Top stories.
- DarkSword iOS exploit kit leaks to GitHub.
- CISA warns of critical flaws affecting PTC and Langflow products.
- Tycoon2FA phishing platform recovers following law enforcement disruption.
- US bans sale of new foreign-made routers.
- Threat actors compromise a popular PyPI package.
- White House unveils its national legislative framework for AI.
DarkSword iOS exploit kit leaks to GitHub.
TechCrunch reports that a new version of the iOS exploit kit DarkSword has been publicly posted on GitHub, allowing anyone to target iPhone users running iOS versions prior to iOS 26. iVerify, Lookout, and Google published reports on DarkSword last week, noting that a Russian espionage group was using the kit to launch watering-hole campaigns against Ukrainian users. Lookout states that DarkSword "leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device." iVerify co-founder Matthias Frielingsdorf told TechCrunch that "we need to expect criminals and others to start deploying this" now that the code is public.
An Apple spokesperson told TechCrunch that the company is aware of the exploit kit and urged users to keep their software up to date. Apple also issued an emergency update on March 11th for devices that are unable to run recent versions of iOS.
CISA warns of critical flaws affecting PTC and Langflow products.
The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC’s Windchill product lifecycle management software. The industrial software maker says it hasn't observed exploitation affecting its customers, although a patch is not yet available.
In Germany, Heise reports that the Federal Criminal Police Office (BKA) sent officers to visit companies in person to warn them about the vulnerability. In some cases, officers woke up administrators at their private residences in the middle of the night. While the vulnerability is serious, it's unclear what prompted such an urgent response from the police, which Heise describes as "unprecedented." PTC urges customers to immediately implement mitigations until patches are available, prioritizing publicly accessible systems.
CISA has also warned of active exploitation of a critical flaw affecting the Langflow framework for building AI agents, BleepingComputer reports. The vulnerability (CVE-2026-33017) is a code injection flaw that can lead to remote code execution. Researchers at Sysdig observed exploitation about twenty hours after the flaw's disclosure on March 17th. The researchers state, "Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise." Users are advised to update Langflow as soon as possible and audit their systems for compromise.
Tycoon2FA phishing platform recovers following law enforcement disruption.
CrowdStrike warns that the Tycoon2FA commodity phishing platform is still operational following a law enforcement disruption effort earlier this month. CrowdStrike observed a short-term decrease in Tycoon2FA activity following the infrastructure takedown, but activity has since returned to normal levels.
The researchers note that "law enforcement bodies and their industry partners often go into these technically complicated efforts knowing full well that adversaries are resilient and will likely ultimately overcome or circumvent technical disruptions and reemerge as threats once again." CrowdStrike says it "nonetheless applauds the efforts by Europol and its partners to disrupt this threat actor's operations," adding that "infrastructure disruption — even if only temporary — can serve to frustrate, slow down, and confuse adversaries."
US bans sale of new foreign-made routers.
The US Federal Communications Commission (FCC) has effectively banned the sale of all new foreign-made consumer routers in the US, the Register reports. The FCC added "routers produced in a foreign country" to its Covered List of equipment and services that "pose an unacceptable risk to the national security of the United States or the security and safety of United States persons." The ban does not affect the sale of any existing models that have been previously approved.
The Commission cited a National Security Determination issued earlier this month that stated, "Recently, malicious state and non-state sponsored cyber attackers have increasingly leveraged the vulnerabilities in small and home office routers produced abroad to carry out direct attacks against American civilians in their homes. From disrupting network connectivity to enabling local networking espionage and intellectual property theft, foreign-produced routers present unacceptable risks to Americans. Additionally, routers produced abroad were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks which targeted critical American communications, energy, transportation, and water infrastructure. Routers in the United States must have trusted supply chains so we are not providing foreign actors with a built-in backdoor to American homes, businesses, critical infrastructure, and emergency services."
Threat actors compromise a popular PyPI package.
FutureSearch discovered a supply-chain attack affecting a PyPI release of LiteLLM, a popular library that allows apps to interact with various LLMs. FutureSearch stated, "At 10:52 UTC on March 24, 2026, litellm version 1.82.8 was published to PyPI. The release contains a malicious .pth file (litellm_init.pth) that executes automatically on every Python process startup when litellm is installed in the environment." The .pth mechanism is what gives the malware its persistence: Python's site module processes every .pth file in site-packages when the interpreter starts, so the hook runs in every Python process on the host whether or not litellm itself is ever imported. The malware then harvests and exfiltrates sensitive files.
The malicious release has since been removed. Sonatype noted in its own report, "The compromised versions were available on PyPI for at least two hours. Given the package's three million daily downloads, the compromised litellm could have seen significant exposure during that short time span."
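For readers who want to check their own environments for this class of persistence, the following scanner is an added example and is not code from FutureSearch, Sonatype, or the LiteLLM project. Python's site module treats any line in a .pth file that begins with "import " (or "import" followed by a tab) as code to exec() at interpreter startup; every other non-blank, non-comment line is treated as a path to add to sys.path. The scanner lists the exec'd lines without running them. The file names and contents in demo() are constructed for illustration and are not the actual litellm_init.pth payload, which the page does not reproduce.

```python
"""Audit site-packages for .pth files that execute code at Python startup.

site.py processes every *.pth file in each site-packages directory when the
interpreter starts. A line starting with "import " or "import\t" is passed to
exec(); blank lines and lines starting with "#" are skipped; anything else is
added to sys.path. An attacker-dropped .pth file is therefore a persistence
hook that fires in every Python process, regardless of what is imported.

This scanner only reads the files; it never executes them.
"""
import os
import site
import tempfile
from pathlib import Path


def executable_pth_lines(site_dir):
    """Return (file name, line number, line) for every line site.py would exec()."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        with open(pth, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, start=1):
                line = raw.rstrip("\n")
                # Same skip rules as site.py: comments and blank lines are ignored
                if line.startswith("#") or not line.strip():
                    continue
                # Only lines with this exact prefix are executed by site.py
                if line.startswith(("import ", "import\t")):
                    findings.append((pth.name, lineno, line))
    return findings


def scan_active_site_packages():
    """Scan every site-packages directory the running interpreter uses."""
    dirs = []
    # getsitepackages() is absent in some older virtualenv site.py replacements
    if hasattr(site, "getsitepackages"):
        dirs.extend(site.getsitepackages())
    user_dir = site.getusersitepackages() if hasattr(site, "getusersitepackages") else None
    if user_dir:
        dirs.append(user_dir)
    results = []
    for d in dirs:
        if os.path.isdir(d):
            results.extend(executable_pth_lines(d))
    return results


def demo():
    """Build a constructed site-packages directory and return what the scanner reports.

    Both files are hypothetical: one benign path entry, one executable hook.
    The hook line is detected, never executed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Benign: a path entry such as an editable install would leave (constructed)
        Path(tmp, "example_pkg.pth").write_text("/opt/example/src\n")
        # Hypothetical hook: a comment line followed by an exec'd import line
        Path(tmp, "hypothetical_hook.pth").write_text(
            "# looks harmless\n"
            "import os; os.system('echo hypothetical-payload')\n"
        )
        return executable_pth_lines(tmp)


if __name__ == "__main__":
    print("Constructed example:")
    for name, lineno, line in demo():
        print(f"  {name}:{lineno}: {line}")
    hits = scan_active_site_packages()
    print(f"{len(hits)} executable .pth line(s) in the active interpreter:")
    for name, lineno, line in hits:
        print(f"  {name}:{lineno}: {line}")
```

Legitimate packaging tools do ship import-style .pth files (setuptools' distutils-precedence.pth is a common one), so a hit is a lead to review, not proof of compromise; compare each flagged file against the package metadata that installed it and against a known-good environment.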
White House unveils its national legislative framework for AI.
The White House on Friday released its national legislative framework for AI, outlining six key objectives: Implementing stronger safeguards for children, strengthening small businesses, respecting intellectual property rights, preventing censorship, boosting innovation by removing cumbersome regulations, and furthering workforce development and AI skills training programs.
Notably, the framework calls for the Federal government to set a national framework that supersedes state laws, stating that Congress should "preempt state AI laws that impose undue burdens to ensure a minimally burdensome national standard consistent with these recommendations, not fifty discordant ones."
Axios notes that it will be difficult to implement these objectives with bipartisan support, but the framework seems designed to "set the contours of the legislative debate" rather than serve as a bill meant for passage.