The CyberWire Daily Podcast 3.27.26
Ep 2518 | 3.27.26

Langflow locked and loaded.

Transcript

CISA warns of actively exploited Langflow vulnerability. CISA flags critical PTC Windchill vulnerability. Phishing activity surges amid war in Iran. Google moves up their post-quantum timeline. Alleged RedLine infostealer developer faces thirty years in a US prison. Bearlyfy hacktivists launch disruptive ransomware campaign in Russia. FCC moves to crack down on robocallers and foreign call centers. Anti-piracy group takes down AnimePlay streaming platform. I talk with Dave Bittner as we look back on the biggest breaches in the past 10 years. And what happens when hackers call the game?

Today is Friday, March 27th, 2026, and I am Maria Varmazis in for Dave Bittner, who is recuperating from RSAC. And this is your CyberWire Intel Briefing.

CISA warns of actively exploited Langflow vulnerability.

According to a report from BleepingComputer, the US Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of a critical flaw affecting the Langflow framework for building AI agents. The vulnerability (CVE-2026-33017) is a code injection flaw that can lead to remote code execution. Researchers at Sysdig observed exploitation of the flaw about twenty hours after its disclosure on March 17th. The researchers state, "Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise."

Users are advised to update Langflow as soon as possible and audit their systems for compromise.

CISA flags critical PTC Windchill vulnerability.

Germany’s federal cyber agency and police took the unusual step of directly warning organizations about a newly disclosed critical vulnerability in PTC Windchill and FlexPLM, underscoring the seriousness of the threat. The flaw, tracked as CVE-2026-4681, involves unsafe deserialization that could allow remote, unauthenticated attackers to execute arbitrary code on affected systems.

The U.S. Cybersecurity and Infrastructure Security Agency has also issued an ICS advisory on the flaw, signaling heightened concern for organizations running the widely used product lifecycle management platforms. While patches are still in development, PTC has released mitigations and indicators of compromise to help defenders detect possible exploitation attempts.

Phishing activity surges amid war in Iran.

Bitdefender is tracking a surge in phishing and malware activity targeting Gulf countries amid the war in Iran, with malicious emails spiking by approximately 130% since the conflict began on February 28th. Bitdefender states, "Within days, activity doubled, and at peak reached nearly four times the baseline levels, signaling a sustained and coordinated spike rather than a one-off campaign. This clearly suggests that phishing and malware delivery campaigns are being deployed and adjusted in real time, with attackers capitalizing on heightened regional sensitivity and business disruptions."

While state-sponsored cyber operations are accompanying the war, much of this phishing activity is financially motivated, with criminal threat actors exploiting fear and uncertainty across the region.

Google moves up their post-quantum timeline. 

Google has accelerated its timeline for transitioning to post-quantum cryptography, warning organizations they may need to be ready by 2029 instead of the previously expected mid-2030s. The shift reflects growing concern that advances in quantum computing—and improvements in error correction and algorithms—could allow future machines to break today’s encryption sooner than anticipated.

The company is prioritizing protections for authentication systems and digital signatures, and is already working to deploy quantum-resistant cryptography across products like Chrome, Android, and its cloud platforms.

Alleged RedLine infostealer developer faces thirty years in a US prison.

An Armenian national accused of developing the popular RedLine infostealer has been extradited to the United States, where he faces up to thirty years in prison, the Record reports. The defendant, Hambardzum Minasyan, allegedly worked with co-conspirators to maintain RedLine's infrastructure, including C2 servers and administrative panels, and collected payments from the malware's affiliates. The US Justice Department states, "The indictment alleges that Minasyan registered two virtual private servers to host portions of RedLine’s infrastructure as well as two internet domains in support of the RedLine scheme. He also allegedly created repositories on an online file-sharing site that were used to distribute RedLine to affiliates. In November 2021, he allegedly registered a cryptocurrency account that was used to receive payments from RedLine affiliates."

An international law enforcement effort disrupted the RedLine operation in October 2024, and the Justice Department unsealed charges against one of Minasyan's alleged co-conspirators, Maxim Rudometov. Rudometov is also facing a maximum of thirty years.

Bearlyfy hacktivists launch disruptive ransomware campaign in Russia.

A pro-Ukraine hacking group known as Bearlyfy has carried out more than 70 cyberattacks against Russian companies over the past year and is escalating its campaign with newly developed ransomware, according to researchers. Unlike traditional profit-driven ransomware gangs, Bearlyfy appears motivated by disruption and political signaling tied to Russia’s war in Ukraine. The group has targeted organizations across sectors including energy, telecommunications, and finance, sometimes wiping systems rather than negotiating payment. Analysts say the activity reflects a broader trend of hacktivist-style operations increasingly adopting advanced tooling once associated with state actors or criminal syndicates. The campaign highlights how cyber operations linked to geopolitical conflicts continue to blur the lines between activism, espionage, and sabotage—raising the risk of spillover effects beyond the immediate battlefield. 

FCC moves to crack down on robocallers and foreign call centers.

The Federal Communications Commission has voted to advance new rules aimed at cracking down on illegal robocalls and limiting the role of foreign call centers in handling sensitive U.S. communications. The proposals would tighten certification requirements for obtaining phone numbers—making it harder for scammers to acquire legitimate numbers—and require telecom providers to disclose more information about callers on their networks. Regulators are also exploring restrictions on routing certain customer-service calls overseas, particularly those involving sensitive personal data. Officials say many robocall investigations involve resold numbers and offshore infrastructure, creating enforcement gaps. The measures now move to a public comment phase and could reshape how telecom providers manage numbering resources and customer support operations.

Anti-piracy group takes down AnimePlay streaming platform.

The Alliance for Creativity and Entertainment (ACE) has shut down the piracy streaming app AnimePlay, a platform with more than 5 million users that hosted roughly 60 terabytes of anime content. The coalition seized the app’s infrastructure, including 15 domains, backend servers, databases, advertising tools, and 29 GitHub repositories containing its source code, effectively preventing operators from relaunching the service. Most users were reportedly based in Indonesia. ACE, backed by major studios including Disney, Netflix, and Warner Bros., said the takedown is part of its broader campaign to dismantle large-scale piracy networks worldwide. The action highlights how coordinated industry-led enforcement operations are increasingly targeting not just websites, but the full technical ecosystems supporting illicit streaming platforms. 

As we close out the RSAC 2026 week, we thank our ever-faithful intern Kevin and treat you to his sign-off.

Stay with us—after the break, the breaches that defined a decade of CyberWire Daily. Dave Bittner and I sit down to discuss the biggest breaches in the last 10 years. And what happens when hackers call the game? 

The CyberWire Daily is turning 10 this year! We are celebrating all year long—and today, we’re looking back at the breaches that didn’t just make headlines, they changed the conversation. I, alongside Dave Bittner, walk through the cyber incidents that still stick with us. Here’s our conversation.

That was me, Maria Varmazis, alongside my N2K colleague Dave Bittner, walking us through some of the biggest cyber incidents of the last 10 years. If you enjoyed our chat and want to hear more, be sure to tune in on Sunday to your CyberWire Daily podcast feed to hear our full conversation.


Hackers call the game. 

AFC Ajax says a recent breach exposed limited supporter data—but reporting suggests the impact may have gone far beyond a routine leak. An attacker exploited vulnerabilities in the club’s systems to access internal data, including email addresses and details tied to a small number of banned supporters. Ajax says the issues have been fixed and there’s no evidence of further spread.

But an investigation found the same flaws may have allowed outsiders to do more than just look—they may have been able to play manager, too. By abusing exposed APIs and shared digital keys, it was reportedly possible to impersonate users, transfer season tickets, alter account details, and even lift stadium bans. In one case, a journalist demonstrated just how easy it was, grabbing a VIP ticket from a director’s account in seconds and using it to access a match.

The vulnerabilities may have put hundreds of thousands of supporter accounts and tens of thousands of tickets at risk. While Ajax is emphasizing the limited confirmed exposure, the ability to manipulate accounts as well as access data points to a deeper breakdown—less a contained breach, and more a system that left the door wide open and the playbook sitting right next to it.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Research Saturday plug. 

Be sure to check out Research Saturday tomorrow, where Dave Bittner sits down with Omer Ninburg, CTO of Novee Security, to discuss their work on "From PDF to Pwn." That’s Research Saturday. Check it out.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.