Kinetic Potential Blog

A threat actor tracked as Storm-2561 has been targeting VPN users in a new credential theft campaign, Microsoft reports.

Active since at least May 2025, Storm-2561 is known for using search engine optimization (SEO) poisoning for malware distribution and for impersonating popular software vendors to attract victims to malicious websites.

The newly observed campaign started in mid-January, aimed at luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection.

Not only did the threat actor abuse users’ trust in search engine rankings, but they also hosted the malicious payloads on GitHub repositories, further increasing the chances of successful infections.

In the repositories associated with the campaign, which have been removed, Storm-2561 hosted a ZIP file containing an MSI installer file posing as the legitimate VPN software Pulse Secure.

Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild.

The list of vulnerabilities is as follows -

• CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
• CVE-2026-3910 (CVSS score: 8.8) - An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Both vulnerabilities were discovered and reported by Google itself on March 10, 2026. As is customary in these cases, no details are available about how the issues are being abused in the wild and who is behind the efforts. This is done so as to prevent other threat actors from exploiting the issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog.

"N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said.

According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.