

Exploitation at machine speed
I couldn’t have picked a more suitable name than “March Madness.” Last month, we may have seen more exploits than 3-pointers. From authentication bypasses to AI pipeline compromises and shortened exploitation timelines, March showed how quickly small weaknesses can turn into full-blown breaches.
Sysdig’s March security briefing provides the receipts: vulnerabilities are being weaponized in real time, and if you aren’t watching your back(end), someone else probably is. Let’s dig in.
Mar 3: Pac4j authentication bypass CVE-2026-29000
- This critical vulnerability is a flaw in Pac4j’s JWT signature validation.
- By manipulating how public keys are interpreted during verification, attackers could bypass authentication controls. This means they basically tricked the system into letting them through the front door without an ID.
- Takeaway: Never assume signature validation logic is safe by default. Instead, enforce strict key validation and allowlists, reject tokens with mismatched or untrusted key sources, and monitor for anomalies such as session spikes from new users or IPs.
- Affected organizations should rotate keys and kill active sessions after applying the patch.
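One way to apply the takeaway above, as an added example that is not Pac4j code and does not reproduce CVE-2026-29000: a header policy gate, run before signature verification, that rejects tokens which name their own key source, use an unlisted `kid`, or pair a pinned key with a different `alg`. The trust store contents, function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Hypothetical trust store: key id -> the single algorithm that key may verify.
TRUSTED_KEYS = {"idp-2026-03": "RS256"}
# JOSE header parameters that let a token name or carry its own verification key.
UNTRUSTED_KEY_SOURCES = ("jwk", "jku", "x5u", "x5c")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwt_header(token: str) -> str:
    """Return 'ok' or a rejection reason. This does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return "reject: not a signed compact JWS"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "reject: undecodable header"
    if not isinstance(header, dict):
        return "reject: header is not an object"
    for param in UNTRUSTED_KEY_SOURCES:
        if param in header:
            return f"reject: token supplies its own key source ({param})"
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in TRUSTED_KEYS:
        return "reject: kid not in allowlist"
    if header.get("alg") != TRUSTED_KEYS[kid]:
        return "reject: alg does not match the pinned key"
    return "ok"


def make_token(header: dict) -> str:
    """Constructed sample token: dummy payload and dummy signature bytes."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc({"sub": "alice"}) + ".c2ln"


if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "kid": "idp-2026-03"},
                {"alg": "HS256", "kid": "idp-2026-03"},
                {"alg": "RS256", "kid": "idp-2026-03", "jwk": {"kty": "RSA"}}):
        print(hdr, "->", check_jwt_header(make_token(hdr)))
```

Only tokens that pass this gate should go on to signature verification with the key pinned for that `kid`.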
Mar 9: Ingress-NGINX RCE CVE-2026-3288
- A configuration injection vulnerability in Ingress-NGINX enabled remote code execution within Kubernetes clusters.
- This flaw is a sibling of February’s path-injection vulnerability CVE-2026-24512.
- These vulnerabilities result from improper input sanitization in buildLocation() and buildProxyPass(). By inserting a " or \ character into the Ingress path field, attackers can break out of intended boundaries.
- NGINX Ingress Controllers often have access to secrets and internal services. Therefore, unexpected changes to Ingress resources, network traffic anomalies, and config reloads are red flags that warrant inspection.
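A check for the red flag described above, as an added example that is not from the Sysdig briefing or the Ingress-NGINX project: it walks Ingress objects in the JSON shape produced by `kubectl get ingress -A -o json` and reports every path containing a `"` or `\` character. The sample objects, hostnames and function name are constructed for illustration.

```python
import json

SUSPECT_CHARS = ('"', "\\")  # the two characters the briefing names

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads(r'''
{"items": [
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
     {"path": "/cart", "pathType": "Prefix"}]}}]}},
  {"metadata": {"namespace": "dev", "name": "odd"},
   "spec": {"rules": [{"host": "dev.example.com", "http": {"paths": [
     {"path": "/a\"b", "pathType": "ImplementationSpecific"},
     {"path": "/c\\d", "pathType": "Prefix"}]}}]}}
]}
''')


def suspicious_ingress_paths(obj: dict) -> list:
    """Return (namespace, name, path, matched_chars) for each flagged path."""
    findings = []
    # Accept either a List wrapper or a single Ingress object.
    for item in obj.get("items", [obj]):
        meta = item.get("metadata") or {}
        for rule in (item.get("spec") or {}).get("rules") or []:
            for entry in (rule.get("http") or {}).get("paths") or []:
                path = entry.get("path") or ""
                hits = [c for c in SUSPECT_CHARS if c in path]
                if hits:
                    findings.append(
                        (meta.get("namespace"), meta.get("name"), path, hits))
    return findings


if __name__ == "__main__":
    for ns, name, path, hits in suspicious_ingress_paths(SAMPLE):
        print(f"{ns}/{name}: path {path!r} contains {hits}")
```

The same test can run in an admission policy so that such paths are refused at creation time instead of found after the fact.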
Additional Sysdig TRT findings
Langflow AI pipeline exploitation
- CVE-2026-33017 is a critical vulnerability that allows unauthenticated remote code execution in exposed Langflow instances.
- The Sysdig Threat Research Team (TRT) identified active attacks within twenty hours of public disclosure, before any public proof of concept exploits were even available on GitHub.
- With a single HTTP request, attackers are able to exfiltrate keys and credentials from a potentially massive number of victims due to the popularity of Langflow for building AI agents and RAG pipelines. No credentials needed.
- If you can’t patch your Langflow instance right away, restrict network access to the endpoint or disable public flow building.
- Fortunately for Sysdig users, out-of-the-box detections will trigger on multiple behaviors seen in this particular attack.
Rapid supply chain threat expansion
- TeamPCP exploited a misconfigured GitHub Actions workflow in Trivy on March 19 and demonstrated how quickly attackers can expand and evolve their campaign throughout the rest of the month.
- The Sysdig TRT identified the campaign moving from Trivy’s GitHub Actions to Checkmarx on March 23 with identical credential-stealing activity.
- PyPI’s LiteLLM and Telnyx were also hijacked within a week of the original breach, and as of March 31, Databricks and Cisco were also investigating possibly linked compromises. Beware: this campaign will very likely continue to expand.
- Security tools are targets because they provide trusted execution, pipeline, and secrets access, and potentially an organization-wide blast radius.
- This open source supply chain attack shows us that pipeline tools cannot be inherently trusted, and execution should be monitored in real time at runtime. Additionally, organizations should verify dependency integrity and alert on unexpected CI/CD pipeline behavior, irregular outbound calls, and changes in tool integrity.
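One concrete form of the dependency-integrity check recommended above, as an added example that is not from the briefing or from any of the affected projects: it flags GitHub Actions `uses:` references that point at a tag or branch, which can be repointed later, instead of a full 40-character commit SHA. The workflow text and action names are constructed, and the scan is line-based and does not parse YAML.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow; the action names are hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: example-org/scanner-action@v0.30.0
      - name: build
        uses: example-org/build@main
      - uses: ./.github/actions/local
"""


def unpinned_actions(workflow_text: str) -> list:
    """Return (line_number, action, ref) for each reference not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, action, version or "(no ref)"))
    return findings


if __name__ == "__main__":
    for lineno, action, version in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} is referenced by mutable ref {version}")
```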
Educational spotlight: Securing AI coding agents
- The Sysdig TRT highlighted the risks of AI coding agents running inside environments with minimal oversight.
- These agents can execute code, access organizational repos, and interact with infrastructure. They act as privileged users, without human judgment.
- The team built four high-confidence Falco detections for Sysdig Secure users, but the blog is worth reading for anyone looking to secure Claude Code or other AI coding agents.
Also in the news
- The Zero Day Clock: Sysdig’s CISO, Sergej Epp, published the Zero Day Clock on March 4. A project backed by industry leaders, this webpage shows the terrifyingly shortened timescale between “vulnerability found” and “vulnerability exploited,” and it’s backed by hard evidence.
- Ubiquiti UniFi: CVE-2026-22557 is a maximum-severity vulnerability in Ubiquiti’s UniFi Network Application that was published on March 19. Exploitation allows attackers without privileges to steal user accounts and access files.
- Botnet takedown: Federal authorities dismantled the C2 infrastructure of four DDoS botnets on March 19. But the reality is, the previously infected IoT devices remain vulnerable. Attackers can quickly stand up new botnet infrastructure, and the capacity of these botnets will return. Organizations must assume compromised devices are still compromised and keep IoT devices segmented from other networks, or, ya know, update the security of all devices.
- Anthropic leaks: On March 30, Anthropic’s new Mythos model, built specifically for cybersecurity use cases, was leaked. Then, on March 31, the source code for Claude Code was also made public. Be prepared for the cat-and-mouse game between AI-driven attackers and defenders to get a lot more interesting in April.
Closing thoughts
Speed is the only metric that mattered in March. Between the exploits coming in at machine speed and intensive supply chain pivots, the defender’s shot clock is shrinking. Unfortunately, there’s no off-season in cybersecurity. If you’re not detecting and stopping malicious behaviors in real-time, you’re going to cramp up. Stay frosty, my friends.
CISO corner
By: Conor Sherman, Sysdig CISO in Residence
By the numbers
AI infrastructure is the emerging battleground
In 2024, I framed the threat actor's AI playbook in three moves: more of the same attacks with greater effectiveness, pivoting to target the new infrastructure being built to support AI, and leveraging AI for autonomous attacks. 2026 is the year all three are bearing out simultaneously.
Langflow was compromised with zero authentication required. LiteLLM, which routes requests to over 100 LLM providers and stores API keys for all of them, was backdoored through its own CI pipeline. AI coding agents are running on developer machines with access to credentials, source code, and infrastructure, operating as privileged users without human judgment or monitoring.
These production compromises are happening now, against tools your teams are actively deploying. If AI infrastructure isn't in your asset inventory, it's in your blind spot.
Three program-level actions for April:
