Acronis
March 30, 2026

MSP cybersecurity news digest, March 30, 2026

Actively exploited Langflow vulnerability allows attackers to hijack exposed AI workflows, Smart Slider 3 vulnerability exposes sensitive server files on hundreds of thousands of WordPress sites, and more. These are the latest threats to MSP security.

Author: Acronis Threat Research Unit


Actively exploited Langflow vulnerability allows attackers to hijack exposed AI workflows

CVE-2026-33017 affects Langflow, a framework used to build AI agents and workflows, and was added to CISA’s Known Exploited Vulnerabilities catalog after active exploitation was observed. The flaw can allow unauthorized code injection in exposed instances, making it a high-risk issue for internet-facing deployments.

Separate reporting said exploitation began roughly 20 hours after public disclosure, which underlines how little time defenders may have once technical details become public. That speed is especially important for AI workflow systems because they may connect to internal data sources, APIs, and automation pipelines.

The broader implication is that AI infrastructure is now part of the mainstream attack surface: if exposed orchestration tools can be hijacked quickly, they can become launch points for lateral movement, data access, or malicious workflow manipulation inside enterprise environments. 

Compromised Telnyx PyPI releases spread credential-stealing malware hidden inside audio files

Malicious versions 4.87.1 and 4.87.2 of the Telnyx Python package were published to PyPI on March 27, 2026, after the package’s publishing credentials were apparently compromised. The tampered releases contained credential-stealing code, and Telnyx advised users to avoid those versions.

The malware reportedly concealed part of its behavior inside a WAV audio file, an obfuscation technique meant to make static inspection less obvious while still delivering a payload capable of harvesting credentials from developer environments.

This matters beyond one package because it illustrates how software supply-chain attacks can hit trusted developer dependencies and spread into CI/CD systems, developer workstations and downstream applications if compromised releases are pulled automatically.
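An added example, not from the original digest or from Telnyx: a dependency audit that flags requirements lines which pin, or could resolve to, the two tampered releases named above. The sample requirements text is constructed, and the specifier handling covers plain numeric versions only, which is an assumption of this example.

```python
import operator
import re

# Tampered releases named in the digest; the requirements text below is constructed.
BAD = {"telnyx": [(4, 87, 1), (4, 87, 2)]}
CLAUSE = re.compile(r"(==|!=|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)(\.\*)?")
LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?(.*)$")
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

def allows(spec, version):
    """True when every clause of a specifier such as '>=4.80,<5' admits version."""
    for op, raw, wild in CLAUSE.findall(spec):
        s = tuple(int(p) for p in raw.split("."))
        if wild:                      # ==4.87.* / !=4.87.* compare by prefix
            ok = (version[:len(s)] == s) == (op == "==")
        elif op == "~=":              # compatible release: same prefix, not older
            ok = version[:len(s) - 1] == s[:-1] and version >= s
        else:                         # zero-pad so 4.87 compares as 4.87.0
            width = max(len(s), len(version))
            a, b = (t + (0,) * (width - len(t)) for t in (version, s))
            ok = OPS[op](a, b)
        if not ok:
            return False
    return True                       # no clauses at all: any release is admitted

def audit(requirements_text):
    """Return (line_no, package, kind, versions) for lines that admit a bad release."""
    findings = []
    for n, line in enumerate(requirements_text.splitlines(), 1):
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        m = LINE.match(line)
        if not m:                     # blank line or pip option such as -r / --hash
            continue
        name, spec = re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)
        hits = [v for v in BAD.get(name, []) if allows(spec, v)]
        if hits:
            kind = "pinned" if any(c[0] == "==" for c in CLAUSE.findall(spec)) else "floating"
            findings.append((n, name, kind, [".".join(map(str, v)) for v in hits]))
    return findings

SAMPLE = """\
requests>=2.31
Telnyx==4.87.1
telnyx[async]>=4.80,<5 ; python_version >= "3.9"
telnyx>=4.87.3
telnyx!=4.87.1,!=4.87.2,~=4.87.0
telnyx
"""
```

Calling `audit(SAMPLE)` reports line 2 as pinned to a tampered release and lines 3 and 6 as floating specifiers that could have resolved to one; a floating hit means the lock file or the installed version still has to be checked.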

Attackers use GitHub Discussions and fraudulent IDE warnings to distribute developer malware

A large-scale campaign posted fake Visual Studio Code security alerts in GitHub Discussions, using alarming titles, fake CVE references and impersonation of trusted maintainers or researchers to pressure developers into downloading supposed fixes. The campaign was described as coordinated and heavily automated across thousands of repositories.

The lure redirected victims through trusted infrastructure, including Google Drive, before landing on a site that ran a JavaScript reconnaissance payload. That script collected environment details such as time zone, locale, OS and user-agent information and sent them to attacker-controlled infrastructure, likely to filter targets before a second-stage payload.

The broader takeaway is that developer collaboration platforms and notification channels now function as phishing surfaces in their own right. Because discussions trigger email notifications and appear inside normal development workflows, they create a credible delivery path for malware and credential theft.

Malicious Entra ID app approvals create stealthy footholds in Microsoft 365 environments

An illicit consent grant attack works by tricking a user into approving a malicious Microsoft Entra ID application that requests access to email, contacts or documents. Once consent is granted, the application can keep access to that data without needing a native account in the tenant.

This is a cloud-native attack vector because it does not require malware, a password compromise or an endpoint exploit. Password resets or MFA alone may not remove the risk, because the malicious application can continue to operate until its granted permissions are revoked.

The broader security implication is that attackers can abuse identity and application trust instead of compromising a workstation first, which makes the activity both stealthy and persistent in Microsoft 365 environments. 
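An added example, not from the original digest: because the foothold lives in the consent grant rather than in a password, one way to hunt for it is to review delegated permission grants exported from Microsoft Graph. The field names follow Graph's servicePrincipal and oauth2PermissionGrant objects; the tenant ids, app names and records are constructed, and the scope-prefix list and review reasons are assumptions of this example.

```python
# Constructed data shaped like Microsoft Graph servicePrincipal and
# oauth2PermissionGrant objects; only the fields used below are included.
HOME_TENANT = "tenant-home"          # placeholder for the reviewing tenant's id
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Intranet Mail Archiver",
     "appOwnerOrganizationId": HOME_TENANT, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "displayName": "Doc Viewer Pro",
     "appOwnerOrganizationId": "tenant-ext-1", "verifiedPublisher": {"displayName": None}},
    {"id": "sp-3", "displayName": "Calendar Sync",
     "appOwnerOrganizationId": "tenant-ext-2", "verifiedPublisher": {"displayName": "Example Corp"}},
]
GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-7", "scope": "offline_access Mail.Read Contacts.Read Files.Read.All"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-9", "scope": "Calendars.Read"},
]
# Scope prefixes for the data the digest names (email, contacts, documents).
SENSITIVE_PREFIXES = ("Mail.", "Contacts.", "Files.")

def review_grants(grants, service_principals, home_tenant):
    """Return grants holding sensitive delegated scopes, most review reasons first."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        scopes = g["scope"].split()
        sensitive = [s for s in scopes if s.startswith(SENSITIVE_PREFIXES)]
        if not sensitive:
            continue
        app = apps.get(g["clientId"], {})
        reasons = []
        if app.get("appOwnerOrganizationId") != home_tenant:
            reasons.append("external-app")
            if not (app.get("verifiedPublisher") or {}).get("displayName"):
                reasons.append("unverified-publisher")
        if g["consentType"] == "AllPrincipals":
            reasons.append("tenant-wide")
        if "offline_access" in scopes:          # refresh tokens outlive the session
            reasons.append("offline_access")
        findings.append({"grant": g["id"], "app": app.get("displayName", "?"),
                         "user": g["principalId"] or "*", "scopes": sensitive,
                         "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    for finding in review_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        print(finding)
```

Each finding carries the grant id, which is the object that has to be revoked; resetting the password of the consenting user leaves the grant in place.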

Smart Slider 3 vulnerability exposes sensitive server files on hundreds of thousands of WordPress sites

CVE-2026-3098 affects Smart Slider 3 through version 3.5.1.33 and can let authenticated users with minimal privileges, such as subscribers, read arbitrary files on the server. The risk is serious because sensitive files like wp-config.php can expose database credentials and cryptographic keys.

The issue stems from missing capability checks in the plugin’s export functionality, which allowed arbitrary files to be added to export archives. A patch was released in version 3.5.1.34 on March 24, 2026, but download statistics indicated that at least 500,000 sites were still on vulnerable versions at the time of reporting.

This is a useful reminder that authenticated low-privilege flaws can still become severe when they expose secrets that lead to database compromise or full site takeover. Membership, subscription or portal-style WordPress deployments are especially exposed because they routinely grant basic user access to large numbers of accounts.