DigiCert’s Open-Source Intelligence (OSINT) Report – March 27 – April 2, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover

(TLP: CLEAR) Security researchers at Snapsec uncovered a critical Stored Cross-Site Scripting (XSS) vulnerability in Jira Work Management, a widely used collaboration and project tracking tool within the Atlassian ecosystem. The flaw resided in the icon URL field of Jira’s custom issue priority settings, where the backend lacked proper input validation and output encoding. By injecting a malicious JavaScript payload into this field, a low-privileged user holding the Product Admin role could silently execute malicious code in the browser of any higher-privileged user who visited the affected page, with no clicks or interaction required from the victim. The attack chain was particularly concerning because of how effectively it bridged the gap between a low-privileged entry point and full organizational compromise. When a Super Admin visited the modified priorities page, the stored payload executed automatically in their browser, forcing their session to send an automated invite request that granted an attacker-controlled account full access across multiple Atlassian products. The result was a complete organizational takeover, giving the attacker the ability to view, create, modify, and delete projects across the entire environment. What makes this vulnerability especially significant is that the Product Admin role is not typically considered high risk, as it lacks direct access to internal Atlassian applications like Confluence or Service Management. However, it retained just enough administrative capability to inject a persistent payload into a globally accessible configuration area, demonstrating that access control restrictions do not automatically translate into risk control. The attack required no exploitation of elevated permissions, only the ability to edit issue priorities.

The vulnerability underscores a broader lesson in SaaS security, namely that even mature and widely trusted platforms can harbor high-impact vulnerabilities when input validation is neglected in internal configuration panels. Organizations are advised to enforce strict validation across all customizable administrative fields and avoid assuming that lower-privileged roles present negligible security risk.

(TLP: CLEAR) Comments: The Jira Work Management XSS vulnerability uncovered by Snapsec is a textbook example of how privilege assumptions can create dangerous blind spots in enterprise security architecture. The core issue here is not simply a missing input validation check; it is the broader organizational tendency to assess risk based on what a role is designed to do rather than what it is technically capable of doing. The Product Admin role was almost certainly not conceived as a high-risk permission level, yet its ability to modify globally accessible configuration fields created a lateral escalation pathway that effectively nullified the privilege separation that higher-level roles were designed to enforce. The stored XSS mechanism amplifies the severity considerably beyond what a reflected XSS variant would present. Because the payload persists in the platform’s configuration and executes automatically upon page render, the attacker requires no ongoing interaction with the victim and no social engineering beyond the initial injection. In an enterprise environment where Super Admins routinely visit configuration pages as part of normal administrative workflows, the likelihood of triggering the payload without any suspicious activity is extremely high. This passive, automated quality makes stored XSS in administrative interfaces one of the most reliable and difficult-to-detect attack vectors available to a malicious insider or compromised account. The SaaS context adds another layer of concern that deserves emphasis. Organizations increasingly consolidate critical business operations, intellectual property, project data, and internal communications within interconnected SaaS ecosystems like Atlassian’s product suite.
A single successful stored XSS exploitation that achieves Super Admin access does not compromise one application; it potentially compromises the entire integrated environment including Confluence, Service Management, and any other connected Atlassian products. The blast radius of what appears to be a relatively contained configuration vulnerability is therefore significantly larger than it might initially appear. From a web application security standpoint, this finding reinforces that input validation cannot be selectively applied to user-facing fields while internal administrative panels are treated as implicitly trusted. Every field that accepts and renders user-supplied content represents a potential injection surface regardless of who is authorized to modify it, and mature security programs must treat administrative interfaces with the same rigorous validation standards applied to public-facing inputs.
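The two controls the item says were missing from the icon URL field, input validation on write and output encoding on render, are sketched below as an added example; it is not Atlassian's or Snapsec's code. The scheme and extension allowlists, the function names and the sample values are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumptions for this sketch: icons must be HTTPS raster images.
ALLOWED_SCHEMES = {"https"}
ALLOWED_EXTENSIONS = (".png", ".gif", ".jpg", ".jpeg")
FORBIDDEN_CHARS = set("\"'<>`\\")


class InvalidIconUrl(ValueError):
    """Raised when a submitted icon URL fails validation."""


def validate_icon_url(raw):
    """Write-time check: accept only a plain HTTPS image URL, reject the rest."""
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        raise InvalidIconUrl("missing or oversized value")
    # Quotes, angle brackets, whitespace and control characters have no place
    # in a URL and are what lets a value break out of an HTML attribute.
    if any(c in FORBIDDEN_CHARS or ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise InvalidIconUrl("forbidden character")
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        raise InvalidIconUrl("unparseable URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidIconUrl("scheme not allowed")
    if not host:
        raise InvalidIconUrl("no host")
    if not parts.path.lower().endswith(ALLOWED_EXTENSIONS):
        raise InvalidIconUrl("path is not an allowed image type")
    return raw


def is_accepted(raw):
    """True when the value would be stored, False when it is rejected."""
    try:
        validate_icon_url(raw)
        return True
    except InvalidIconUrl:
        return False


def render_icon_unsafe(stored_url, name):
    """The flawed pattern: the stored value is concatenated into markup as-is."""
    return '<img src="' + stored_url + '" alt="' + name + '">'


def render_icon(stored_url, name):
    """Render-time defence: attribute-encode even validated values, because
    rows written before the validator existed may still be in the database."""
    return '<img src="{}" alt="{}">'.format(
        html.escape(stored_url, quote=True), html.escape(name, quote=True))


# Constructed sample inputs (not taken from the Snapsec report).
SAMPLES = [
    "https://cdn.example.invalid/icons/high.png",
    "javascript:void(0)",
    'https://cdn.example.invalid/x.png" onerror="void(0)',
    "http://cdn.example.invalid/icons/high.png",
    "//cdn.example.invalid/icons/high.png",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_accepted(sample), render_icon(sample, "High"))
```

Only the first sample is stored; the encoded renderer keeps the third sample inside the `src` attribute even if it had been stored before validation was introduced.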

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.

Source: https://cybersecuritynews.com/stored-xss-bug-in-jira-work-management/#google_vignette

VoidLink Malware Framework Shows that AI-assisted Malware is Not Experimental Anymore

(TLP: CLEAR) VoidLink is a Linux-based malware framework discovered in early 2026 that represents a significant milestone in the evolution of AI-assisted cyber threats, moving the concept from theoretical concern to fully operational reality. Identified by Check Point analysts in January 2026, the framework features a modular command-and-control architecture, eBPF and LKM rootkits, cloud and container enumeration capabilities, and more than 30 post-exploitation plugins. Its technical quality was so high that analysts initially assumed it was the product of a coordinated multi-person engineering team working over several months. That assumption proved incorrect. The entire framework was built by a single developer using TRAE SOLO, the paid tier of ByteDance’s AI-powered integrated development environment. An operational security failure by the developer exposed internal development artifacts that revealed the true origin. From those leaked materials, analysts determined that the framework reached its first functional implant just one week after development began, with the developer producing over 88,000 lines of functional code in that window, work that would traditionally have required three teams and approximately 30 weeks to complete. What distinguished VoidLink from cruder AI-assisted malware attempts was the developer’s use of Spec Driven Development, a structured workflow in which detailed project specifications are written first and an AI agent then implements code autonomously based on those instructions. The developer organized the project around three virtual teams covering core functionality, exploitation capabilities, and backend infrastructure, with the AI handling actual implementation while the developer acted purely as a product owner directing and reviewing output. 
Check Point’s broader analysis found that one in every 31 prompts across corporate AI tool usage carried a high risk of sensitive data leakage, affecting approximately 90% of organizations. Security teams are advised to strengthen Linux environment monitoring, review detection rules for rootkit behavior, apply strict governance over corporate AI tool usage, and regularly audit cloud and container security configurations.

(TLP: CLEAR) Comments: VoidLink represents a genuine inflection point in the threat landscape, and its implications extend well beyond the technical capabilities of the framework itself. The most significant finding is not what VoidLink can do, but how it was built. The fact that a single developer produced enterprise-grade malware in one week using a structured AI-driven workflow fundamentally challenges the assumption that sophisticated malware development requires either a well-resourced threat actor group or nation-state backing. That assumption has underpinned a significant portion of how the security community has historically assessed and attributed advanced threats, and VoidLink forces a serious reassessment of that framework. The Spec Driven Development methodology deserves particular analytical attention. The cybercrime ecosystem has been experimenting with AI-assisted malware generation for some time, but the predominant approach has been unstructured prompting, essentially asking AI models for malicious code directly. That approach produces inconsistent, often low-quality output that experienced defenders can identify relatively quickly. SDD represents a qualitative leap, applying the same disciplined software engineering practices used by legitimate development teams to the production of malicious tooling. The output is cleaner, more modular, better documented, and significantly harder to distinguish from professionally developed software, which has direct implications for how analysts approach malware attribution and reverse engineering. The Linux and cloud targeting dimensions amplify the threat considerably in enterprise contexts. Linux underpins the majority of cloud infrastructure, container orchestration platforms, and critical server environments that organizations depend on, and it has historically received less endpoint security attention than Windows environments. 
VoidLink’s eBPF and LKM rootkit capabilities are particularly concerning because they operate at the kernel level, giving the malware deep visibility into system activity while remaining extremely difficult to detect through conventional endpoint tools. The broader democratization effect is perhaps the most consequential long-term implication. VoidLink demonstrates that the knowledge barrier for building sophisticated malware has collapsed to the point where deep security expertise combined with the right AI tooling is sufficient to produce nation-state quality output. Security teams should treat AI-assisted malware development as a default assumption going forward rather than an exceptional case, and detection and response capabilities need to evolve accordingly to account for a threat landscape where the quality ceiling for malicious tooling is rising rapidly and continuously.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines, using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://cybersecuritynews.com/voidlink-malware-framework-2/

New RoadK1ll WebSocket Implant Used to Pivot on Breached Networks

(TLP: CLEAR) RoadK1ll is a newly discovered malicious implant identified by managed detection and response provider Blackpoint during an incident response engagement. Built as a Node.js implant communicating over a custom WebSocket protocol, its sole purpose is to convert a single compromised machine into a controllable relay point through which an attacker can pivot to internal systems, services, and network segments that would otherwise be completely unreachable from outside the perimeter. Unlike traditional implants that rely on inbound listeners, RoadK1ll establishes an outbound WebSocket connection to attacker-controlled infrastructure, using that connection as a tunnel to relay TCP traffic on demand. Because these connections originate from the compromised machine, they inherit its network trust and positioning, effectively bypassing perimeter controls without generating the kind of unusual inbound traffic that security tools are typically configured to flag. The implant supports multiple concurrent connections over the same tunnel, allowing the operator to communicate with several internal destinations simultaneously. RoadK1ll operates through a small, focused command set covering connection initiation, data forwarding, connection confirmation, termination, and error reporting. If the WebSocket tunnel is interrupted, the implant includes a reconnection mechanism that automatically attempts to restore access without requiring manual intervention from the operator, helping maintain persistent reach into the compromised environment with minimal noise. Notably, the malware lacks traditional persistence mechanisms such as registry keys, scheduled tasks, or services, meaning it operates only as long as its process remains alive. Despite this limitation, Blackpoint describes it as a modern and purpose-built implementation of covert communication that is flexible, efficient, and straightforward to deploy. 
The implant’s ability to blend into normal network activity by mimicking legitimate outbound WebSocket traffic makes it particularly difficult to detect through conventional network monitoring. Blackpoint has released a limited set of host-based indicators of compromise including a file hash and an attacker-controlled IP address to assist defenders in identifying potential infections.

(TLP: CLEAR) Comments: RoadK1ll is a technically focused and operationally disciplined implant that reflects a broader trend in modern malware development toward purpose-built, single-function tools rather than bloated all-in-one frameworks. Its design philosophy is notable precisely because of what it does not include. The absence of traditional persistence mechanisms like registry keys or scheduled tasks is not an oversight; it is a deliberate trade-off that reduces the implant’s forensic footprint and lowers its detectability by endpoint security tools that are specifically tuned to flag those persistence behaviors. The attacker accepts the risk of losing access if the process dies in exchange for a significantly quieter operational profile during active use. The use of outbound WebSocket connections as the primary communication channel is analytically significant from a network defense perspective. Most enterprise perimeter controls are optimized to inspect and restrict inbound connections, operating on the assumption that outbound traffic from internal machines represents legitimate user or application activity. RoadK1ll exploits that assumption directly, blending its command and control traffic into the same protocols used by modern web applications and collaboration tools. This makes detection heavily dependent on behavioral anomaly analysis rather than signature-based or firewall-level controls, which requires a more mature and resource-intensive monitoring capability than many organizations maintain. The network pivoting capability is where RoadK1ll’s threat potential becomes most consequential in an enterprise context. By inheriting the network trust and positioning of the compromised host, the implant effectively grants the attacker access to internal segments, management interfaces, and services that are deliberately isolated from external access.
This directly undermines the segmentation strategies that organizations invest heavily in as a core defense-in-depth control. A single compromised endpoint with RoadK1ll deployed can therefore render internal network segmentation largely ineffective, extending the attacker’s reach across environments that were assumed to be protected by architectural boundaries rather than endpoint-level controls alone.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, enables you to create your own rules in a variety of formats with the UltraWAF policy editor. Plus, you have the option to continuously add new threats through signature protection (for CVE and CWE, such as CMS vulnerabilities) captured by our threat research team.

Source: https://www.bleepingcomputer.com/news/security/new-roadk1ll-websocket-implant-used-to-pivot-on-breached-networks/

File Read Flaw in Smart Slider Plugin Impacts 500K WordPress Sites

(TLP: CLEAR) A security vulnerability tracked as CVE-2026-3098 has been discovered in Smart Slider 3, one of the most popular WordPress plugins for creating image sliders and content carousels, with an active install base of over 800,000 websites. The flaw allows any authenticated user, including those with minimal subscriber-level access, to read arbitrary files stored on the server. The most immediately dangerous consequence is the potential exposure of the wp-config.php file, which contains database credentials, cryptographic keys, and salt data, creating a pathway to full website takeover and user data theft. The vulnerability stems from missing capability checks in the plugin’s AJAX export actions, specifically the actionExportAll function, which lacks file type and source validation. This allows authenticated users to invoke the function and export not just image or video files but any file on the server, including sensitive PHP configuration files. The presence of a security nonce does not prevent abuse because authenticated users can obtain it independently, rendering that protection ineffective in this context. The flaw was discovered and reported by researcher Dmitrii Ignatyev to Wordfence on February 23, with Wordfence validating the proof-of-concept and notifying the plugin developer Nextendweb. A patch was delivered on March 24 with the release of Smart Slider version 3.5.1.34. However, despite the plugin being downloaded over 300,000 times in the past week alone, WordPress.org statistics indicate that at least 500,000 websites are still running a vulnerable version, leaving a substantial portion of the install base exposed. While CVE-2026-3098 has not been flagged as actively exploited at the time of writing, the availability of a validated proof-of-concept and the large number of unpatched sites mean that window could close quickly. Website owners and administrators are urged to update to version 3.5.1.34 immediately.

(TLP: CLEAR) Comments: CVE-2026-3098 is a strong reminder that authentication requirements alone are insufficient as a security boundary when the permissions model within an application is poorly enforced. The vulnerability’s medium severity classification, driven primarily by the authentication prerequisite, risks understating the real-world threat it presents. On the vast majority of affected sites, subscriber-level access is trivially easy to obtain. Any platform offering free registration, membership, or subscription functionality effectively hands an attacker the authentication they need to exploit this flaw, reducing the practical barrier to exploitation to near zero. The specific exposure of wp-config.php is what elevates this beyond a typical file disclosure finding. That file is the single most sensitive asset in a WordPress installation, containing database credentials, authentication keys, and cryptographic salts. Successful retrieval of wp-config.php does not just expose one piece of sensitive data; it provides everything an attacker needs to authenticate directly to the database, extract the full user table including hashed passwords, and potentially pivot to broader server compromise depending on the hosting environment’s configuration. The chain from a medium severity plugin vulnerability to complete site takeover is therefore shorter and more reliable than the CVSS score alone would suggest. The scale of unpatched exposure compounds the concern significantly. With at least 500,000 sites still running vulnerable versions despite an available patch, the window for opportunistic mass exploitation is wide open.
WordPress plugin vulnerabilities with available proof-of-concept exploits historically attract automated scanning activity within days of public disclosure, and the combination of a large unpatched install base, low exploitation barrier, and high-value file exposure makes CVE-2026-3098 an attractive target for exactly that kind of automated campaign. From a web application security standpoint, this case reinforces that capability checks must be enforced at every privileged function regardless of whether a nonce or authentication layer exists upstream. Treating internal export functions as implicitly trusted because they sit behind a login is a design assumption that attackers will reliably exploit given the opportunity.
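The three checks this item says the export action lacked (a capability check, source validation and file type validation) are modelled below as an added example. It is a language-neutral sketch in Python, not Nextendweb's code or the shipped patch; in WordPress the capability test would be a `current_user_can()` call, and the capability name, extension allowlist and directory layout here are assumptions.

```python
import os
import tempfile

# Assumptions for this model: exports may contain only media files that live
# under the uploads directory, and exporting requires a dedicated capability.
MEDIA_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp4"}
EXPORT_CAPABILITY = "export_sliders"  # hypothetical capability name


class ExportDenied(Exception):
    """Raised when an export request fails an authorization or validation step."""


def resolve_export_file(user_caps, nonce_ok, requested, media_root):
    """Return the real path of a file that may be exported, or raise ExportDenied."""
    # A nonce only shows the request came from a page the user loaded (a CSRF
    # defence). Any logged-in user can obtain one, so it is not authorization.
    if not nonce_ok:
        raise ExportDenied("bad nonce")
    # 1. Capability check: the caller must hold the right to export.
    if EXPORT_CAPABILITY not in user_caps:
        raise ExportDenied("missing capability")
    # 2. Source validation: resolve "..", absolute paths and symlinks, then
    #    require the result to stay inside the media root.
    root = os.path.realpath(media_root)
    target = os.path.realpath(os.path.join(root, requested))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. paths on different drives
        inside = False
    if not inside:
        raise ExportDenied("outside media root")
    # 3. File type validation: media only, never PHP or configuration files.
    if os.path.splitext(target)[1].lower() not in MEDIA_EXTENSIONS:
        raise ExportDenied("file type not exportable")
    if not os.path.isfile(target):
        raise ExportDenied("no such file")
    return target


def outcome(user_caps, requested, media_root):
    """Run one request with a valid nonce and report the decision as text."""
    try:
        resolve_export_file(user_caps, True, requested, media_root)
        return "allowed"
    except ExportDenied as exc:
        return str(exc)


def demo():
    """Build a constructed site layout in a temp dir and run five requests."""
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        for path in (os.path.join(site, "wp-config.php"),
                     os.path.join(uploads, "slide.png"),
                     os.path.join(uploads, "notes.php")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        admin, subscriber = {"read", EXPORT_CAPABILITY}, {"read"}
        config = os.path.join(site, "wp-config.php")
        return {
            "subscriber, slide.png": outcome(subscriber, "slide.png", uploads),
            "admin, slide.png": outcome(admin, "slide.png", uploads),
            "admin, ../../wp-config.php": outcome(admin, "../../wp-config.php", uploads),
            "admin, absolute": outcome(admin, config, uploads),
            "admin, notes.php": outcome(admin, "notes.php", uploads),
        }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```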

(TLP: CLEAR) Recommended best practices/regulations: DigiCert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, can augment the effectiveness of your existing on-prem WAF investment by filtering out bad traffic from the public cloud before it reaches your network so you can reduce the overall traffic load on your on-prem devices.

Source: https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/

Hackers Use EtherRAT and EtherHiding to Hide Malware Infrastructure on Ethereum

(TLP: CLEAR) EtherRAT is a sophisticated backdoor discovered by eSentire analysts in March 2026 after being detected within a retail industry customer’s environment. Built on Node.js, the malware gives attackers full remote control over compromised machines, enabling command execution, cryptocurrency wallet theft, and cloud credential harvesting. Sysdig has tied EtherRAT to a North Korean APT group through significant code overlaps with the Contagious Interview campaign, a known pattern in which threat actors impersonate recruiters and IT support staff to deliver malware. The same Ethereum smart contract address appeared across multiple eSentire customer cases spanning retail, finance, software, and business services sectors, indicating a well-organized and continuing multi-industry campaign. EtherRAT’s most technically distinct feature is its use of EtherHiding, a technique that stores command-and-control addresses directly inside an Ethereum smart contract. Because the blockchain cannot be altered or removed by any external authority, attackers can redirect all infected machines to fresh infrastructure simply by updating the contract with a new address, without needing to redeploy the malware itself. To avoid network-level detection, EtherRAT disguises its outbound traffic as ordinary CDN requests, generating beacon URLs that resemble normal static file requests complete with random hexadecimal paths and common file extensions. The malware also sends its own source code back to the C2 server, which returns a freshly scrambled version that overwrites the original, keeping it ahead of signature-based defenses. Persistence is maintained through a Windows registry Run key entry using a randomly generated hexadecimal name executing silently through conhost.exe. Initial access relies primarily on social engineering rather than software exploitation, meaning even fully patched systems remain at risk. 
Defenders are advised to disable mshta.exe and pcalua.exe, restrict the Run prompt through Group Policy, train employees on IT support scams and ClickFix scenarios, and block corporate access to cryptocurrency RPC providers to sever EtherHiding-based C2 communication before it is established.

(TLP: CLEAR) Comments: EtherRAT represents a convergence of several advanced evasion techniques into a single cohesive framework, and its attribution to North Korean threat actors is consistent with that group’s well-documented pattern of combining financial motivation with sophisticated operational security. The Contagious Interview campaign overlap is particularly telling, as North Korean actors have refined the fake recruiter and IT support impersonation approach over multiple years into a highly reliable initial access methodology. The fact that initial access relies entirely on social engineering rather than software exploitation is strategically deliberate, as it renders patch-based defenses completely irrelevant and shifts the burden of prevention onto human judgment, which is inherently less consistent than technical controls. The use of Ethereum as a command and control backbone through EtherHiding deserves particularly careful analytical attention because it represents a fundamental challenge to how defenders have historically approached C2 disruption. Traditional takedown operations work by identifying attacker-controlled infrastructure, whether domains, IP addresses, or hosting providers, and working through legal, technical, or cooperative channels to sever those connections. Ethereum eliminates every one of those intervention points simultaneously. The blockchain is decentralized across thousands of nodes globally, operates outside any single jurisdiction, and cannot be modified or taken down by any authority, law enforcement, hosting provider, or registrar. When an attacker stores a C2 address in an Ethereum smart contract, they are effectively placing their command infrastructure beyond the reach of every conventional disruption mechanism that the security community has developed over decades. 
Updating that address costs fractions of a cent in transaction fees and takes seconds, meaning that even if defenders identify and block a specific C2 server, the attacker can reroute the entire infected fleet to new infrastructure almost instantaneously with no malware redeployment required. The CDN traffic disguise layered on top of the EtherHiding mechanism compounds the detection challenge considerably. By generating beacon URLs that closely resemble legitimate static file requests, EtherRAT blends its communications into the enormous volume of normal web traffic that traverses enterprise networks constantly. Combined with the self-scrambling code mechanism that keeps the malware’s own signature in perpetual flux, defenders face a threat that is simultaneously difficult to detect at the network level, difficult to block at the infrastructure level, and difficult to identify through static signature analysis at the endpoint level. The multi-sector targeting pattern observed across retail, finance, software, and business services reflects a deliberately broad campaign strategy that prioritizes scale and cryptocurrency harvesting over targeted espionage. This is consistent with North Korea’s operational priorities, which have increasingly focused on cryptocurrency theft as a primary revenue generation mechanism to offset the impact of international sanctions. Organizations across all of these sectors should treat the blocking of outbound connections to Ethereum RPC providers as an immediate and non-negotiable defensive measure, as it represents one of the few reliable intervention points available against a C2 architecture that has been specifically engineered to survive every other form of disruption.
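Two of the behaviours described for EtherRAT can be hunted in existing telemetry: a Run key value with a hexadecimal name that launches conhost.exe, and beacon URLs built from random hexadecimal paths with static file extensions. The added example below is not eSentire's or Sysdig's detection logic; the record layouts, the 8-character hex threshold, the extension list and every sample row are constructed assumptions.

```python
import re
from collections import defaultdict

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)  # assumption: 8+ hex characters
# Assumption: every path segment is hex and the last has a static-file extension.
HEX_ASSET = re.compile(
    r"^(?:/[0-9a-f]{8,})*/[0-9a-f]{8,}\.(?:js|css|png|jpg|gif|ico|svg|woff2?)$",
    re.I)


def suspicious_run_values(events):
    """Run-key values whose name is pure hex and whose data launches conhost.exe."""
    hits = []
    for ev in events:
        key, _, name = ev["target"].rpartition("\\")
        if (key.lower().endswith(RUN_KEY_SUFFIX) and HEX_NAME.match(name)
                and "conhost.exe" in ev["details"].lower()):
            hits.append((ev["host"], name))
    return hits


def hex_beacon_pairs(requests, min_hits=3):
    """(client, destination, count) for pairs with min_hits or more hex-only
    asset URLs where no URL repeats. Real static assets are fetched again and
    again; randomly generated beacon paths are not."""
    seen = defaultdict(list)
    for client, dest, path in requests:
        if HEX_ASSET.match(path):
            seen[(client, dest)].append(path)
    return sorted((c, d, len(p)) for (c, d), p in seen.items()
                  if len(p) >= min_hits and len(set(p)) == len(p))


def correlate(events, requests):
    """Hosts showing both the registry and the network signal."""
    reg_hosts = {host for host, _ in suspicious_run_values(events)}
    net_hosts = {client for client, _, _ in hex_beacon_pairs(requests)}
    return sorted(reg_hosts & net_hosts)


# Constructed registry value-set records (fields modelled on Sysmon Event ID 13).
RUN_EVENTS = [
    {"host": "ws-014",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\a3f09c1e7b42",
     "details": r"C:\Windows\System32\conhost.exe <constructed arguments>"},
    {"host": "ws-022",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"host": "ws-031",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\RunOnce\deadbeef01",
     "details": r"C:\Windows\System32\conhost.exe <constructed arguments>"},
]

# Constructed proxy records: (client host, destination host, URL path).
PROXY_REQUESTS = [
    ("ws-014", "static.example.invalid", "/9f3a7c21d0be/4417ac9e.css"),
    ("ws-014", "static.example.invalid", "/0b6e55a1c9d2/e1f0773a.png"),
    ("ws-014", "static.example.invalid", "/7d2c90af13e4/52bb08c6.js"),
    ("ws-022", "cdn.example.invalid", "/assets/app.3f9c2a1b.css"),
    ("ws-022", "cdn.example.invalid", "/assets/logo.png"),
    ("ws-022", "cdn.example.invalid", "/assets/logo.png"),
]

if __name__ == "__main__":
    print(suspicious_run_values(RUN_EVENTS))
    print(hex_beacon_pairs(PROXY_REQUESTS))
    print(correlate(RUN_EVENTS, PROXY_REQUESTS))
```

Legitimate build pipelines also emit hash-named assets, so the network heuristic is a lead to triage rather than a verdict; the correlation with the registry signal is what narrows it.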

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.

Source: https://cybersecuritynews.com/hackers-use-etherrat-and-etherhiding/

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
