Attacks leveraging the ‘PolyShell’ vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores.

According to eCommerce security company Sansec, hackers started exploiting the critical PolyShell issue en masse last week, just two days after public disclosure.

“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec says.

The researchers previously reported that the problem lies in Magento’s REST API, which accepts file uploads as part of the custom options for the cart item, allowing polyglot files to achieve remote code execution or account takeover via stored cross-site scripting (XSS), if the web server configuration allows it.

Adobe released a fix in version 2.4.9-beta1 on March 10, 2026, but it has not yet reached the stable branch. BleepingComputer previously contacted Adobe to ask about when a security update addressing PolyShell will become available for production versions, but we have not received a response.

Meanwhile, Sansec has published a list of IP addresses that target scanning for web stores vulnerable to PolyShell.

WebRTC skimmer

Sansec reports that in some of the attacks suspected to exploit PolyShell, the threat actor delivers a novel payment card skimmer that uses Web Real-Time Communication (WebRTC) to exfiltrates data.

WebRTC uses DTLS-encrypted UDP rather than HTTP, so it is more likely to evade security controls even on sites with strict Content Security Policy (CSP) controls like “connect-src.”

The skimmer is a lightweight JavaScript loader that connects to a hardcoded command-and-control (C2) server via WebRTC, bypassing normal signaling by embedding a forged SDP exchange.

It receives a second-stage payload over the encrypted channel, then executes it while bypassing CSP, primarily by reusing an existing script nonce, or falling back to unsafe-eval or direct script injection. Execution is delayed using ‘requestIdleCallback’ to reduce detection.

Sansec noted that this skimmer was detected on the e-commerce website of a car maker valued at over $100 billion, which did not respond to their notifications.

The researchers provide a set of indicators of compromise that can help defenders protect against these attacks.

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Download The Report

from the melted-snowflakes dept

Last week we covered how the government successfully convinced Judge Colleen McMahon to order the plaintiffs in the DOGE/National Endowment for the Humanities (NEH) lawsuit to “claw back” the viral deposition videos they had posted to YouTube — videos showing DOGE operatives Justin Fox and Nate Cavanaugh stumbling through questions about how they used ChatGPT to decide which humanities grants to kill, and struggling mightily to define “DEI” despite it apparently being the entire basis for their work.

The government’s argument was that the videos had led to harassment and death threats against Fox and Cavanaugh — the same two who had no problem obliterating hundreds of millions in already approved grants with a simplistic ChatGPT prompt, but apparently couldn’t handle the public seeing them struggle to explain themselves under oath. The government argued the videos needed to come down. The judge initially agreed and ordered the plaintiffs to pull them. As we noted at the time, archivists had already uploaded copies to the Internet Archive and distributed them as torrents, because that’s how the internet works.

Well, now Judge McMahon has issued a full ruling on the government’s motion for a protective order, and has reversed course. The government’s motion is denied. The videos are now back up. There are hours and hours of utter nonsense for you to enjoy. Here are just a couple of the videos:

The ruling is worth reading in full, because McMahon manages to be critical of both sides while ultimately landing firmly against the government’s attempt to suppress the videos. She spends a good chunk of the opinion scolding the plaintiffs for what she clearly views as a procedural end-run — they sent the full deposition videos to chambers on a thumb drive without ever filing them on the docket or seeking permission to do so, which she sees as a transparent attempt to manufacture a “judicial documents” argument that would give the videos a presumption of public access.

McMahon doesn’t buy it:

When deciding a motion for summary judgment, the Court wants only those portions of a deposition on which a movant actually relies, and does not want to be burdened with irrelevant testimony merely because counsel chose to, or found it more convenient to, submit it. And because videos cannot be filed on the public docket without leave of court, there was no need for the rule to contain a specific reference to video transcriptions; the only way to get such materials on the docket (and so before the Court) was to make a motion, giving the Court the opportunity to decide whether the videos should be publicly docketed. This Plaintiffs did not do.

But if Plaintiffs wanted to know whether the Court’s rule applied to video-recorded depositions, they could easily have sought clarification – just as they could easily have filed a motion seeking leave to have the Clerk of Court accept the videos and place them on the public record. Again, they did not. At the hearing held on March 17, 2026, on Defendants’ present motion for a protective order, counsel for ACLS Plaintiffs, Daniel Jacobson, acknowledged the reason, stating “Frankly, your Honor, part of it was just the amount of time that it would have taken” to submit only the portions of the videos on which Plaintiffs intended to rely. Hr’g Tr., 15:6–7. In other words, “It would have been too much work.” That is not an acceptable excuse.

The Court is left with the firm impression that at least “part of” the reason counsel did not ask for clarification was because they wished to manufacture a “judicial documents” argument and did not wish to be told they could not do so. The Court declines to indulge that tactic.

Advertisement

Fair enough. But having knocked the plaintiffs for their procedural maneuver, the judge then turns to the actual question: has the government shown “good cause” under Rule 26(c) to justify a protective order keeping the videos off the internet? And the answer is a pretty resounding no. And that’s because public officials acting in their official capacities have significantly diminished privacy interests in their official conduct:

The Government’s motion fails for three independent reasons. First, the materials at issue concern the conduct of public officials acting in their official capacities, which substantially diminishes any cognizable privacy interest and weighs against restriction. Second, the Government has not made the particularized showing of a “clearly defined, specific and serious injury” required by Rule 26(c). Third, the Government has not demonstrated that the prospective relief it seeks would be effective in preventing the harms it identifies, particularly where those harms arise from the conduct of third-party actors beyond the control of the parties.

She cites Garrison v. Louisiana (the case that extended the “actual malice” standard from NY Times v. Sullivan) for the proposition that the public’s interest “necessarily includes anything which might touch on an official’s fitness for office,” and that “[f]ew personal attributes are more germane to fitness for office than dishonesty, malfeasance, or improper motivation.” Given that these depositions are literally about how government officials decided to terminate hundreds of millions of dollars in grants, that framing fits.

The judge also directly calls out the government’s arguments about harassment and reputational harm, and essentially says: that’s the cost of being a public official whose official conduct is being scrutinized. Suck it up, DOGE bros.

Reputational injury, public criticism, and even harsh commentary are not unexpected consequences of disclosing information about public conduct. They are foreseeable incidents of public scrutiny concerning government action. Where, as here, the material sought to be shielded by a protective order is testimony about the actions of government officials acting in their official capacities, embarrassment and reputational harm arising from the public’s reaction to official conduct is not the sort of harm against which Rule 26(c) protects. Public officials “accept certain necessary consequences” of involvement in public affairs, including “closer public scrutiny than might otherwise be the case.”

As for the death threats and harassment — which McMahon explicitly says she takes seriously and calls “deeply troubling” and “highly inappropriate” — she notes that there are actual laws against threats and cyberstalking, and that Rule 26(c) protective orders aren’t a substitute for law enforcement doing its job:

There are laws against threats and harassment; the Government and its witnesses have every right to ask law enforcement to take action against those who engage in such conduct, by enforcing federal prohibitions on interstate threats and cyberstalking, see, e.g., 18 U.S.C. §§ 875(c), 2261A, as well as comparable state laws. Rule 26(c) is not a substitute for those remedies.

And then there’s the practical reality McMahon acknowledges directly: it’s too damn late. The videos have already spread everywhere. A protective order aimed solely at the plaintiffs would accomplish approximately nothing.

At bottom, the Government has not shown that the relief it seeks is capable of addressing the harm it identifies. The videos have already been widely disseminated across multiple platforms, including YouTube, X, TikTok, Instagram, and Reddit, where they have been shared, reposted, and viewed by at least hundreds of thousands of users, resulting in near-instantaneous and effectively permanent global distribution. This is a predictable consequence of dissemination in the modern digital environment, where content can be copied, redistributed, and indefinitely preserved beyond the control of any single actor. Given this reality, a protective order directed solely at Plaintiffs would not meaningfully limit further dissemination or mitigate the Government’s asserted harms.

Separately, the plaintiffs asked for attorney’s fees, and McMahon denied that too, noting that she wasn’t going to “reward Plaintiffs for bypassing its procedures” even though the government’s motion ultimately failed. So everyone gets a little bit scolded here. But the bottom line is clear: you don’t get to send unqualified DOGE kids to nuke hundreds of millions in grants using a ChatGPT prompt, and then ask a court to hide the video of them trying to explain themselves under oath.

Releasing full deposition videos is certainly not the norm, but given that these are government officials who were making massively consequential decisions with a chatbot and no discernible expertise, the world is much better off with this kind of transparency — even if Justin and Nate had to face some people on the internet making fun of them for it.

Filed Under: depositions, doge, justin fox, nate cavanaugh, neh, public scrutiny

Companies: american council of learned societies, american historical association, authors guild

Meanwhile, a Los Angeles jury is deliberating a social media addiction lawsuit against Meta and Google.

A New Mexico jury has found that Meta endangered children by misleading users about the safety of its platforms. The decision comes after a nearly seven-week trial, resulting in Meta being told to pay $375m in damages.

“The jury’s verdict is a historic victory for every child and family who has paid the price for Meta’s choice to put profits over kids’ safety,” said New Mexico attorney general Raúl Torrez, who filed the lawsuit against Meta in 2023.

In the suit, he claimed Meta knowingly exposes children to sexual exploitation and mental harm for profit. Meta owns Instagram, Facebook and WhatsApp.

According to the New Mexico Department of Justice, evidence presented at the trial established that Meta’s design features enable bad actors to engage in child sexual exploitation. Evidence also showed platforms are also designed to addict young people, according to the department.

“Meta executives knew their products harmed children, disregarded warnings from their own employees, and lied to the public about what they knew. Today the jury joined families, educators, and child safety experts in saying enough is enough,” Torrez added. The company has been found to have violated parts of the state’s Unfair Practices Act.

Meta plans to appeal the decision. “We respectfully disagree with the verdict and will appeal,” Meta said in statement yesterday (24 March).

“We work hard to keep people safe on our platforms and are clear about the challenges of identifying and removing bad actors or harmful content. We will continue to defend ourselves vigorously, and we remain confident in our record of protecting teens online.”

Meanwhile Torrez will be asking the presiding judge to place additional penalties on Meta during a bench trial scheduled in early May. Torrez will also be asking the court to force Meta to make its apps safer for children.

The New Mexico verdict is a major loss for Meta, which is gearing up for a number of trials set for this year. A jury in Los Angeles is currently deliberating a social media addiction suit against Meta and Google. TikTok and Snapchat were involved in the original suit, but have since settled out of court.

Thousands have filed lawsuits against social media companies over the alleged harm they pose to their users, including more than 40 US state attorney generals.

A coalition suit filed in 2023 accused Meta of designing and deploying “harmful features” on Instagram and Facebook, which get younger people addicted to these platforms.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

‘Wispit 2C’ is estimated to be about 5m years old and most likely 10 times the mass of Jupiter.

Galway native Chloe Lawlor has discovered a new planet – the second one to be found forming near an infant star called ‘Wispit 2’, some 437 light years away.

As a child, Lawlor wanted to be an artist, she tells SiliconRepublic.com. However, she changed her mind once she joined university. “I moved into physics because I did like physics in school, so I thought, ‘Oh, maybe I’ll just try this out.’”

The 25-year-old says discoveries such as these feed the innate curiosity humans have in wanting to know how we came to be, how we evolved and why we are here. Lawlor is a PhD student at the University of Galway’s Centre for Astronomy at the School of Natural Sciences and the Ryan Institute.

She is working in collaboration with project lead Richelle van Capelleveen, a PhD student from Leiden Observatory in the Netherlands, and postdoctoral researcher Guillaume Bourdarot from the Max Planck Institute for Extraterrestrial Physics in Germany, to learn more about young planets and how they’re forming.

“Most of the planets that we’ve observed have been much older,” Lawlor says. “We don’t know how they get to those sort of final stages like something like our solar system. This is really key for these formation theories and it’s hopefully going to tell us a lot about these young systems, how they’re forming, and then how they evolve.”

Lawlor’s new discovery, an exoplanet named ‘Wispit 2C’, is thought to be about 5m years old. ‘Wispit 2B’, a nearby planet, was discovered last year by van Capelleveen and Dr Laird Close from the University of Arizona.

Both these exoplanets are at early stages of formation in the disc around Wispit 2, which is located in the Constellation of the Eagle, a prominent equatorial constellation visible in the northern hemisphere summer along the Milky Way.

Lawlor’s discovery makes Wispit 2 the second known young and still forming multi-planet system. The only other system yet discovered with more than one planet developing is PDS 70, some 400 light years away from Earth.

Wispit 2C is a gas giant, likely around 10 times the mass of Jupiter. It is twice as massive as Wispit 2B and orbits four-times closer to its host star, which makes it incredibly difficult to detect with ground-based telescopes.

Wispit 2B and Wispit 2C forming around Wispit 2. Image: ESO/C Lawlor, R F van Capelleveen et al.

The exoplanet was detected using the European Southern Observatory’s Very Large Telescope in Chile’s Atacama desert. By linking several telescopes together to act as one giant instrument, the research team was able to observe regions very close to the star. In their analysis, the team was able to detect carbon monoxide gas, a chemical commonly found in the atmospheres of young giant planets.

Lawlor said earlier this week: “At first, we weren’t sure if it was a planet or a very large dust clump. We very quickly made follow-up observations using the Very Large Telescope Interferometer, an incredible setup where multiple telescopes can be connected to form a large virtual telescope.

“This allowed us to take what we call a spectrum, which is essentially a chemical fingerprint revealing the elements and molecules in an object’s atmosphere.”

Lawlor led the study, which has been published in The Astrophysical Journal Letters.

Prof Frances Fahy, director of the Ryan Institute, said: “The discovery of the planet Wispit 2C is a remarkable achievement and highlights the world-class astrophysics research taking place at University of Galway.”

The team will continue on with their efforts to hopefully find more planets in the system.

Last year, a study from Scotland’s University of St Andrews showed how giant free-floating planets could make their own miniature planetary systems without needing a star to orbit around. In a different study from 2025, scientists – for the first time – observed the very early stages of the creation of a new solar system around a baby star.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.