Daily Intel Brief

Daily Intel Brief — 2026-03-19

Arc Security Research

APT28 LNK File Campaign with Embedded HTML

What: APT28 (Russian state-sponsored) exploited CVE-2026-21513 using malicious Windows Shortcut (.lnk) files containing embedded HTML for multi-stage payload delivery.

Source: [External: www.recordedfuture.com]

Applies to: General (Windows environments)

Why it matters: This is a live campaign using a sophisticated social engineering vector (malicious files) to bypass defenses, analogous to the .md file attack in the target report.

Actively Exploited n8n Code Injection (CVE-2025-68613)

What: CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities catalog; it is an improper control of dynamically-managed code resources vulnerability in n8n.

Source: [External: www.reddit.com]

Applies to: Organizations using n8n workflow automation

Why it matters: It represents a common, actively exploited entry point due to insufficient input/content validation, mirroring the root cause in the Anthropic finding.

Nuclei Templates Labs Playground

What: ProjectDiscovery released a hands-on security testing playground with vulnerable environments and ready-to-use Nuclei templates for safe experimentation.

Source: [External: projectdiscovery.io]

Applies to: General (security teams and researchers)

Why it matters: Provides a direct resource for teams to build detection and understand exploitation patterns for vulnerabilities like file upload abuses.

Critical Authentication Bypass & RCE Templates

What: Recent Nuclei template highlights include CVE-2025-64446 (FortiWeb auth bypass) and CVE-2024-47575 (FortiManager unauth RCE), both in the CISA KEV catalog.

Source: [External: projectdiscovery.io]

Applies to: General (organizations using affected products)

Why it matters: These are weaponized, reliable detection templates for vulnerabilities under active exploitation, offering immediate defensive utility.

Centralized Directory of Attack Writeups

What: Pentester Land maintains a searchable directory of ethical hacking writeups from bug bounties and pentests.

Source: [External: pentester.land]

Applies to: General (red/blue teams)

Why it matters: It is a primary source for understanding real-world attacker TTPs, including social engineering and file-based initial access methods.

Sources reviewed

22 results scanned. Discarded: Generic trend reports ([1]), broad CVE lists with no active exploitation context ([3], [8], [9]), product announcements ([4], [5], [6], [7], [13]), beginner guides ([11]), tool repositories ([10], [12]), and duplicate/less specific CISA alerts ([15], [16]).

Gaps identified

No external results directly address AI/LLM project file injection vulnerabilities or content scanning bypasses in system contexts. This attack vector appears novel in public reporting. [Internal: research/anthropic-project-injection-report.md] remains our sole source.
