Market & Momentum - 03/30/2026

This week opens with sharpened enterprise risk around edge reconnaissance heating up, supply-chain poisoning in developer tooling, and real-world mobile exploit pressure—showing how attackers are pairing “quiet access” with fast monetization lanes.

Author

J.W. Croley
March 30, 2026

In partnership with

88% resolved. 22% stayed loyal. What went wrong?

That's the AI paradox hiding in your CX stack. Tickets close. Customers leave. And most teams don't see it coming because they're measuring the wrong things.

Efficiency metrics look great on paper. Handle time down. Containment rate up. But customer loyalty? That's a different story — and it's one your current dashboards probably aren't telling you.

Gladly's 2026 Customer Expectations Report surveyed thousands of real consumers to find out exactly where AI-powered service breaks trust, and what separates the platforms that drive retention from the ones that quietly erode it.

If you're architecting the CX stack, this is the data you need to build it right. Not just fast. Not just cheap. Built to last.

Over the last ~72 hours, threat signals converged on five patterns: critical edge-device reconnaissance on perimeter gateways, developer supply-chain compromise through trusted packages, cloud account intrusion with governance implications, Mac-targeted ClickFix execution chains, and mobile exploit activity forcing emergency user updates.

The operational takeaway: your biggest losses this week won’t come from “mystery malware,” they’ll come from exposed edges, over-trusted ecosystems, and under-governed identities.

📈 Risk Forecast – The Week Ahead 📉

Trend (Macro)

Likelihood

Direction

Signal for the Week

Edge gateway exploitation pressure (pre-exploit recon)

81%

🔺 Rising

Critical NetScaler recon suggests rapid weaponization is imminent.

Software supply-chain compromise in dev ecosystems

76%

🔺 Rising

Backdoored packages and stolen publisher creds reappear as a reliable access path.

Cloud account compromise (IaaS control-plane access)

72%

🔺 Rising

Cloud environments remain high-trust targets with high blast radius.

User-assisted execution targeting macOS (ClickFix variants)

68%

🔺 Rising

Fake verification and “run-this” flows keep slipping past expectations and controls.

Mobile web-exploit pressure on outdated devices

65%

🔺 Rising

iOS exploitation activity is forcing urgent update behavior, especially for older fleets.

🔎 Key Watchlist Items 🔍

  1. Citrix NetScaler critical bug seeing active recon (CVE-2026-3055) — Active scanning means your patch window is already closing, so treat every internet-facing ADC/Gateway instance as NetScaler-recon until you confirm remediation and reduced exposure.

  2. Backdoored Telnyx Python SDK used WAV steganography for malware — Supply-chain compromise via stolen publisher access is back in the spotlight, and “official SDK” does not mean safe when the pipeline is compromised; prioritize hunting for Telnyx-PyPI installs in build systems and dev endpoints.

  3. TeamPCP pushes malicious Telnyx versions to PyPI with stealth techniques — This reinforces that repo/package governance is now a security control, not a developer preference, and you need monitoring for audio-steg-style payload staging inside “normal” artifacts.

  4. European Commission investigating breach after Amazon cloud account hack — Control-plane access in cloud environments turns into “everything access” fast, so treat this as a reminder to harden tenant governance and investigate abnormal administrative activity tied to AWS-account events.

  5. Cloudflare-themed ClickFix drops Infiniti Stealer on macOS — The Mac storyline continues to evolve beyond “rare edge cases,” with fake CAPTCHA flows driving user execution and delivering stealers via ClickFix-Mac chains.

  6. Apple pushes lock-screen alerts urging updates due to active web exploits — When Apple starts warning users directly, it’s a signal the threat is real and persistent, so treat VIP device compliance as urgent and track risk around LockScreen-alerts for outdated fleets.

Go from AI overwhelmed to AI savvy professional

AI will eliminate 300 million jobs in the next 5 years.

Yours doesn't have to be one of them.

Here's how to future-proof your career:

  • Join the Superhuman AI newsletter - read by 1M+ professionals

  • Learn AI skills in 3 mins a day

  • Become the AI expert on your team

📊 Emerging Patterns 📊

Recon is the new “exploit is coming.” When edge platforms hit active recon, exploitation tends to follow quickly.

Supply chain is staying hot because it scales. One poisoned dependency can land in thousands of environments without ever “phishing” anyone.

Cloud governance is a blast-radius problem. If an attacker lands control-plane privileges, containment gets expensive and noisy.

ClickFix keeps winning because it weaponizes compliance. Users follow steps because they look legitimate, and the payload arrives without “traditional” exploit noise.

Mobile compromise is operational now. Outdated devices are being directly called out because attackers are actively targeting them.

⏰ Call to Action ⏰

NetScaler exposure triage: identify every internet-facing ADC/Gateway, confirm patch status, restrict management planes, and add detections for recon + abnormal auth attempts.

Dev supply-chain containment: enforce dependency allowlists where possible, monitor for new package versions in CI/CD, and alert on suspicious SDK updates across dev endpoints.

Cloud control-plane hardening: validate MFA and conditional access for admins, review new access keys/tokens, and baseline unusual console logins and permission changes.

Mac execution controls: detect suspicious shell invocation patterns, block common stealer staging behaviors, and reinforce that “verification steps” should never require running pasted commands.

Mobile compliance for VIPs: enforce minimum iOS versions for leaders and high-risk roles, reduce “temporary exceptions,” and treat mobile patching as identity security.

⚡ Monday Motivation ⚡

If the edge is being probed, the supply chain is being poisoned, and users are being coached into executing payloads…

then the winning strategy is fast governance: know your assets, lock your trust surfaces, and verify what changed.

This week’s reality: attackers don’t need to break down the front door when they can walk in through your edge, ride your dependencies, or borrow your users.

J.W.

(P.S. Forward this to the SOC, infra owners, engineering leadership, and cloud governance teams to align edge urgency, supply-chain controls, and identity discipline.)

88% resolved. 22% loyal. Your stack has a problem.

Those numbers aren't a CX issue — they're a design issue. Gladly's 2026 Customer Expectations Report breaks down exactly where AI-powered service loses customers, and what the architecture of loyalty-driven CX actually looks like.