Latest Interesting Cybersecurity News of the Week Summarised – 16-02-2026

I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

1. OpenAI adds Lockdown Mode and ‘Elevated Risk’ labels to reduce prompt-injection risk

OpenAI introduced Lockdown Mode — an optional, deterministic security setting that tightly constrains ChatGPT’s interactions with external systems — and standardized “Elevated Risk” labels for features that introduce additional network-related risk. 

The changes aim to reduce prompt injection–style data exfiltration for high-risk users (e.g., executives, security teams) and to give users clearer guidance when enabling capabilities like internet access in Codex. 

Key Details

• Lockdown Mode is available for ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare, and ChatGPT for Teachers.
• In Lockdown Mode, web browsing is limited to cached content and certain features are deterministically disabled to prevent data exfiltration.
• Workspace admins enable Lockdown Mode in Workspace Settings by creating a role and can select which apps and specific app actions are available.
• OpenAI is applying a consistent “Elevated Risk” label across ChatGPT, ChatGPT Atlas, and Codex for capabilities that introduce extra network-related risk.
• Admins can use the Compliance API Logs Platform for detailed visibility into app usage, shared data, and connected sources.

Next Steps

• Consider enabling Lockdown Mode for high-risk staff

Read more at OpenAI

2. Long form Read: OpenClaw and Moltbook breaches reveal systemic AI-agent security failures

Two leading AI-agent projects were breached within weeks: OpenClaw’s default, unauthenticated control panel and in-process tooling enabled a one‑click remote code execution chain, while Moltbook’s Supabase backend lacked Row Level Security and exposed writable access to its production database. Together these incidents exposed millions of credentials and demonstrate a common architectural failure: no deterministic, protocol-agnostic enforcement layer between agent intent and action, creating high risk for credential theft, supply‑chain compromise, and prompt‑injection attacks.

Key Details

• OpenClaw shipped with control panel bound to 0.0.0.0:18789; SecurityScorecard found 42,900 exposed IPs across 82 countries and estimates ~15,200 are directly vulnerable to RCE.
• ClawHub marketplace supply‑chain issues: Snyk found 76 malicious payloads among 3,984 skills; Koi Security found 341 malicious skills (ClawHavoc) distributing a macOS infostealer.
• Moltbook left Supabase RLS disabled; exposed data included ~1.5 million API tokens, ~35,000 registered emails, and ~4,060 private agent DMs, and granted unauthenticated read/write access to production tables.

Next Steps

• Audit and close agent control panels bound to 0.0.0.0
• Enable RLS/ACLs and rotate any exposed Supabase/API keys immediately

Read more at DEV Community

3. AI Recommendation Poisoning: ‘Summarize with AI’ Buttons Can Inject Persistent, Biased Prompts

Microsoft researchers disclosed a technique—called AI recommendation poisoning—where hidden instructions embedded in 'Summarize with AI' links inject persistent prompts into AI assistants to bias future recommendations. 

Legitimate companies across multiple industries have used the method for promotional advantage, creating risks of skewed vendor, product, or service recommendations that can affect procurement, clinical, or legal decisions. 

Microsoft has published detection queries and deployed mitigations in Copilot, but organizations using AI agents should treat this as an active attack surface.

Key Details

• Microsoft observed 50 unique prompt-based memory-poisoning attempts over a 60-day period.
• Researchers identified 31 different companies across 14 industries using the technique, including one cybersecurity vendor.
• The attack embeds instructions via URL ‘prefill’ parameters on ‘Summarize with AI’ buttons that load into an active AI assistant session.
• Turnkey tools cited as enablers include the CiteMET NPM package and AI Share URL Creator.
• The technique requires an active, logged-in AI assistant session and targets specific AI domains (limits depend on which assistant is used).
• Microsoft published threat-hunting queries and has implemented mitigations in Microsoft 365 Copilot.

Next Steps

• Hunt for AI-prefill URLs containing ‘remember’ or ‘trusted source’.
• Block or sanitize external ‘Summarize with AI’ prefill links.
• Disable persistent memory for enterprise AI assistants where feasible.

Read more at Microsoft Security Blog, CSO Online, Dark Reading

4. Organized campaign of 30+ malicious Chrome ‘AI assistant’ extensions steals API keys, emails, and page data

Security researchers (LayerX Security) uncovered an operation—named AiFrame—using at least 32 Chrome extensions installed by roughly 260,000 users that pose as AI chatbots or productivity helpers while exfiltrating API keys, email content and other sensitive page data. 

The extensions load attacker-controlled iframes (remote content) to extract readable page content and Gmail DOM data, can capture voice input, and are able to change functionality post-install without Chrome Web Store updates; many remain listed on the store.

Key Details

• LayerX Security identified 32 malicious extension IDs that share the same codebase and permissions.
• All identified extensions communicate with attacker infrastructure under tapnetic [.] pro (and onlineapp [.] pro) subdomains.
• A cluster of ~15 extensions specifically target Gmail, reading visible message threads, drafts and compose text from the DOM.
• Extensions use injected remote-controlled iframes and Mozilla’s Readability library to extract article content and authentication details from active tabs.
• Some malicious extensions were re-published under new IDs after removals (extension ‘spraying’), and at least one carried a Chrome Web Store ‘Featured’ badge.
• Installed base across the campaign is approximately 260,000 users, with high-install examples observed in the tens of thousands.

Next Steps

• Audit and block the LayerX-listed extension IDs via enterprise policies
• Rotate API keys, OAuth tokens, and any exposed credentials
• Monitor/block network egress to tapnetic[.]pro and onlineapp[.]pro

Read more at SecurityWeek, BleepingComputer, The Register, CybersecurityNews, Malwarebytes, CybersecurityNews

5. Malicious Outlook Add-in ‘AgreeTo’ Hijacked to Steal 4,000+ Microsoft Credentials and Payment Data

Security researchers found the first documented malicious Microsoft Outlook add-in: AgreeTo, a formerly legitimate meeting-scheduler whose hosting URL was reclaimed by an attacker and used to serve a fake Microsoft login. 

The campaign — dubbed AgreeToSteal by Koi Security — captured over 4,000 Microsoft account credentials, credit card numbers, banking security answers and IP addresses by presenting the phishing page inside Outlook’s trusted sidebar. The incident exposes a supply-chain gap in Office add-ins: Microsoft validates manifests at submission but does not continuously monitor the live remote content those manifests load.

Key Details

• Koi Security recovered a dataset of more than 4,000 victims containing Microsoft credentials, credit card numbers, banking security answers and IP addresses.
• The add-in (AgreeTo) was published to the Microsoft Office Add-in Store in December 2022 and later abandoned by its developer.
• The manifest pointed to outlook-one.vercel.app; the attacker re-registered that Vercel deployment and deployed a phishing kit.
• Captured credentials were exfiltrated using the Telegram Bot API, according to the researchers.
• AgreeTo had ReadWriteItem permissions, which would allow reading/modifying user emails if abused.
• Microsoft removed the add-in from the store after Koi Security reported the campaign (codenamed AgreeToSteal).

Next Steps

• Scan tenants for the ‘AgreeTo’ add-in and uninstall it immediately
• Block outlook-one[.]vercel.app and related Vercel hosts at network/proxy
• Force password resets for impacted accounts and enable/verify MFA

Read more at BleepingComputer, CSO Online, The Hacker News, CybersecurityNews

6. ClickFix campaign leverages nslookup DNS staging, Pastebin JavaScript and LLM artifacts to deliver ModeloRAT and macOS infostealers

Security researchers and Microsoft detail a new ClickFix variant that tricks users into pasting and running commands which use nslookup against an attacker-controlled DNS server to retrieve and execute a second-stage payload. 

The Windows chain downloads a ZIP (from azwsappdev[.]com) containing a portable Python bundle that runs reconnaissance, drops a VBScript and a Startup shortcut for persistence, and ultimately installs ModeloRAT; parallel variants use Pastebin-posted JavaScript to hijack crypto swaps and Claude LLM artifacts to push macOS infostealers. This technique weaponizes DNS as a lightweight staging channel to blend malicious activity into normal network traffic and bypass some detection controls.

Key Details

• The initial command runs via cmd.exe/Run and performs an nslookup against a hard-coded external DNS resolver; the DNS ‘Name:’ response contains the second-stage code.
• The infection chain downloads a ZIP archive from azwsappdev[.]com that contains a portable Python bundle and a malicious Python script used for host/domain reconnaissance.
• The malware establishes persistence by dropping a VBScript and creating a MonitoringService.lnk shortcut in the Windows Startup folder.
• Microsoft Defender identifies the activity as Trojan:Win32/ClickFix.R!ml and links the final payload to ModeloRAT.
• Related ClickFix variants include malicious JavaScript posted in Pastebin comments to intercept Web3 swap flows and Claude LLM-derived artifacts that trick macOS users into running infostealer-install commands.

Next Steps

• Alert on or block nslookup/cmd.exe nslookup usage from user sessions
• Block or monitor outbound DNS to unapproved external resolvers and unknown download domains
• Train users: never paste code/JS into console or terminal; verify crypto recipients manually

Read more at The Hacker News, BleepingComputer, BleepingComputer, CybersecurityNews, CybersecurityNews

7. SSHStalker botnet uses IRC C2 and SSH brute-force, exploiting legacy Linux kernel flaws to enroll thousands of hosts

Security researchers disclosed SSHStalker, a newly observed Linux botnet that combines automated SSH scanning/brute-forcing with Internet Relay Chat (IRC) command-and-control to enroll compromised servers into control channels. 

The campaign leverages a Golang SSH scanner, C/Perl IRC bots, rootkits and log-cleaners, and a back-catalog of 2009–2010 Linux kernel exploits to maintain long-tail persistence rather than immediate abuse. Staging data shows roughly 7,000 SSH scan results in January 2026 — many in cloud hosting ranges — making legacy and forgotten infrastructure prime targets for sustained access.

Key Details

• Flare identified a toolkit containing 16 distinct Linux kernel vulnerabilities from 2009–2010 (examples: CVE-2009-2692, CVE-2010-3849, CVE-2010-1173).
• Attack pipeline uses a Golang scanner (observed dropped as a binary named “nmap”) that probes port 22 to find SSH targets and propagate in a worm-like fashion.
• Staging data referenced ~7,000 fresh SSH scan results from January 2026, including many IPs in large cloud hosting ranges.
• Payloads include IRC-controlled bots written in C and Perl, rootkits, cryptocurrency miners, an AWS secret-stealing utility, and log cleaners that tamper with utmp/wtmp/lastlog and shell history.
• Persistence mechanisms: the kit compiles C code on-host (installs GCC), often places files in /dev/shm, and adds a one-minute cron-based watchdog that restarts the main process within ~60 seconds if killed.
• Operational traces suggest possible Romanian-language fingerprints and overlaps with the Outlaw (aka Dota) group, per Flare’s analysis.

Next Steps

• Disable SSH password authentication; enforce key-based access and rate-limit logins.
• Hunt for one-minute cron jobs and remove kits in /dev/shm and compiled binaries.
• Alert on unexpected GCC/make runs and signs of utmp/wtmp/lastlog tampering.

Read more at CSO Online, BleepingComputer, The Hacker News, CybersecurityNews

8. South Korea fines Louis Vuitton, Dior, Tiffany KRW 36 billion (~$25M) for SaaS security failures after breaches exposed >5.5M customers

South Korea’s Personal Information Protection Commission (PIPC) levied KRW 36.033 billion (about US$25 million) in fines against local subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany after investigators found basic security controls were not applied to a cloud-based customer management SaaS, enabling breaches that exposed data for more than 5.5 million customers. 

The regulator found malware- and social-engineering-driven compromises, failures to enforce IP-based access controls, strong authentication, bulk-export restrictions, and delays in breach notification — and emphasized that using SaaS does not transfer responsibility for protecting personal data. 

Key Details

• Total fines: KRW 36.033 billion (~US$25M); additional penalties KRW 10.8 million.
• PIPC found all three lacked IP-based access controls, stronger authentication, bulk-download restrictions, and timely breach notification (72-hour requirement).
• Google researchers linked the campaign to the ShinyHunters group, and the threat actor later claimed responsibility for LVMH systems (per reporting).

Next Steps

• Enforce IP allow-lists and restrict remote SaaS access
• Mandate strong MFA and least-privilege for SaaS accounts
• Block bulk exports; implement monthly access-log reviews and alerts

Read more at CSO Online, BleepingComputer

9. EU unconditionally approves Google’s $32B acquisition of Wiz, removing major regulatory hurdle

The European Commission has unconditionally cleared Google's $32 billion acquisition of cloud security vendor Wiz under the EU Merger Regulation, finding the transaction raises no competition concerns in the European Economic Area. 

The decision removes a key regulatory uncertainty for the deal, but analysts warn Google ownership could undermine Wiz's cloud neutrality and increase long‑term vendor lock‑in risks for enterprises.

Key Details

• Deal value: $32 billion for cloud security firm Wiz.
• US antitrust review: DOJ previously cleared the acquisition in November 2025.
• Google states Wiz products will remain available across all major cloud platforms; analysts caution potential erosion of neutrality.

Read more at CSO Online, SecurityWeek

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.