{"id":21593,"date":"2026-02-09T14:31:56","date_gmt":"2026-02-09T12:31:56","guid":{"rendered":"https:\/\/kordon.app\/?p=21593"},"modified":"2026-02-09T14:31:57","modified_gmt":"2026-02-09T12:31:57","slug":"latest-interesting-cybersecurity-news-of-the-week-summarised-09-02-2026","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-interesting-cybersecurity-news-of-the-week-summarised-09-02-2026\/","title":{"rendered":"Latest Interesting Cybersecurity News of the Week Summarised &#8211; 09-02-2026"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. <\/strong>Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31<\/p>\n\n\n\n<p>My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.<\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday<\/strong><\/p>\n\n\n\n<p><strong>scroll to the bottom to subscribe to the e-mail newsletter.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Malicious ClawdBot AI Skills Distribute Crypto-Stealing Malware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Security researchers have uncovered 386 malicious AI \u201cskills\u201d published to ClawHub and GitHub between January 27 and February 2 that masquerade as crypto-trading tools but deliver a NovaStealer payload targeting macOS and Windows.\u00a0<br>By exploiting social engineering\u2014urging users to download ZIPs or execute base64-encoded commands from C2 IP 91.92.242.30\u2014attackers harvest exchange API keys, wallet seeds, SSH credentials, browser passwords and other high-value artifacts.<\/b><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>There is no evidence that the skills listed in the ClawdBot ClawHub are scanned by any security tooling. <\/b>Many of the payloads we found were visible in plain text in the first paragraph of the SKILL.md file.<\/li>\n\n\n\n<li><b>First wave: 28 skills (Jan 27\u201329); second wave: 386 variants <\/b>(Jan 31\u2013Feb 2) all pointing at 91.92.242.30 C2 server.<\/li>\n\n\n\n<li>Major contributor \u201chightower6eu\u201d posted 354 variants with <b>7,000+ downloads of malicious updaters, CLI tools and trading assistants.<\/b><\/li>\n\n\n\n<li>Payload: NovaStealer-like Mach-O\/PE binary stealing crypto wallets, API keys, SSH keys, browser credentials and cloud secrets.<\/li>\n\n\n\n<li>Skills remain online at official ClawHub\/GitHub; <b>platform maintainers confirm no intention of removal of these malicious skills after the security review.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For now <b>don&#8217;t use OpenClawd with any real data or credentials.&nbsp;<\/b><\/li>\n\n\n\n<li>Audit and <b>remove all ClawdBot\/ClawHub skills not explicitly vetted.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/opensourcemalware.com\/blog\/clawdbot-skills-ganked-your-crypto\">OpenSourceMalware<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Notepad++ update infrastructure hijacked by Chinese state-sponsored APT for 6 months<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The popular open-source editor <b>Notepad++ had its update infrastructure compromised for six months starting June 2025<\/b>, when \na <b>China-linked APT group<\/b> broke into its hosting provider, selectively redirecting update traffic to deliver a <b>sophisticated \nbackdoor (\u201cChrysalis\u201d)<\/b>. The attack evaded detection by blending into normal developer activity and exploiting missing \nenterprise tracking of unlicensed utilities.&nbsp;<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Attack ran June\u2013Dec 2025<\/b> after hosting provider\u2019s shared server was breached and credentials stolen.<\/li>\n\n\n\n<li><b>Targeted update traffic was redirected to attacker-controlled servers<\/b> hosting an NSIS installer with Chrysalis backdoor.<\/li>\n\n\n\n<li>Rapid7 identified 16 command capabilities and use of Cobalt Strike, Metasploit and Microsoft Warbird loaders.<\/li>\n\n\n\n<li><b>Notepad++ migrated to a new provider and upgraded WinGup to verify certificates and enforce signatures by v8.9.2.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Enforce cryptographic checks on update manifests and installers.<\/b><\/li>\n\n\n\n<li><b>Enforce strict vendor reviews<\/b> for free software like Notepad++ as well.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4126269\/notepad-infrastructure-hijacked-by-chinese-apt-in-sophisticated-supply-chain-attack.html\">CSO Online<\/a>, <a 
href=\"https:\/\/thehackernews.com\/2026\/02\/notepad-hosting-breach-attributed-to.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. AI-Driven Attack Achieves AWS Admin Control in Under 8 Minutes<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Threat actors leveraged exposed AWS credentials and large language models to automate reconnaissance, privilege escalation, lateral movement and resource abuse, achieving full administrative control of an AWS environment in under eight minutes.<\/b><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Initial access: valid IAM keys exposed in public S3 buckets<\/b> containing AI model data.<\/li>\n\n\n\n<li><b>Privilege escalation: <\/b>attackers injected malicious code into a Lambda function with overly permissive execution role to generate new admin credentials.<\/li>\n\n\n\n<li><b>Lateral movement: <\/b>compromised 19 distinct AWS principals by assuming roles and creating backdoor users.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Deploy runtime detection for large-scale IAM enumeration and automated reconnaissance.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4126336\/from-credentials-to-cloud-admin-in-8-minutes-ai-supercharges-aws-attack-chain.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
GlassWorm Targeting MacOS Compromises Four VSCode Extensions with 22000 downloads<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>A recent supply chain compromise saw attackers hijack a trusted publisher on the Open VSX registry to push malicious updates to four VS Code extensions with over 22,000 downloads.&nbsp;<\/b><div><br><\/div><div>\nThe GlassWorm loader\u2014<b>targeting macOS<\/b>\u2014decrypts a staged payload at runtime to <b>steal browser cookies, crypto wallets, SSH keys, AWS credentials<\/b> and more,<b> using Solana transaction memos as a dynamic command-and-control channel.<\/b><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oorzc <b>publisher account compromised<\/b>; <b>malicious updates pushed Jan 30<\/b> to FTP\/SFTP\/SSH Sync Tool, I18n Tools, vscode mindmap and scss-to-css-compile extensions<\/li>\n\n\n\n<li><b>Loader filters for macOS and non-Russian locales, <\/b>decrypts payload and retrieves C2 instructions via Solana transaction memos<\/li>\n\n\n\n<li><b>Harvests Firefox\/Chrome cookies, Safari data, desktop crypto wallets, macOS keychain, Apple Notes and developer secrets (SSH\/AWS\/GitHub tokens)<\/b><\/li>\n\n\n\n<li><b>Achieves persistence via a LaunchAgent<\/b> entry to ensure execution at login and continuous exfiltration<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Rotate all publishing tokens,<\/b> SSH keys, AWS, npm and other developer credentials<\/li>\n\n\n\n<li><b>Scan macOS hosts for unfamiliar LaunchAgents<\/b> (e.g., com.user.nodestart.plist) and remove GlassWorm artifacts<\/li>\n\n\n\n<li><b>Audit CI\/CD pipelines and Git repositories for unauthorized commits or modified build jobs<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/glassworm-infiltrated-vsx-extensions\/\">Cyber Security News<\/a>, <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions\/\">BleepingComputer.com<\/a>, <a href=\"https:\/\/www.securityweek.com\/open-vsx-publisher-account-hijacked-in-fresh-glassworm-attack\/\">SecurityWeek<\/a>, <a href=\"https:\/\/www.darkreading.com\/application-security\/glassworm-malware-developer-ecosystems\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Multiple Critical Vulnerabilities Expose n8n Automation Platform to Server Compromise<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Six new flaws in n8n, including four rated critical (CVSS 9.4), enable remote code execution,\ncommand injection, file access and sandbox escape in shared deployments. <\/b>Exploits can\ncompromise host credentials, secrets and business logic, putting multi-user and cloud\ninstances at high risk.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Upwind researchers disclosed six vulnerabilities <\/b>spanning RCE, command injection, arbitrary file read and XSS in n8n\u2019s sandbox and Git node.<\/li>\n\n\n\n<li><b>Four issues<\/b> (CVE-2026-21893, CVE-2026-25049, CVE-2026-25052, CVE-2026-25053) carry <b>CVSS 9.4;<\/b> an <b>XSS flaw scores 8.5<\/b>, and an <b>info-leak in task runners scores 7.7.<\/b><\/li>\n\n\n\n<li>Pillar Security separately demonstrated a <b>sandbox-escape bypass<\/b> (CVE-2026-25049) that yields full server takeover, exposing environment variables, API keys and OAuth tokens.<\/li>\n\n\n\n<li><b>Both n8n version 2.4.0 (self-hosted) and 1.121.3 <\/b>(authenticated RCE patch) address these flaws; cloud customers should verify managed instances are updated.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Apply n8n updates<\/b> (v2.4.0 or later, and v1.121.3) immediately.<\/li>\n\n\n\n<li><b>Restrict 
workflow-editing permissions to trusted users.<\/b><\/li>\n\n\n\n<li><b>Segment n8n servers from critical networks and monitor access logs.<\/b><\/li>\n\n\n\n<li><b>Use the least privilege principle<\/b> when granting n8n access to other systems.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4128998\/six-more-vulnerabilities-found-in-n8n-automation-platform.html\">CSO Online<\/a>, <a href=\"https:\/\/www.securityweek.com\/critical-n8n-sandbox-escape-could-lead-to-server-compromise\/\">SecurityWeek<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/critical-n8n-rce-vulnerability\/\">CybersecurityNews.com<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Asia-Based APT TGR-STA-1030 Breaches Governments and Infrastructure in 37 Countries<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>State-aligned group TGR-STA-1030 has compromised 70 government and critical infrastructure\nnetworks across 37 countries <\/b>and conducted reconnaissance against 155 more between November and December 2025.<b>\nThe threat actor uses tailored phishing, N-day vulnerability exploits, a dual-stage Diaoyu loader with\nsandbox<\/b> guardrails and a unique Linux eBPF rootkit \u201cShadowGuard\u201d to maintain stealth and persistence.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Successful breaches include national police, border control, finance ministries, parliaments and telcos.<\/li>\n\n\n\n<li>Diaoyu loader checks for \u22651440px resolution, pic1.png file and five specific AV processes before payload execution.<\/li>\n\n\n\n<li>ShadowGuard eBPF rootkit hides up to 32 PIDs, conceals \u201cswsecret\u201d files and intercepts syscalls at kernel level.<\/li>\n\n\n\n<li><b>Supporting tools:<\/b> Cobalt Strike, VShell, Havoc, SparkRat, Behinder and Godzilla web shells, GOST and FRPS tunnels.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next 
Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Harden email defenses against phishing lures&nbsp;<\/b><\/li>\n\n\n\n<li>Continuous <b>phishing training.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/unit42.paloaltonetworks.com\/shadow-campaigns-uncovering-global-espionage\/\">Palo Alto Networks Unit 42<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/02\/asian-state-backed-group-tgr-sta-1030.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.securityweek.com\/cyberspy-group-hacked-governments-and-critical-infrastructure-in-37-countries\/\">SecurityWeek<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>","protected":false},"excerpt":{"rendered":"<p>Latest interesting cybersecurity news from February 
2026<\/p>","protected":false},"author":1,"featured_media":21597,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21593"}],"version-history":[{"count":3,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21593\/revisions"}],"predecessor-version":[{"id":21599,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21593\/revisions\/21599"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21597"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}