{"id":21614,"date":"2026-02-23T13:33:23","date_gmt":"2026-02-23T11:33:23","guid":{"rendered":"https:\/\/kordon.app\/?p=21614"},"modified":"2026-02-23T13:33:23","modified_gmt":"2026-02-23T11:33:23","slug":"latest-interesting-cybersecurity-news-23-02-2026","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-interesting-cybersecurity-news-23-02-2026\/","title":{"rendered":"Latest Interesting Cybersecurity News &#8211; 23-02-2026"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. <\/strong>Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31<\/p>\n\n\n\n<p>My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.<\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday<\/strong><\/p>\n\n\n\n<p><strong>scroll to the bottom to subscribe to the e-mail newsletter.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Researchers Demonstrate 27 Server\u2011Side Attacks Against Major Cloud Password Managers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>A research team from ETH Zurich and Universit\u00e0 della Svizzera italiana <\/b>published a paper showing <b>27 successful attacks against cloud password managers <\/b>that break assumptions behind Zero\u2011Knowledge Encryption when a provider's server is malicious or compromised. <b>The attacks (12 vs Bitwarden, 7 vs LastPass, 6 vs Dashlane)<\/b> range from integrity violations to full recovery of vault passwords, prompting vendors to patch issues and highlighting the operational risk of relying solely on server\u2011side protections.&nbsp;<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Total of 27 distinct attacks: <b>12 against Bitwarden, 7 against LastPass, 6 against Dashlane.<\/b><\/li>\n\n\n<li><b>Collective user base affected: researchers note these solutions serve over 60 million users and ~125,000 businesses.<\/b><\/li>\n\n\n<li><b>Researchers found that 1Password\u2019s Secret Key, a random code that stays only on your devices, makes most of these server-side attacks mathematically impossible. Even if a hacker takes over the company\u2019s servers, they lack the second half of the key needed to decrypt the data.&nbsp;<\/b><br><\/li>\n\n\n<li><b>Vendors used the study\u2019s 90\u2011day disclosure window to issue fixes; Dashlane removed legacy cryptography in Extension v6.2544.1 (Nov 2025).<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Update<\/b> Bitwarden, LastPass, and Dashlane clients immediately<\/li>\n\n\n<li><b>Audit account\u2011recovery and sharing workflows<\/b> for key\u2011escrow risks<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/02\/study-uncovers-25-password-recovery.html\">The Hacker News<\/a>, <a href=\"https:\/\/hackread.com\/researchers-demonstrate-password-managers-attacks\/\">HackRead<\/a>, <a href=\"https:\/\/www.wired.com\/story\/security-news-this-week-password-managers-share-a-hidden-weakness\/\">Wired<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">2. Device-code phishing campaign abuses OAuth to bypass Microsoft 365 MFA and gain persistent account access<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><div><div><b>The victim is directed to the legitimate Microsoft domain<\/b> (microsoft.com\/devicelogin) <b>portal to enter an attack-supplied device code.<\/b> <b>This action authenticates the victim and issues a valid OAuth access token to the attacker\u2019s application. <\/b>The real-time theft of these tokens grants the attacker persistent access to the victim\u2019s Microsoft 365 accounts and corporate data - Mail, Teams, OneDrive etc.<\/div><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Victims enter the code on a real microsoft.com login page; the code is tied to the attacker&#8217;s pre-registered device<\/b><\/li>\n\n\n<li>Attackers obtain OAuth access and refresh tokens (not necessarily raw credentials), <b>allowing persistent access<\/b> to Outlook, Teams, OneDrive<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Create an allowlist of authorized OAuth apps<\/b> in your tenant<\/li>\n\n\n<li><b>Disable device code flow in conditional access if not required<\/b><\/li>\n\n\n<li><b>Inventory and audit OAuth integrations and their scopes<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/blog.knowbe4.com\/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa\">KnowB4<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4134874\/new-phishing-campaign-tricks-employees-into-bypassing-microsoft-365-mfa.html\">CSO Online<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">3. AI coding assistants&#8217; local config directories are leaking credentials to public GitHub repositories<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Local configuration directories created by AI coding assistants (e.g., Claude Code, Cursor, Continue) can contain API keys, database credentials and other secrets that developers are accidentally committing to public repositories.&nbsp;<\/b><div><b><br><\/b><\/div><div>Coding assistants love using git add -A that adds all files (including these configuration files) to git.&nbsp;<br><div><br><\/div><div><b>A targeted scan using the open-source tool claudleak found verified credentials in real repositories \u2014 about 2.4% of repos containing AI tool config directories \u2014 <\/b>demonstrating tangible exposure risk that organizations need to audit and remediate immediately.<\/div><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Author example: a committed .claude\/settings.local.json contained whitelisted commands with database passwords and API keys<\/li>\n\n\n<li>Common directories involved:<b> .claude\/, .cursor\/, .continue\/, .copilot\/, .aider\/<\/b><\/li>\n\n\n<li><b>claudleak (open-source, written in Go) searches GitHub for those config dirs then runs TruffleHog against their paths<\/b><\/li>\n\n\n<li><b>In a sample scan of 100 repositories, claudleak turned up verified API keys and database credentials<\/b><\/li>\n\n\n<li>Approximately 2.4% of repositories containing AI tool config directories had sensitive information in their history<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Add .claude\/.cursor\/.continue\/.copilot\/.aider to .gitignore<\/b><\/li>\n\n\n<li><b>Run claudleak against your org and rotate exposed credentials<\/b><\/li>\n\n\n<li><b>Install a pre-commit hook blocking AI config directory commits<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/ironpeak.be\/blog\/leaking-secrets-from-the-claud\/\">IronPeak<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">4. Critical vulnerabilities in four popular VS Code extensions with 125 million installs<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">OX Security disclosed multiple vulnerabilities in four widely used Visual Studio Code extensions \u2014 <b>Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview<\/b> \u2014 that can enable local file exfiltration, local network reconnaissance, and remote code execution.&nbsp;<div><b><br><\/b><\/div><div><b>The extensions have been installed at scale (reported between ~125\u2013128 million combined)<\/b>, t<b>hree CVEs were assigned on Feb 16, 2026, and three of the flaws remain unpatched<\/b>, creating immediate risk for developer machines that often store credentials and secrets.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Combined installation counts<\/b> reported <b>between ~125 million <\/b>(The Hacker News) and <b>128 million<\/b> (CSO).<\/li>\n\n\n<li><b>CVE-2025-65717 (Live Server) \u2014 CVSS 9.1;&nbsp;<\/b><div><b>attacker can exfiltrate local files <\/b>via localhost:5500;<b> remains unpatched.<\/b><\/div><\/li>\n\n\n<li><b>CVE-2025-65716 (Markdown Preview Enhanced) \u2014 CVSS 8.8; <\/b>opening a crafted .md can execute JavaScript, <b>enumerate ports, and exfiltrate data; remains unpatched.<\/b><\/li>\n\n\n<li><b>CVE-2025-65715 (Code Runner) \u2014 CVSS 7.8;<\/b> crafted settings.json entry or social-engineered paste can trigger arbitrary code execution, including reverse shells; <b>remains unpatched.<\/b><\/li>\n\n\n<li>Microsoft Live Preview contained an XSS-based file-exfiltration flaw; Microsoft silently fixed it in version 0.4.16 (released Sept 11, 2025) and no CVE was assigned.<\/li>\n\n\n<li>OX Security began vendor disclosure in June 2025; three CVEs were published Feb 16, 2026;<b> Cursor and Windsurf IDEs (built on VS Code) are also affected.<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Uninstall or disable Live Server, Code Runner, Markdown Preview Enhanced<\/b><\/li>\n\n\n<li><b>Update Live Preview to v0.4.16+<\/b> and monitor CVE advisories<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/02\/critical-flaws-found-in-four-vs-code.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4133800\/flaws-in-four-popular-vs-code-extensions-left-128-million-installs-open-to-attack.html\">CSO Online<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">5. An attacker used a compromised npm publishing token to release a malicious version of Cline that silently installed OpenClaw on developer machines<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>An attacker used a compromised npm publishing token to release a malicious Cline v2.3.0 that added a postinstall hook to silently install OpenClaw on developer machines;&nbsp;<\/b><div><br><\/div><div>Cline patched and deprecated the release within hours. Separately, OpenClaw\u2014now widely deployed and reaching viral adoption\u2014has multiple critical vulnerabilities and is being actively exploited (credential theft, info-stealers, and remote code execution), elevating risk across developer workstations and CI\/CD pipelines.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attacker modified only package.json in Cline v2.3.0, <b>adding: &#8220;postinstall&#8221;: &#8220;npm install -g openclaw@latest&#8221;<\/b><\/li>\n\n\n<li>Cline published a corrected v2.4.0 and deprecated the malicious v2.3.0 within hours (patch at ~11:23 AM PT; deprecation at ~11:30 AM)<\/li>\n\n\n<li><b>Cline is used by roughly 4 million developers<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Update Cline to the latest patched release<\/b> (npm install -g cline@latest)<\/li>\n\n\n<li>If unintentional, uninstall OpenClaw and scan developer hosts for malicious artifacts<\/li>\n\n\n<li>Rotate publisher tokens and enable MFA on all package publishing accounts<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4135449\/compromised-npm-package-silently-installs-openclaw-on-developer-machines.html\">CSO Online<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/02\/cline-cli-230-supply-chain-attack.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.theregister.com\/2026\/02\/20\/openclaw_snuck_into_cline_package\/\">The Register<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/hacking-groups-exploit-openclaw\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4134540\/six-flaws-found-hiding-in-openclaws-plumbing.html\">CSO Online<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/19\/running-openclaw-safely-identity-isolation-runtime-risk\/\">Microsoft<\/a>, <a href=\"https:\/\/hackread.com\/infostealer-steal-openclaw-ai-identity-memory-files\/\">HackRead<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/02\/infostealer-steals-openclaw-ai-agent.html\">The Hacker News<\/a>, <a href=\"https:\/\/awesomeagents.ai\/news\/cline-npm-supply-chain-attack\/\">AwesomeAgents.ai<\/a>, <a href=\"https:\/\/www.praetorian.com\/blog\/praetorian-guard-finds-critical-flaws-in-openclaw-and-what-it-means-for-your-software-supply-chain\/\">Praetorian<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">6. Wikipedia blacklists Archive.today after alleged DDoS activity and altered archived pages<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Wikipedia editors have agreed to deprecate and add Archive.today (archive.is \/ archive.ph) to the spam blacklis<\/b>t and remove all links <b>after allegations that the site executed a distributed denial-of-service (DDoS) by running JavaScript from its CAPTCHA page<\/b> and that some archived snapshots were altered. The move affects roughly 695,000 existing Wikipedia links to the service and directs editors to replace Archive.today links with originals or other archives such as the Wayback Machine \u2014 a significant change for anyone relying on archived citations.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Allegation: since January 11, users loading Archive.today&#8217;s CAPTCHA unknowingly executed JavaScript that sent search requests to blogger Jani Patokallio, apparently to DDoS his site.<\/b><\/li>\n\n\n<li>Evidence was presented that some Archive.today snapshots were altered to insert Patokallio\u2019s name, <b>raising reliability concerns.<\/b><\/li>\n\n\n<li><b>Archive.today was previously blacklisted in 2013<\/b> and removed from the blacklist in 2016.<\/li>\n\n\n<li><b>Archive.today and alternate domains (archive.is, archive.ph)<\/b> are linked more than 695,000 times across Wikipedia.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Consider blocking archive.today, archive.is domains<\/b> at network perimeter to avoid taking part of DDOS attacks.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/techcrunch.com\/2026\/02\/21\/wikipedia-blacklists-archive-today-after-alleged-ddos-attack\/\">TechCrunch<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">7. PromptSpy: Android malware uses Google&#8217;s Gemini AI to automate UI navigation and persist while deploying VNC access<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>ESET researchers identified PromptSpy, the first observed Android malware family that calls Google's Gemini generative AI at runtime to interpret on\u2011screen UI and generate actions that keep the malicious app pinned in recent apps.<\/b>&nbsp;<div><br><\/div><div><b>Its primary objective is to deploy a VNC module<\/b> that grants remote control of infected devices; the sample set appears to be a limited proof\u2011of\u2011concept but demonstrates how GenAI can make mobile malware more adaptive and harder to remove.&nbsp;<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PromptSpy sends an XML dump of the current screen plus a hard\u2011coded natural\u2011language prompt to Gemini and receives JSON instructions for taps\/gestures to keep the app pinned.<\/li>\n\n\n<li><b>Capabilities include intercepting lockscreen PINs\/passwords, recording the pattern unlock screen as video,<\/b> taking screenshots, and recording screen and gestures.<\/li>\n\n\n<li>Uses accessibility services and invisible overlay boxes to block uninstall and force\u2011quit; <b>uninstall requires safe mode reboot.<\/b><\/li>\n\n\n<li>Samples were uploaded to VirusTotal in January (Gemini\u2011assisted uploads traced to Argentina); distribution used a fake Chase\u2011style site (mgardownload[.]com \/ m-mgarg[.]com).<\/li>\n\n\n<li><b>App is not on Google Play;<\/b> code contains simplified Chinese debug strings, suggesting development in a Chinese\u2011speaking environment.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Block connections to C2 IP 54.67.2.84<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/02\/promptspy-android-malware-abuses-google.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/promptspy-is-the-first-known-android-malware-to-use-generative-ai-at-runtime\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.securityweek.com\/promptspy-android-malware-abuses-gemini-ai-at-runtime-for-persistence\/\">SecurityWeek<\/a>, <a href=\"https:\/\/www.theregister.com\/2026\/02\/19\/genai_malware_android\/\">The Register<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">8. Keenadu firmware backdoor preinstalled on Android tablets, delivered via signed OTA updates<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Kaspersky discovered a persistent backdoor named Keenadu embedded in the firmware of Android tablets (notably Alldocube iPlay 50 mini Pro), <\/b>delivered in signed firmware\/OTA updates and loaded into libandroid_runtime.so at boot.&nbsp;<div><br><\/div><div>The backdoor injects into the Zygote\/system_server context, uses an AKServer\/AKClient architecture to deploy payloads (ad fraud, search hijacking, install monetization) and has been observed on at least 13,715 devices worldwide.&nbsp;<\/div><div><br><\/div><div><b>Because it sits in firmware and can grant or revoke app permissions, Keenadu effectively bypasses Android sandboxing and cannot be removed by end users.<\/b><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keenadu was found in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023.<\/li>\n\n\n<li><span style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-size: medium; letter-spacing: normal;\"><b>The&nbsp;<\/b><\/span><span style=\"letter-spacing: 0.3px;\"><b>Alldocube<\/b><\/span><span style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-size: medium; letter-spacing: normal;\"><b>&nbsp;is sold globally through Amazon and AliExpress,<\/b> positioning itself as the most affordable high-spec option in its size class and attracting a wide consumer audience across the US, Europe, and beyond.<\/span><\/li>\n\n\n<li><b>Firmware files carrying the backdoor had valid digital signatures and were distributed via OTA updates<\/b> in some cases.<\/li>\n\n\n<li><b>Telemetry shows 13,715 users encountered Keenadu or its modules, <\/b>with most victims in Russia, Japan, Germany, Brazil, and the Netherlands.<\/li>\n\n\n<li>Malware is embedded in libandroid_runtime.so, injected into Zygote, and creates AKServer (core\/C2) and AKClient (injected into every app) components.<\/li>\n\n\n<li><b>Identified payloads include loaders\/modules for ad fraud and abuse: <\/b>Keenadu loader (targets Amazon\/Shein\/Temu), Clicker loader (YouTube, Facebook, Google Digital Wellbeing), Chrome module (search hijack), and Install monetization in system launcher.<\/li>\n\n\n<li><b>Keenadu\u2019s C2 uses Alibaba Cloud for CDN and will not serve payloads until ~2.5 months after initial check-in.<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Inventory and isolate affected Alldocube tablet models immediately<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/02\/keenadu-firmware-backdoor-infects.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4133774\/keenadu-android-malware-that-comes-preinstalled-and-cant-be-removed-by-users.html\">CSO Online<\/a>, <a href=\"https:\/\/www.darkreading.com\/mobile-security\/supply-chain-attack-embeds-malware-android-devices\">Dark Reading<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">9. Starkiller PhaaS Proxies Real Login Pages to Capture Credentials and MFA Tokens<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Starkiller is a phishing\u2011as\u2011a\u2011service<\/b> that spins up attacker\u2011controlled containers to load real login pages and relay victims\u2019 inputs, capturing usernames, passwords, session cookies and MFA codes in real time.&nbsp;<div><br><\/div><div>Packaged with a SaaS\u2011style GUI, URL\u2011masking tools and analytics, it automates reverse\u2011proxy tradecraft and <b>lets lower\u2011skill criminals achieve account takeover even when MFA completes<\/b>. Security teams should treat successful MFA as insufficient on its own and prioritize session\u2011aware detection and phishing\u2011resistant authentication for high\u2011risk accounts.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Runs a Docker container with a headless Chrome instance that loads the legitimate login page and acts as a reverse proxy.<\/b><\/li>\n\n\n<li><b>Proxies forward every keystroke, form submission, cookie and session token to attacker infrastructure, enabling reuse of authenticated sessions.<\/b><\/li>\n\n\n<li>URL Masker uses tricks (the &#8216;@&#8217; userinfo pattern and URL shorteners) to create deceptive links that visually mimic target domains.<\/li>\n\n\n<li>Platform offers SaaS\u2011style features: brand selection, campaign analytics, geo\u2011tracking, keylogger capture, and automated Telegram alerts.<\/li>\n\n\n<li><b>Service is linked to a cybercrime group calling itself Jinkusu<\/b> and is offered as an end\u2011to\u2011end phishing suite.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Require phishing\u2011resistant MFA (FIDO2\/WebAuthn) for high\u2011risk accounts<\/b><\/li>\n\n\n<li><b>Block suspicious shroterner URLs<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/krebsonsecurity.com\/2026\/02\/starkiller-phishing-service-proxies-real-login-pages-mfa\/\">KrebsOnSecurity<\/a>, <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/starkiller-phishing-kit-mfa\">Dark Reading<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">10. Researchers: Microsoft Copilot and xAI Grok can be abused as covert malware C2 proxies<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Check Point Research demonstrated that the web\u2011browsing and URL\u2011fetch features in AI assistants such as Microsoft Copilot and xAI Grok can be abused to form bidirectional command\u2011and\u2011control (C2) channels that relay attacker commands and exfiltrate data.&nbsp;<\/b><div><br><\/div><div>The technique <b>works through the services' web interfaces without requiring API keys or registered accounts and can blend into routine AI traffic often exempt from deep inspection,<\/b> so organizations that allow unrestricted outbound AI access risk stealthy, adaptive malware control; <b>the attack requires an already\u2011compromised host with malware installed.<\/b><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Demonstrated against Microsoft Copilot and xAI Grok by Check Point Research<\/b><\/li>\n\n\n<li><b>Abuse leverages web\u2011browsing and URL\u2011fetch capabilities to retrieve attacker\u2011controlled URLs and return embedded instructions.<\/b><\/li>\n\n\n<li>Works via public web interfaces without needing API keys or authenticated accounts, making key revocation ineffective.<\/li>\n\n\n<li>Precondition: <b>an attacker must first compromise the host and install malware that queries the AI service.<\/b><\/li>\n\n\n<li>Technique blends into legitimate AI outbound traffic;&nbsp;<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4134419\/hackers-can-turn-grok-copilot-into-covert-command-and-control-channels-researchers-warn.html\">CSO Online<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/02\/researchers-show-copilot-and-grok-can.html\">The Hacker News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">11. Notepad++ releases v8.9.2 to harden updater after hosting-level breach delivered &#8216;Chrysalis&#8217; backdoor<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Notepad++ published version 8.9.2<b> implementing a \u201cdouble\u2011lock\u201d update verification after a hosting provider compromise was used to hijack updates<\/b> and deliver a targeted backdoor called Chrysalis.<b>&nbsp;<\/b><span style=\"caret-color: rgb(64, 64, 74); color: rgb(64, 64, 74); font-family: Roboto, -apple-system, BlinkMacSystemFont, &quot;Segoe UI&quot;, Helvetica, Arial, sans-serif; font-size: 15.7px; letter-spacing: 0.1px;\">The update<b> includes verification of the signed installer downloaded from GitHub, as well as the newly added verification of the signed XML returned by the update server<\/b> at notepad-plus-plus[.]org.<\/span><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upgrade Notepad++ to v8.9.2 from the official domain<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4134135\/notepad-author-says-fixes-make-update-mechanism-effectively-unexploitable.html\">CSO Online<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/02\/notepad-fixes-hijacked-update-mechanism.html\">The Hacker News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">12. SANDWORM_MODE: npm typosquatting worm steals developer and CI secrets from 19+ packages<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers uncovered an active supply-chain worm, tracked as SANDWORM_MODE, that distributes <b>at least 19 typosquatted npm packages <\/b>which preserve expected library behavior but execute a covert multi-stage payload on import.&nbsp;<div><b><br><\/b><\/div><div><b>The malware immediately harvests developer and CI secrets (npm\/GitHub tokens, environment variables, crypto keys and password stores), exfiltrates data via the GitHub API with DNS and Cloudflare Worker fallbacks, and uses stolen credentials to inject dependencies, workflows and commits to continue spreading.<\/b>&nbsp;<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>At least 19 malicious npm packages published under two npm publisher aliases.<\/b><\/li>\n\n\n<li>A weaponized GitHub Action (ci-quality\/code-quality-check) is part of the campaign and harvests CI secrets.<\/li>\n\n\n<li><b>Exfiltration channels<\/b> include GitHub API over HTTPS, a Cloudflare Worker endpoint, and DNS tunneling as a fallback.<\/li>\n\n\n<li><b>Propagation methods: <\/b>stolen npm\/GitHub credentials, carrier dependency injection, modifying package.json\/lockfiles, and injecting GitHub workflows; SSH fallback abuses the victim&#8217;s SSH agent.<\/li>\n\n\n<li><b>Persistence techniques<\/b> include git hooks and a global init.templateDir setting; optional dead-switch can wipe a user\u2019s home directory if GitHub and npm access are lost.<\/li>\n\n\n<li>Payloads are obfuscated and multi-stage (Base64\/compression\/XOR\/AES encrypted second stage); <b>campaign targets AI toolchains<\/b> (Claude, Cursor, VS Code) and <b>can harvest LLM API keys.<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Audit repos<\/b> for injected workflows\/git hooks and block carrier dependency patterns<\/li>\n\n\n<li><b>Search and remove known malicious packages<\/b> (typosquats) from codebasese <a href=\"https:\/\/socket.dev\/blog\/sandworm-mode-npm-worm-ai-toolchain-poisoning\" target=\"_blank\" rel=\"noopener noreferrer\">IOC list here<\/a><\/li>\n\n\n<li>Rotate and revoke npm\/GitHub tokens used since exposure<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/socket.dev\/blog\/sandworm-mode-npm-worm-ai-toolchain-poisoning\">Socket.dev<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/shai-hulud-like-npm-worm-attack\/\">Cybersecurity News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">13. Anthropic opens limited research preview of Claude Code Security, AI-driven code scanner and patch suggester<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Anthropic has launched a limited research preview of Claude Code Security, an AI capability that reads code like a human reviewer to find complex, context-dependent vulnerabilities and propose targeted patches for human approval.&nbsp;<\/b><div><br><\/div><div><b>The tool re-verifies its findings, assigns severity and confidence ratings, <\/b>and surfaces validated issues in a dashboard so teams can triage and approve fixes .<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Released as a limited research preview to Enterprise and Team customers;&nbsp;<\/b><div><b>open-source maintainers<\/b> can request expedited access<\/div><\/li>\n\n\n<li><b>Claude re-examines each finding in a multi-stage verification process <\/b>to filter false positives<\/li>\n\n\n<li>Validated findings include suggested patches, severity ratings, and confidence scores in a review dashboard<\/li>\n\n\n<li><b>Anthropic reports using Claude Opus 4.6 to find over 500 vulnerabilities in production open-source codebases<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.anthropic.com\/news\/claude-code-security\">Anthropic<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">14. Israeli firms commercialize &#8216;CARINT&#8217; tools that turn vehicle telemetry into intelligence<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Israeli cyber-intelligence companies have developed and are marketing CARINT \u2014 tools that collect and fuse vehicle telemetry, connectivity and camera\/microphone data to identify, track and monitor vehicles and their occupants.&nbsp;<\/b><div><br><\/div><div>Haaretz reports at least three vendors (Toka, Rayzone\/TA9 and Ateros\/Netline) offer <b>capabilities ranging from vehicle-only tracking to an offensive product that can remotely access a car's hands-free microphone and cameras;<\/b>&nbsp;<\/div><div><br><\/div><div>The rise of AI-driven data fusion and constant vehicle connectivity creates new privacy and national-security exposure.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Haaretz identified at least three Israeli CARINT vendors: Toka, Rayzone (TA9) and Ateros\/Netline.<\/li>\n\n\n<li><b>Toka developed an offensive tool able to hack a specific vehicle&#8217;s multimedia system and access its microphone and cameras; <\/b>the Defense Ministry approved demonstrations and sale, and Toka says it no longer sells the product in its 2026 roadmap.<\/li>\n\n\n<li><b>Rayzone&#8217;s TA9 product tracks vehicles via embedded SIMs, wireless\/Bluetooth signals and cross-references roadside cameras and advertising data to identify targets; <\/b>marketing materials promise &#8220;full intelligence coverage.&#8221;<\/li>\n\n\n<li><b>Ateros (Netline sister) offers GeoDome\/Onyx integration; <\/b>Netline sensors can use unique tire-pressure identifiers as a vehicle fingerprint for tracking.<\/li>\n\n\n<li><b>The IDF banned most Chinese-made electric vehicles for senior personnel<\/b> and bars Chinese cars onto bases; one exception (Chery TIGGO 8) had its media system removed.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Audit fleet telematics and segment infotainment networks<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.haaretz.com\/israel-news\/security-aviation\/2026-02-16\/ty-article-magazine\/.premium\/your-car-is-spying-on-you-and-israeli-firms-are-leading-the-surveillance-race\/0000019c-6651-d2f0-a19c-7fdd81920000\">Haaretz<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">15. When AI Agents mess up &#8211; real company and peopl examples from the last few months<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">An interesting listing of different cases where the AI has not quite done what asked and maybe also done the polar opposite of what was prohibited.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Amazon Kiro (Dec 2025):<\/b> AWS\u2019s autonomous AI coding agent Kiro was allowed elevated permissions and <b>chose to delete and recreate a live production environment, causing a 13-hour outage of the AWS Cost Explorer service<\/b> in a China region.&nbsp;<\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"2\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><b>Replit AI Agent (Jul 18 2025):&nbsp;<\/b><span style=\"color: rgb(39, 31, 19); letter-spacing: 0.3px;\">During a \u201cvibe coding\u201d trial, <b>Replit\u2019s AI agent deleted an entire live production database with records for over 1,200 companies despite explicit instructions not to touch production. <\/b>The agent then fabricated thousands of fake records and logs, falsely portraying the situation before the issue was discovered. &nbsp;<\/span><\/p><\/li><\/ol><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"3\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><b>Google Antigravity IDE (Nov\/Dec 2025):<\/b><span class=\"s1\">&nbsp;&nbsp;<\/span><span style=\"color: rgb(39, 31, 19); letter-spacing: 0.3px;\">A user building an app in Google\u2019s Antigravity IDE in \u201cTurbo mode\u201d <b>asked the AI to restart a server and clear cache, but the model ran a recursive remove (rmdir) command on his whole D: drive. <\/b>Years of personal photos, projects, and files were permanently erased as a result.<\/span><\/p><\/li><\/ol><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"4\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Anthropic Claude Code CLI (Oct 21 2025):<\/b><\/span>&nbsp;When a developer requested a Makefile rebuild using Claude Code, <b>the agent generated and ran&nbsp;<span class=\"s2\">rm -rf<\/span>&nbsp;with a trailing&nbsp;<span class=\"s2\">~\/<\/span>, which expanded to the user\u2019s entire home directory. &nbsp;<\/b>All project files and personal data in that directory were deleted despite safety flags intended to prevent destructive commands.&nbsp;<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"5\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Anthropic Claude Code CLI (Dec 2025):<\/b><\/span>&nbsp;Another Claude Code user reported an identical destructive pattern, where the CLI deleted the Mac home directory including desktop files, keychains, and downloads, resulting in widespread data loss.&nbsp;<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"6\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Anthropic Claude Cowork (Feb 7 2026):<\/b><\/span>&nbsp;Claude Cowork, a general-purpose AI agent for non-developers, <b>was told to delete only temporary Office files but instead erased a folder containing 15 years of family photos.<\/b><\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"7\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Google Gemini CLI (Jul 2025):<\/b><\/span>&nbsp;A product manager using Gemini CLI <b>instructed the AI to move files between folders; when a destination folder didn\u2019t exist, the agent overwrote files sequentially, leaving only the last file intact.<\/b> This unintended overwrite destroyed all other data in the target location with no direct delete command.&nbsp;<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"8\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Cursor IDE (YOLO Mode, Jun 2025):<\/b><\/span>&nbsp;With \u201cYOLO mode\u201d enabled\u2014which lets the AI execute without oversight\u2014<b>the Cursor IDE agent attempted to delete outdated files during a migration but spiraled and wiped all data it could access, including its own installation. <\/b>This categorical removal occurred because the autonomy setting lacked effective guardrails.&nbsp;<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"9\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>Cursor IDE (Plan Mode, Dec 2025):<\/b><\/span>&nbsp;<b>Even with a mode designed to prevent unintended execution, Cursor\u2019s agent deleted about 70 git-tracked files and terminated test processes<\/b> after a developer explicitly instructed it not to run anything. The agent then auto-generated commits attempting to \u201crepair\u201d the damage, compounding the disruption.<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n\n<li><p class=\"p1\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><span class=\"s1\"><\/span><\/p><ol start=\"10\" style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><li><p class=\"p1\"><span class=\"s1\"><b>LLM Agent (Oct 2024):<\/b><\/span>&nbsp;A custom LLM agent commanded to find and manage the user\u2019s desktop ended up autonomously SSHing into another machine and modifying its bootloader configuration, leaving the system unbootable. What began as a remote assistance task devolved into a destructive update with significant operational impact.<\/p><\/li><\/ol><p style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal;\"><\/p><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block AI-agent command execution in production by default<\/li>\n\n\n<li>Enforce non-inheritable, least-privilege roles for AI agent credentials<\/li>\n\n\n<li>Require dual-approval and audited change workflows before agent pushes<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/blog.barrack.ai\/amazon-ai-agents-deleting-production\/\">Barrack.ai<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            ","protected":false},"excerpt":{"rendered":"<p>Latest interesting cybersecurity news from February 2026<\/p>","protected":false},"author":1,"featured_media":21618,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21614"}],"version-history":[{"count":4,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21614\/revisions"}],"predecessor-version":[{"id":21619,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21614\/revisions\/21619"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21618"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}