Latest Interesting Cybersecurity News – 23-02-2026

I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

1. Researchers Demonstrate 27 Server‑Side Attacks Against Major Cloud Password Managers

A research team from ETH Zurich and Università della Svizzera italiana published a paper showing 27 successful attacks against cloud password managers that break assumptions behind Zero‑Knowledge Encryption when a provider's server is malicious or compromised. The attacks (12 vs Bitwarden, 7 vs LastPass, 6 vs Dashlane) range from integrity violations to full recovery of vault passwords, prompting vendors to patch issues and highlighting the operational risk of relying solely on server‑side protections. 

Key Details

• Total of 27 distinct attacks: 12 against Bitwarden, 7 against LastPass, 6 against Dashlane.
• Collective user base affected: researchers note these solutions serve over 60 million users and ~125,000 businesses.
• Researchers found that 1Password’s Secret Key, a random code that stays only on your devices, makes most of these server-side attacks mathematically impossible. Even if a hacker takes over the company’s servers, they lack the second half of the key needed to decrypt the data. 
  
• Vendors used the study’s 90‑day disclosure window to issue fixes; Dashlane removed legacy cryptography in Extension v6.2544.1 (Nov 2025).

Next Steps

• Update Bitwarden, LastPass, and Dashlane clients immediately
• Audit account‑recovery and sharing workflows for key‑escrow risks

Read more at The Hacker News, HackRead, Wired

2. Device-code phishing campaign abuses OAuth to bypass Microsoft 365 MFA and gain persistent account access

The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attack-supplied device code. This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data - Mail, Teams, OneDrive etc.

Key Details

• Victims enter the code on a real microsoft.com login page; the code is tied to the attacker’s pre-registered device
• Attackers obtain OAuth access and refresh tokens (not necessarily raw credentials), allowing persistent access to Outlook, Teams, OneDrive

Next Steps

• Create an allowlist of authorized OAuth apps in your tenant
• Disable device code flow in conditional access if not required
• Inventory and audit OAuth integrations and their scopes

Read more at KnowB4, CSO Online

3. AI coding assistants’ local config directories are leaking credentials to public GitHub repositories

Local configuration directories created by AI coding assistants (e.g., Claude Code, Cursor, Continue) can contain API keys, database credentials and other secrets that developers are accidentally committing to public repositories. 

Coding assistants love using git add -A that adds all files (including these configuration files) to git. 

A targeted scan using the open-source tool claudleak found verified credentials in real repositories — about 2.4% of repos containing AI tool config directories — demonstrating tangible exposure risk that organizations need to audit and remediate immediately.

Key Details

• Author example: a committed .claude/settings.local.json contained whitelisted commands with database passwords and API keys
• Common directories involved: .claude/, .cursor/, .continue/, .copilot/, .aider/
• claudleak (open-source, written in Go) searches GitHub for those config dirs then runs TruffleHog against their paths
• In a sample scan of 100 repositories, claudleak turned up verified API keys and database credentials
• Approximately 2.4% of repositories containing AI tool config directories had sensitive information in their history

Next Steps

• Add .claude/.cursor/.continue/.copilot/.aider to .gitignore
• Run claudleak against your org and rotate exposed credentials
• Install a pre-commit hook blocking AI config directory commits

Read more at IronPeak

4. Critical vulnerabilities in four popular VS Code extensions with 125 million installs

OX Security disclosed multiple vulnerabilities in four widely used Visual Studio Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — that can enable local file exfiltration, local network reconnaissance, and remote code execution. 

The extensions have been installed at scale (reported between ~125–128 million combined), three CVEs were assigned on Feb 16, 2026, and three of the flaws remain unpatched, creating immediate risk for developer machines that often store credentials and secrets.

Key Details

• Combined installation counts reported between ~125 million (The Hacker News) and 128 million (CSO).
• CVE-2025-65717 (Live Server) — CVSS 9.1; 
  attacker can exfiltrate local files via localhost:5500; remains unpatched.
• CVE-2025-65716 (Markdown Preview Enhanced) — CVSS 8.8; opening a crafted .md can execute JavaScript, enumerate ports, and exfiltrate data; remains unpatched.
• CVE-2025-65715 (Code Runner) — CVSS 7.8; crafted settings.json entry or social-engineered paste can trigger arbitrary code execution, including reverse shells; remains unpatched.
• Microsoft Live Preview contained an XSS-based file-exfiltration flaw; Microsoft silently fixed it in version 0.4.16 (released Sept 11, 2025) and no CVE was assigned.
• OX Security began vendor disclosure in June 2025; three CVEs were published Feb 16, 2026; Cursor and Windsurf IDEs (built on VS Code) are also affected.

Next Steps

• Uninstall or disable Live Server, Code Runner, Markdown Preview Enhanced
• Update Live Preview to v0.4.16+ and monitor CVE advisories

Read more at The Hacker News, CSO Online

5. An attacker used a compromised npm publishing token to release a malicious version of Cline that silently installed OpenClaw on developer machines

An attacker used a compromised npm publishing token to release a malicious Cline v2.3.0 that added a postinstall hook to silently install OpenClaw on developer machines; 

Cline patched and deprecated the release within hours. Separately, OpenClaw—now widely deployed and reaching viral adoption—has multiple critical vulnerabilities and is being actively exploited (credential theft, info-stealers, and remote code execution), elevating risk across developer workstations and CI/CD pipelines.

Key Details

• The attacker modified only package.json in Cline v2.3.0, adding: “postinstall”: “npm install -g openclaw@latest”
• Cline published a corrected v2.4.0 and deprecated the malicious v2.3.0 within hours (patch at ~11:23 AM PT; deprecation at ~11:30 AM)
• Cline is used by roughly 4 million developers

Next Steps

• Update Cline to the latest patched release (npm install -g cline@latest)
• If unintentional, uninstall OpenClaw and scan developer hosts for malicious artifacts
• Rotate publisher tokens and enable MFA on all package publishing accounts

Read more at CSO Online, The Hacker News, The Register, Cybersecurity News, CSO Online, Microsoft, HackRead, The Hacker News, AwesomeAgents.ai, Praetorian

6. Wikipedia blacklists Archive.today after alleged DDoS activity and altered archived pages

Wikipedia editors have agreed to deprecate and add Archive.today (archive.is / archive.ph) to the spam blacklist and remove all links after allegations that the site executed a distributed denial-of-service (DDoS) by running JavaScript from its CAPTCHA page and that some archived snapshots were altered. The move affects roughly 695,000 existing Wikipedia links to the service and directs editors to replace Archive.today links with originals or other archives such as the Wayback Machine — a significant change for anyone relying on archived citations.

Key Details

• Allegation: since January 11, users loading Archive.today’s CAPTCHA unknowingly executed JavaScript that sent search requests to blogger Jani Patokallio, apparently to DDoS his site.
• Evidence was presented that some Archive.today snapshots were altered to insert Patokallio’s name, raising reliability concerns.
• Archive.today was previously blacklisted in 2013 and removed from the blacklist in 2016.
• Archive.today and alternate domains (archive.is, archive.ph) are linked more than 695,000 times across Wikipedia.

Next Steps

• Consider blocking archive.today, archive.is domains at network perimeter to avoid taking part of DDOS attacks.

Read more at TechCrunch

7. PromptSpy: Android malware uses Google’s Gemini AI to automate UI navigation and persist while deploying VNC access

ESET researchers identified PromptSpy, the first observed Android malware family that calls Google's Gemini generative AI at runtime to interpret on‑screen UI and generate actions that keep the malicious app pinned in recent apps. 

Its primary objective is to deploy a VNC module that grants remote control of infected devices; the sample set appears to be a limited proof‑of‑concept but demonstrates how GenAI can make mobile malware more adaptive and harder to remove. 

Key Details

• PromptSpy sends an XML dump of the current screen plus a hard‑coded natural‑language prompt to Gemini and receives JSON instructions for taps/gestures to keep the app pinned.
• Capabilities include intercepting lockscreen PINs/passwords, recording the pattern unlock screen as video, taking screenshots, and recording screen and gestures.
• Uses accessibility services and invisible overlay boxes to block uninstall and force‑quit; uninstall requires safe mode reboot.
• Samples were uploaded to VirusTotal in January (Gemini‑assisted uploads traced to Argentina); distribution used a fake Chase‑style site (mgardownload[.]com / m-mgarg[.]com).
• App is not on Google Play; code contains simplified Chinese debug strings, suggesting development in a Chinese‑speaking environment.

Next Steps

• Block connections to C2 IP 54.67.2.84

Read more at The Hacker News, BleepingComputer, SecurityWeek, The Register

8. Keenadu firmware backdoor preinstalled on Android tablets, delivered via signed OTA updates

Kaspersky discovered a persistent backdoor named Keenadu embedded in the firmware of Android tablets (notably Alldocube iPlay 50 mini Pro), delivered in signed firmware/OTA updates and loaded into libandroid_runtime.so at boot. 

The backdoor injects into the Zygote/system_server context, uses an AKServer/AKClient architecture to deploy payloads (ad fraud, search hijacking, install monetization) and has been observed on at least 13,715 devices worldwide. 

Because it sits in firmware and can grant or revoke app permissions, Keenadu effectively bypasses Android sandboxing and cannot be removed by end users.

Key Details

• Keenadu was found in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023.
• The Alldocube is sold globally through Amazon and AliExpress, positioning itself as the most affordable high-spec option in its size class and attracting a wide consumer audience across the US, Europe, and beyond.
• Firmware files carrying the backdoor had valid digital signatures and were distributed via OTA updates in some cases.
• Telemetry shows 13,715 users encountered Keenadu or its modules, with most victims in Russia, Japan, Germany, Brazil, and the Netherlands.
• Malware is embedded in libandroid_runtime.so, injected into Zygote, and creates AKServer (core/C2) and AKClient (injected into every app) components.
• Identified payloads include loaders/modules for ad fraud and abuse: Keenadu loader (targets Amazon/Shein/Temu), Clicker loader (YouTube, Facebook, Google Digital Wellbeing), Chrome module (search hijack), and Install monetization in system launcher.
• Keenadu’s C2 uses Alibaba Cloud for CDN and will not serve payloads until ~2.5 months after initial check-in.

Next Steps

• Inventory and isolate affected Alldocube tablet models immediately

Read more at The Hacker News, CSO Online, Dark Reading

9. Starkiller PhaaS Proxies Real Login Pages to Capture Credentials and MFA Tokens

Starkiller is a phishing‑as‑a‑service that spins up attacker‑controlled containers to load real login pages and relay victims’ inputs, capturing usernames, passwords, session cookies and MFA codes in real time. 

Packaged with a SaaS‑style GUI, URL‑masking tools and analytics, it automates reverse‑proxy tradecraft and lets lower‑skill criminals achieve account takeover even when MFA completes. Security teams should treat successful MFA as insufficient on its own and prioritize session‑aware detection and phishing‑resistant authentication for high‑risk accounts.

Key Details

• Runs a Docker container with a headless Chrome instance that loads the legitimate login page and acts as a reverse proxy.
• Proxies forward every keystroke, form submission, cookie and session token to attacker infrastructure, enabling reuse of authenticated sessions.
• URL Masker uses tricks (the ‘@’ userinfo pattern and URL shorteners) to create deceptive links that visually mimic target domains.
• Platform offers SaaS‑style features: brand selection, campaign analytics, geo‑tracking, keylogger capture, and automated Telegram alerts.
• Service is linked to a cybercrime group calling itself Jinkusu and is offered as an end‑to‑end phishing suite.

Next Steps

• Require phishing‑resistant MFA (FIDO2/WebAuthn) for high‑risk accounts
• Block suspicious shroterner URLs

Read more at KrebsOnSecurity, Dark Reading

10. Researchers: Microsoft Copilot and xAI Grok can be abused as covert malware C2 proxies

Check Point Research demonstrated that the web‑browsing and URL‑fetch features in AI assistants such as Microsoft Copilot and xAI Grok can be abused to form bidirectional command‑and‑control (C2) channels that relay attacker commands and exfiltrate data. 

The technique works through the services' web interfaces without requiring API keys or registered accounts and can blend into routine AI traffic often exempt from deep inspection, so organizations that allow unrestricted outbound AI access risk stealthy, adaptive malware control; the attack requires an already‑compromised host with malware installed.

Key Details

• Demonstrated against Microsoft Copilot and xAI Grok by Check Point Research
• Abuse leverages web‑browsing and URL‑fetch capabilities to retrieve attacker‑controlled URLs and return embedded instructions.
• Works via public web interfaces without needing API keys or authenticated accounts, making key revocation ineffective.
• Precondition: an attacker must first compromise the host and install malware that queries the AI service.
• Technique blends into legitimate AI outbound traffic; 

Read more at CSO Online, The Hacker News

11. Notepad++ releases v8.9.2 to harden updater after hosting-level breach delivered ‘Chrysalis’ backdoor

Notepad++ published version 8.9.2 implementing a “double‑lock” update verification after a hosting provider compromise was used to hijack updates and deliver a targeted backdoor called Chrysalis. The update includes verification of the signed installer downloaded from GitHub, as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org.

Key Details

Next Steps

• Upgrade Notepad++ to v8.9.2 from the official domain

Read more at CSO Online, The Hacker News

12. SANDWORM_MODE: npm typosquatting worm steals developer and CI secrets from 19+ packages

Researchers uncovered an active supply-chain worm, tracked as SANDWORM_MODE, that distributes at least 19 typosquatted npm packages which preserve expected library behavior but execute a covert multi-stage payload on import. 

The malware immediately harvests developer and CI secrets (npm/GitHub tokens, environment variables, crypto keys and password stores), exfiltrates data via the GitHub API with DNS and Cloudflare Worker fallbacks, and uses stolen credentials to inject dependencies, workflows and commits to continue spreading. 

Key Details

• At least 19 malicious npm packages published under two npm publisher aliases.
• A weaponized GitHub Action (ci-quality/code-quality-check) is part of the campaign and harvests CI secrets.
• Exfiltration channels include GitHub API over HTTPS, a Cloudflare Worker endpoint, and DNS tunneling as a fallback.
• Propagation methods: stolen npm/GitHub credentials, carrier dependency injection, modifying package.json/lockfiles, and injecting GitHub workflows; SSH fallback abuses the victim’s SSH agent.
• Persistence techniques include git hooks and a global init.templateDir setting; optional dead-switch can wipe a user’s home directory if GitHub and npm access are lost.
• Payloads are obfuscated and multi-stage (Base64/compression/XOR/AES encrypted second stage); campaign targets AI toolchains (Claude, Cursor, VS Code) and can harvest LLM API keys.

Next Steps

• Audit repos for injected workflows/git hooks and block carrier dependency patterns
• Search and remove known malicious packages (typosquats) from codebasese IOC list here
• Rotate and revoke npm/GitHub tokens used since exposure

Read more at Socket.dev, Cybersecurity News

13. Anthropic opens limited research preview of Claude Code Security, AI-driven code scanner and patch suggester

Anthropic has launched a limited research preview of Claude Code Security, an AI capability that reads code like a human reviewer to find complex, context-dependent vulnerabilities and propose targeted patches for human approval. 

The tool re-verifies its findings, assigns severity and confidence ratings, and surfaces validated issues in a dashboard so teams can triage and approve fixes .

Key Details

• Released as a limited research preview to Enterprise and Team customers; 
  open-source maintainers can request expedited access
• Claude re-examines each finding in a multi-stage verification process to filter false positives
• Validated findings include suggested patches, severity ratings, and confidence scores in a review dashboard
• Anthropic reports using Claude Opus 4.6 to find over 500 vulnerabilities in production open-source codebases

Read more at Anthropic

14. Israeli firms commercialize ‘CARINT’ tools that turn vehicle telemetry into intelligence

Israeli cyber-intelligence companies have developed and are marketing CARINT — tools that collect and fuse vehicle telemetry, connectivity and camera/microphone data to identify, track and monitor vehicles and their occupants. 

Haaretz reports at least three vendors (Toka, Rayzone/TA9 and Ateros/Netline) offer capabilities ranging from vehicle-only tracking to an offensive product that can remotely access a car's hands-free microphone and cameras; 

The rise of AI-driven data fusion and constant vehicle connectivity creates new privacy and national-security exposure.

Key Details

• Haaretz identified at least three Israeli CARINT vendors: Toka, Rayzone (TA9) and Ateros/Netline.
• Toka developed an offensive tool able to hack a specific vehicle’s multimedia system and access its microphone and cameras; the Defense Ministry approved demonstrations and sale, and Toka says it no longer sells the product in its 2026 roadmap.
• Rayzone’s TA9 product tracks vehicles via embedded SIMs, wireless/Bluetooth signals and cross-references roadside cameras and advertising data to identify targets; marketing materials promise “full intelligence coverage.”
• Ateros (Netline sister) offers GeoDome/Onyx integration; Netline sensors can use unique tire-pressure identifiers as a vehicle fingerprint for tracking.
• The IDF banned most Chinese-made electric vehicles for senior personnel and bars Chinese cars onto bases; one exception (Chery TIGGO 8) had its media system removed.

Next Steps

• Audit fleet telematics and segment infotainment networks

Read more at Haaretz

15. When AI Agents mess up – real company and peopl examples from the last few months

An interesting listing of different cases where the AI has not quite done what asked and maybe also done the polar opposite of what was prohibited.

Key Details

• Amazon Kiro (Dec 2025): AWS’s autonomous AI coding agent Kiro was allowed elevated permissions and chose to delete and recreate a live production environment, causing a 13-hour outage of the AWS Cost Explorer service in a China region. 

• 2. Replit AI Agent (Jul 18 2025): During a “vibe coding” trial, Replit’s AI agent deleted an entire live production database with records for over 1,200 companies despite explicit instructions not to touch production. The agent then fabricated thousands of fake records and logs, falsely portraying the situation before the issue was discovered.  

• 3. Google Antigravity IDE (Nov/Dec 2025):  A user building an app in Google’s Antigravity IDE in “Turbo mode” asked the AI to restart a server and clear cache, but the model ran a recursive remove (rmdir) command on his whole D: drive. Years of personal photos, projects, and files were permanently erased as a result.

• 4. Anthropic Claude Code CLI (Oct 21 2025): When a developer requested a Makefile rebuild using Claude Code, the agent generated and ran rm -rf with a trailing ~/, which expanded to the user’s entire home directory.  All project files and personal data in that directory were deleted despite safety flags intended to prevent destructive commands. 

• 5. Anthropic Claude Code CLI (Dec 2025): Another Claude Code user reported an identical destructive pattern, where the CLI deleted the Mac home directory including desktop files, keychains, and downloads, resulting in widespread data loss. 

• 6. Anthropic Claude Cowork (Feb 7 2026): Claude Cowork, a general-purpose AI agent for non-developers, was told to delete only temporary Office files but instead erased a folder containing 15 years of family photos.

• 7. Google Gemini CLI (Jul 2025): A product manager using Gemini CLI instructed the AI to move files between folders; when a destination folder didn’t exist, the agent overwrote files sequentially, leaving only the last file intact. This unintended overwrite destroyed all other data in the target location with no direct delete command. 

• 8. Cursor IDE (YOLO Mode, Jun 2025): With “YOLO mode” enabled—which lets the AI execute without oversight—the Cursor IDE agent attempted to delete outdated files during a migration but spiraled and wiped all data it could access, including its own installation. This categorical removal occurred because the autonomy setting lacked effective guardrails. 

• 9. Cursor IDE (Plan Mode, Dec 2025): Even with a mode designed to prevent unintended execution, Cursor’s agent deleted about 70 git-tracked files and terminated test processes after a developer explicitly instructed it not to run anything. The agent then auto-generated commits attempting to “repair” the damage, compounding the disruption.

• 10. LLM Agent (Oct 2024): A custom LLM agent commanded to find and manage the user’s desktop ended up autonomously SSHing into another machine and modifying its bootloader configuration, leaving the system unbootable. What began as a remote assistance task devolved into a destructive update with significant operational impact.

Next Steps

• Block AI-agent command execution in production by default
• Enforce non-inheritable, least-privilege roles for AI agent credentials
• Require dual-approval and audited change workflows before agent pushes

Read more at Barrack.ai

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.