Category: Cybersecurity

Ravie LakshmananFeb 13, 2026Cloud Security / Cyber Espionage

A previously unknown threat actor tracked as UAT-9921 has been observed leveraging a new modular framework called VoidLink in its campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.

“This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity,” researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said. “UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network.”

VoidLink was first documented by Check Point last month, describing it as a feature-rich malware framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. It’s assessed to be the work of a single developer with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development.

In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink presents a new concern where LLM-generated implants, packed with kernel-level rootkits and features to target cloud environments, can further lower the skill barrier required to produce hard-to-detect malware.

Per Talos, UAT-9921 is believed to possess knowledge of the Chinese language, given the language of the framework, and the toolkit appears to be a recent addition. It is also believed that the development was split across teams, although the extent of the demarcation between development and the actual operations remains unclear.

“The operators deploying VoidLink have access to the source code of some [kernel] modules and some tools to interact with the implants without the C2,” the researchers noted. “This indicates inner knowledge of the communication protocols of the implants.”

VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has also been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan.

The cybersecurity company said it’s aware of multiple VoidLink-related victims dating back to September 2025, indicating that work on the malware may have commenced much earlier than the November 2025 timeline pieced together by Check Point.

VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. It supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics.

The framework also comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly.

“The C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for a known vulnerability, which just happens to be on an internal web server,” Talos said.

“The C2 doesn’t necessarily need to have all these tools available — it may have an agent that will do its research and prepare the tool for the operator to use. With the current VoidLink compile-on-demand capability, integrating such a feature should not be complex. Keep in mind that all of this will happen while the operator continues to explore the environment.”

Another defining trait of VoidLink is its auditability and the existence of a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. This suggests that the developers of the framework kept oversight in mind when designing it, raising the possibility that the activity may be part of red team exercises.

What’s more, there are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.

“This is a near-production-ready proof of concept,” Talos said. “VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility.”

Ravie LakshmananFeb 13, 2026Threat Intelligence / Malware

A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL.

Google Threat Intelligence Group (GTIG) described the hack group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments.

However, the group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, GTIG added.

“Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs [large language models],” GTIG said.

“Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup.”

Recent phishing campaigns have involved the threat actor impersonating legitimate national and local Ukrainian energy organizations to obtain unauthorized access to organizational and personal email accounts.

The group is also said to have masqueraded as a Romanian energy company that works with customers in Ukraine, in addition to targeting a Romanian firm and conducting reconnaissance on Moldovan organizations.

To enable its operations, the threat actor generates email address lists tailored to specific regions and industries based on their research. The attack chains seemingly contain LLM-generated lures and embed Google Drive links pointing to a RAR archive containing CANFAIL malware.

Typically disguised with a double extension to pass off as a PDF document (*.pdf.js), CANFAIL is an obfuscated JavaScript malware that’s designed to execute a PowerShell script that, in turn, downloads and executes a memory-only PowerShell dropper. In parallel, it displays a fake “error” message to the victim.

Google said the threat actor is also linked to a campaign called PhantomCaptcha that was disclosed by SentinelOne SentinelLABS in October 2025 as targeting organizations associated with Ukraine’s war relief efforts through phishing emails that direct recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver a WebSocket-based trojan.

Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr.

“Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors,” Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. “Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.”

The vulnerability in question is CVE-2026-1731 (CVS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests.

BeyondTrust noted last week that successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.

It has been patched in the following versions –

• Remote Support – Patch BT26-02-RS, 25.3.2 and later
• Privileged Remote Access – Patch BT26-02-PRA, 25.1.1 and later

The use of CVE-2026-1731 demonstrates how quickly threat actors can weaponize new vulnerabilities, significantly shrinking the window for defenders to patch critical systems.

CISA Adds 4 Flaws to KEV Catalog

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows –

• CVE-2026-20700 (CVSS score: 7.8) – An improper restriction of operations within the bounds of a memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS that could allow an attacker with memory write capability to execute arbitrary code.
• CVE-2025-15556 (CVSS score: 7.7) – A download of code without an integrity check vulnerability in Notepad++ that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer and lead to arbitrary code execution with the privileges of the user.
• CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability in SolarWinds Web Help Desk that could allow an unauthenticated attacker to gain access to certain restricted functionality.
• CVE-2024-43468 (CVSS score: 9.8) – An SQL injection vulnerability in Microsoft Configuration Manager that could allow an unauthenticated attacker to execute commands on the server and/or underlying database by sending specially crafted requests.

It’s worth noting that CVE-2024-43468 was patched by Microsoft in October 2024 as part of its Patch Tuesday updates. It’s currently unclear how this vulnerability is being exploited in real-world attacks. Nor is there any information about the identity of the threat actors exploiting the flaw and the scale of such efforts.

The addition of CVE-2024-43468 to the KEV catalog follows a recent report from Microsoft about a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization’s network to other high-value assets.

However, the Windows maker said it’s not evident if the attacks exploited CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399, since attacks occurred in December 2025 and on machines vulnerable to both the old and new sets of vulnerabilities.

As for CVE-2026-20700, Apple acknowledged that the shortcoming may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26, raising the possibility that it was leveraged to deliver commercial spyware. It was fixed by the tech giant earlier this week.

Lastly, the exploitation of CVE-2025-15556 has been attributed by Rapid7 to a China-linked state-sponsored threat actor called Lotus Blossom (aka Billbug, Bronze Elgin, G0030, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip). It’s known to be active since at least 2009.

The targeted attacks have been found to deliver a previously undocumented backdoor called Chrysalis. While the supply chain attack was fully plugged on December 2, 2025, the compromise of the Notepad++ update pipeline is estimated to have spanned nearly five months between June and October 2025.

The DomainTools Investigations (DTI) team described the incident as precise and a “quiet, methodical intrusion” that points to a covert intelligence-gathering mission designed to keep operational noise as low as possible. It also characterized the threat actor as having a penchant for long dwell times and multi-year campaigns.

An important aspect of the campaign is that the Notepad++ source code was left intact, instead relying on trojanized installers to deliver the malicious payloads. This, in turn, allowed the attackers to bypass source-code reviews and integrity checks, effectively enabling them to stay undetected for extended periods, DTI added.

“From their foothold inside the update infrastructure, the attackers did not indiscriminately push malicious code to the global Notepad++ user base,” it said. “Instead, they exercised restraint, selectively diverting update traffic for a narrow set of targets, organizations, and individuals whose positions, access, or technical roles made them strategically valuable.”

“By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access. The campaign reflects continuity in purpose, a sustained focus on regional strategic intelligence, executed with more sophisticated, more subtle, and harder-to-detect methods than in prior iterations.”

In light of active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have until February 15, 2026, to address CVE-2025-40536, and till March 5, 2026, to fix the remaining three.

The Hacker NewsFeb 13, 2026Supply Chain Security / DevSecOps

In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don’t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks – here’s what you need to know for a safer Node community.

Let’s start with the original problem

Historically, npm relied on classic tokens: long-lived, broadly scoped credentials that could persist indefinitely. If stolen, attackers could directly publish malicious versions to the author’s packages (no publicly verifiable source code needed). This made npm a prime vector for supply-chain attacks. Over time, numerous real-world incidents demonstrated this point. Shai-Hulud, Sha1-Hulud, and chalk/debug are examples of recent, notable attacks.

npm’s solution

To address this, npm made the following changes:

1. npm revoked all classic tokens and defaulted to session-based tokens instead. The npm team also improved token management. Interactive workflows now use short-lived session tokens (typically two hours) obtained via npm login, which defaults to MFA for publishing. 
2. The npm team also encourages OIDC Trusted Publishing, in which CI systems obtain short-lived, per-run credentials rather than storing secrets at rest.

Second, MFA on publish is optional. Developers can still create 90-day tokens with MFA bypass enabled in the console, which are extremely similar to the classic tokens from before.

These tokens allow you to read and write to a token author’s maintained packages. This means that if bad actors gain access to a maintainer’s console with these token settings, they can publish new, malicious packages (and versions) on that author’s behalf. This circles us back to the original issue with npm before they adjusted their credential policies.

To be clear, more developers using MFA on publish is good news, and future attacks should be fewer and smaller. However, making OIDC and MFA on-publish optional still leaves the core issue unresolved.

In conclusion, if (1) MFA phishing attempts to npm’s console still work and (2) access to the console equals access to publish new packages/versions, then developers need to be aware of the supply-chain risks that still exist.

Recommendations

In the spirit of open source security, here are three recommendations that we hope GitHub and npm will consider in the future.

1. Ideally, they continue to push for the ubiquity of OIDC in the long term. OIDC is very hard to compromise and would almost completely erase the issues surrounding supply-chain attacks.
2. More realistically, enforcing MFA for local package uploads (either via an email code or a one-time password) would further reduce the blast radius of worms like Shai-Hulud. In other words, it would be an improvement to not allow custom tokens that bypass MFA.
3. At a minimum, it would be nice to add metadata to package releases, so developers can take precautions and avoid packages (or maintainers) who do not take supply chain security measures.

In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, identity-bound credentials become the norm — and MFA bypass is no longer required for automation — supply-chain risk from compromised build systems remains materially present.

A new way to do it

This entire time, we’ve been talking about supply-chain attacks by uploading packages to npm on a maintainer’s behalf. If we could build every npm package from verifiable upstream source code rather than downloading the artifact from npm, we’d be better off. That’s exactly what Chainguard does for its customers with Chainguard Libraries for JavaScript.

We’ve looked at the public database for compromised packages across npm and discovered that for 98.5% of malicious packages, the malware was not present in the upstream source code (just the published artifact). This means an approach of building from source would reduce your attack surface by some 98.5%, based on past data, because Chainguard’s JavaScript repository would never publish the malicious versions available on npm.

In an ideal world, customers are most secure when they use Chainguard Libraries and apply the recommendations above. Per the “Swiss cheese model of security,” all of these features are layers of additive security measures, and companies would be best off using a combination of them.

If you’d like to learn more about Chainguard Libraries for JavaScript, reach out to our team.

Note: This article was thoughtfully written and contributed for our audience by Adam La Morre, Senior Solutions Engineer at Chainguard.

Ravie LakshmananFeb 12, 2026Zero-Day / Vulnerability

Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.

The vulnerability, tracked as CVE-2026-20700 (CVSS score: N/A), has been described as a memory corruption issue in dyld, Apple’s Dynamic Link Editor. Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” the company said in an advisory. “CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”

It’s worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in December 2025, with the former first disclosed by Google as having been exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) relates to an out-of-bounds memory access in ANGLE’s Metal renderer component. Metal is a high-performance hardware-accelerated graphics and compute API developed by Apple.

CVE-2025-43529 (CVSS score: 8.8), on the other hand, is a use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content.

The updates are available for the following devices and operating systems –

• iOS 26.3 and iPadOS 26.3 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
• macOS Tahoe 26.3 – Macs running macOS Tahoe
• tvOS 26.3 – Apple TV HD and Apple TV 4K (all models)
• watchOS 26.3 – Apple Watch Series 6 and later
• visionOS 26.3 – Apple Vision Pro (all models)

In addition, Apple has also released updates to resolve various vulnerabilities in older versions of iOS, iPadOs, macOS, and Safari –

With the latest development, Apple has moved to address its first actively exploited zero-day in 2026. Last year, the company patched nine zero-day vulnerabilities that were exploited in the wild.

The Hacker NewsFeb 12, 2026Enterprise Security / Breach Prevention

A new 2026 market intelligence study of 128 enterprise security decision-makers (available here) reveals a stark divide forming between organizations – one that has nothing to do with budget size or industry and everything to do with a single framework decision. Organizations implementing Continuous Threat Exposure Management (CTEM) demonstrate 50% better attack surface visibility, 23-point higher solution adoption, and superior threat awareness across every measured dimension. The 16% who’ve implemented it are pulling away. The 84% who haven’t are falling behind.

The Demographics of the Divide

The research surveyed a senior cohort: 85% of respondents are Manager-level or above, representing organizations where 66% employ 5,000+ people across finance, healthcare, and retail sectors.

Download the full research here →

What is CTEM?

If you aren’t familiar, CTEM involves shifting from “patch everything reactively” to “continuously discover, validate, and prioritize risk exposures that can actually hurt the business.” It’s widely discussed in cybersecurity now as a next-generation evolution of exposure/risk management, and the new report reinforces Gartner’s view that businesses adopting it will consistently demonstrate stronger security outcomes than those that don’t.

The gap between awareness and implementation reveals modern security’s central dilemma: which priority wins? Security leaders understand the CTEM conceptually but struggle to sell its benefits in the face of organizational inertia, competing priorities, and budget constraints that force impossible tradeoffs. The challenge of gaining management buy-in is one reason why we prepared this report: to provide the statistics that make the business case impossible to ignore.

Complexity is the New Multiplier

For example: Beyond a certain threshold, manual tracking of all the additional integrations, scripts, and dependencies breaks down, ownership blurs, and blind spots multiply. The research makes it clear that attack surface complexity is not just a management challenge; it’s a direct risk multiplier. 

We can see this clearly in the graph below. Attack rates rise linearly from 5% (0-10 domains) to 18% (51-100 domains), then rise steeply past 100 domains. 

This sudden increase is driven by the ‘visibility gap’, the gulf between the assets a company is responsible for monitoring and those it’s aware of. Each additional domain can add dozens of connected assets, and when the count climbs past 100, this can translate to thousands of additional scripts: each one a possible attack vector. Traditional snapshot security cannot hope to log and monitor them all. Only CTEM-driven programs can provide the oversight to continuously identify and validate the dark assets hiding in this visibility gap – before attackers do.

Why This Matters Now

Security leaders are currently facing a ‘perfect storm’ of demands. At a time when 91% of CISOs report an increase in third-party incidents, average breach costs have climbed to $4.44M, and PCI DSS 4.0.1 brings stricter monitoring and the ever-present specter of penalties. With this in mind, the report shows that attack surface management has become an issue for the boardroom as much as the server room, and the C-suite reader can only conclude that continuing to trust manual oversight and periodic controls to manage such a complex, high-stakes challenge would be self-destructive.

One of the clearest signals in this research comes from the peer benchmarking data. When organizations compare themselves side by side – by attack surface size, visibility, tooling, and outcomes – a pattern emerges that is difficult to ignore: beyond a certain level of complexity, traditional security approaches stop scaling.

The takeaway from the peer benchmarks is clear: below a certain level of exposure, organizations can rely on periodic controls and manual oversight. Above it, those models no longer hold. For security leaders operating in high-complexity environments, the question is no longer whether CTEM is valuable – it is whether their current approach can realistically keep up without it.

Download the full market research here.

Ravie LakshmananFeb 12, 2026Cybersecurity / Hacking News

Threat activity this week shows one consistent signal — attackers are leaning harder on what already works. Instead of flashy new exploits, many operations are built around quiet misuse of trusted tools, familiar workflows, and overlooked exposures that sit in plain sight.

Another shift is how access is gained versus how it’s used. Initial entry points are getting simpler, while post-compromise activity is becoming more deliberate, structured, and persistent. The objective is less about disruption and more about staying embedded long enough to extract value.

There’s also growing overlap between cybercrime, espionage tradecraft, and opportunistic intrusion. Techniques are bleeding across groups, making attribution harder and defense baselines less reliable.

Below is this week’s ThreatsDay Bulletin — a tight scan of the signals that matter, distilled into quick reads. Each item adds context to where threat pressure is building next.

Taken together, these developments show how threat actors are balancing speed with patience — moving fast where defenses are weak, and slowing down where stealth matters more than impact. The result is activity that blends into normal operations until damage is already underway.

For defenders, the challenge isn’t just blocking entry anymore. It’s recognizing misuse of legitimate access, spotting abnormal behavior inside trusted systems, and closing gaps that don’t look dangerous on the surface.

The briefs that follow aren’t isolated incidents. They’re fragments of a wider operating picture — one that keeps evolving week after week.

Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.

The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry. It’s assessed to be active since May 2025.

“Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit,” ReversingLabs researcher Karlo Zanki said in a report. “The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges.”

Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version was published, and before the second version containing a malicious payload was released. The names of the packages are listed below –

npm – 

• graphalgo
• graphorithm
• graphstruct
• graphlibcore
• netstruct
• graphnetworkx
• terminalcolor256
• graphkitx
• graphchain
• graphflux
• graphorbit
• graphnet
• graphhub
• terminal-kleur
• graphrix
• bignumx
• bignumberx
• bignumex
• bigmathex
• bigmathlib
• bigmathutils
• graphlink
• bigmathix
• graphflowx

PyPI –

• graphalgo
• graphex
• graphlibx
• graphdict
• graphflux
• graphnode
• graphsync
• bigpyx
• bignum
• bigmathex
• bigmathix
• bigmathutils

As with many job-focused campaigns conducted by North Korean threat actors, the attack chain begins with establishing a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space, and then setting up the necessary digital real estate to create an illusion of legitimacy.

This includes registering a domain and creating a related GitHub organization to host several repositories for use in coding assessments. The repositories have been found to contain projects based on Python and JavaScript.

“Examination of these repositories didn’t reveal any obvious malicious functionality,” Zanki said. “That is because the malicious functionality was not introduced directly via the job interview repositories, but indirectly – through dependencies hosted on the npm and PyPI open-source package repositories.”

The idea behind setting up these repositories is to trick candidates who apply to its job listings on Reddit and Facebook Groups into running the projects on their machines, effectively installing the malicious dependency and triggering the infection. In some cases, victims are directly contacted by seemingly legitimate recruiters on LinkedIn.

The packages ultimately act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server. It supports various commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.

Interestingly, the command-and-control (C2) communication is protected by a token-based mechanism to ensure that only requests with a valid token are accepted. The approach was previously observed in 2023 campaigns linked to a North Korean hacking group called Jade Sleet, which is also known as TraderTraitor or UNC4899.

It essentially works like this: the packages send system data as part of a registration step to the C2 server, which responds with a token. This token is then sent back to the C2 server in subsequent requests to establish that they are originating from an already registered infected system.

“The token-based approach is a similarity […] in both cases and has not been used by other actors in malware hosted on public package repositories as far as we know,” Zanki told The Hacker News at that time.

The findings show that North Korean state-sponsored threat actors continue to poison open-source ecosystems with malicious packages in hopes of stealing sensitive data and conducting financial theft, a fact evidenced by the RAT’s checks to determine if the MetaMask browser extension is installed in the machine.

“Evidence suggests that this is a highly sophisticated campaign,” ReversingLabs said. “Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor.”

More Malicious npm Packages Found

The disclosure comes as JFrog uncovered a sophisticated, malicious npm package called “duer-js” published by a user named “luizaearlyx.” While the library claims to be a utility to “make the console window more visible,” it harbors a Windows information stealer called Bada Stealer.

It’s capable of gathering Discord tokens, passwords, cookies, and autofill data from Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser, cryptocurrency wallet details, and system information. The data is then exfiltrated to a Discord webhook, as well as the Gofile file storage service as a backup.

“In addition to stealing information from the host it infected, the malicious package downloads a secondary payload,” security researcher Guy Korolevski said. “This payload is designed to run on the Discord Desktop app startup, with self-updating capabilities, stealing directly from it, including payment methods used by the user.”

It also coincides with the discovery of another malware campaign that weaponizes npm to extort cryptocurrency payments from developers during package installation using the “npm install” command. The campaign, first recorded on February 4, 2026, has been dubbed XPACK ATTACK by OpenSourceMalware.

duer-js malicious package flow, hijacking Discord’s Electron environment

The names of the packages, all uploaded by a user named “dev.chandra_bose,” are listed below –

• xpack-per-user
• xpack-per-device
• xpack-sui
• xpack-subscription
• xpack-arc-gateway
• xpack-video-submission
• test-npm-style
• xpack-subscription-test
• testing-package-xdsfdsfsc

“Unlike traditional malware that steals credentials or executes reverse shells, this attack innovatively abuses the HTTP 402 ‘Payment Required’ status code to create a seemingly legitimate payment wall,” security researcher Paul McCarty said. “The attack blocks installation until victims pay 0.1 USDC/ETH to the attacker’s wallet, while collecting GitHub usernames and device fingerprints.”

“If they refuse to pay, the installation simply fails after wasting 5+ minutes of their development time, and they may not even realize they’ve encountered malware versus what appeared to be a legitimate paywall for package access.”

Ravie LakshmananFeb 12, 2026Cyber Espionage / Artificial Intelligence

Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.

“The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. “This actor’s target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.”

The tech giant’s threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.

UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that’s tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra. It’s best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware under the guise of approaching victims under the pretext of job openings.

GTIG said UNC2970 has “consistently” focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for “information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.”

UNC2970 is far from the only threat actor to have misused Gemini to augment their capabilities and move from initial reconnaissance to active targeting at a faster clip. Some of the other hacking crews that have integrated the tool into their workflows are as follows –

• UNC6418 (Unattributed), to conduct targeted intelligence gathering, specifically seeking out sensitive account credentials and email addresses.
• Temp.HEX or Mustang Panda (China), to compile a dossier on specific individuals, including targets in Pakistan, and to gather operational and structural data on separatist organizations in various countries.
• APT31 or Judgement Panda (China), to automate the analysis of vulnerabilities and generate targeted testing plans by claiming to be a security researcher.
• APT41 (China), to extract explanations from open-source tool README.md pages, as well as troubleshoot and debug exploit code.
• UNC795 (China), to troubleshoot their code, conduct research, and develop web shells and scanners for PHP web servers.
• APT42 (Iran), to facilitate reconnaissance and targeted social engineering by crafting personas that induce engagement from the targets, as well as develop a Python-based Google Maps scraper, develop a SIM card management system in Rust, and research the use of a proof-of-concept (PoC) for a WinRAR flaw (CVE-2025-8088).

“HONESTCUE is a downloader and launcher framework that sends a prompt via Google Gemini’s API and receives C# source code as the response,” it said. “However, rather than leveraging an LLM to update itself, HONESTCUE calls the Gemini API to generate code that operates the ‘stage two’ functionality, which downloads and executes another piece of malware.”

The fileless secondary stage of HONESTCUE then takes the generated C# source code received from the Gemini API and uses the legitimate .NET CSharpCodeProvider framework to compile and execute the payload directly in memory, thereby leaving no artifacts on disk.

Google has also called attention to a recent wave of ClickFix campaigns that leverage the public sharing feature of generative AI services to host realistic-looking instructions to fix a common computer issue and ultimately deliver information-stealing malware. The activity was flagged in December 2025 by Huntress.

Lastly, the company said it identified and disrupted model extraction attacks that are aimed at systematically querying a proprietary machine learning model to extract information and build a substitute model that mirrors the target’s behavior. In a large-scale attack of this kind, Gemini was targeted by over 100,000 prompts that posed a series of questions aimed at replicating the model’s reasoning ability across a broad range of tasks in non-English languages.

Last month, Praetorian devised a PoC extraction attack where a replica model achieved an accuracy rate of 80.1% simply by sending a series of 1,000 queries to the victim’s API and recording the outputs and training it for 20 epochs.

“Many organizations assume that keeping model weights private is sufficient protection,” security researcher Farida Shafik said. “But this creates a false sense of security. In reality, behavior is the model. Every query-response pair is a training example for a replica. The model’s behavior is exposed through every API response.” 

Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.

In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed AgreeToSteal by the cybersecurity company.

The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email. The add-in was last updated in December 2022.

Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident represents a broadening of supply chain attack vectors.

“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,” Dardikman said. “What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust.”

“The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this.”

At its core, the attack exploits how Office add-ins work and the lack of periodic content monitoring of add-ins published to the Marketplace. According to Microsoft’s documentation, add-in developers are required to create an account and submit their solution to the Partner Center, following which it is subjected to an approval process.

The attacker took advantage of this behavior to stage a phishing kit on that URL that displayed a fake Microsoft sign-in page, capturing entered passwords, exfiltrating the details via the Telegram Bot API, and eventually redirecting the victim to the actual Microsoft login page.

But Koi warns that the incident could have been worse. Given that the add-in is configured with “ReadWriteItem” permissions – which allows it to read and modify the user’s emails – a threat actor could have abused this blind spot to deploy JavaScript that can covertly siphon a victim’s mailbox contents.

The findings once again bring to fore the need for rescanning packaged and tools uploaded to marketplaces and repositories to flag malicious/suspicious activity.

Dardikman said while Microsoft reviews the manifest during the initial submission phase, there is no control over the actual content that is retrieved live from the developer’s server every time the add-in is opened, once it’s signed and approved. As a result, the absence of continued monitoring of what the URL serves opens the door to unintended security risks.

“Office add-ins are fundamentally different from traditional software,” Dardikman added. “They don’t ship a static code bundle. The manifest simply declares a URL, and whatever that URL serves at any given moment is what runs inside Outlook. In AgreeTo’s case, Microsoft signed the manifest in December 2022, pointing to outlook-one.vercel.app. That same URL is now serving a phishing kit, and the add-in is still listed in the store.”

To counter the security issues posed by the threat, Koi recommends a number of steps that Microsoft can take –

• Trigger a re-review when an add-in’s URL starts returning different content from what it was during review.
• Verify ownership of the domain to ensure that it’s managed by the add-in developer, and flag add-ins where the domain infrastructure has changed hands.
• Implement a mechanism for delisting or flagging add-ins that have not been updated beyond a certain time period.
• Display installation counts as a way to assess impact.

The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.

It bears noting that the problem is not limited to Microsoft Marketplace or the Office Store alone. Last month, Open VSX announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository. Microsoft’s VS Code Marketplace, similarly, does periodic bulk rescanning of all packages in the registry.

“The structural problem is the same across all marketplaces that host remote dynamic dependencies: approve once, trust forever,” Dardikman said. “The specifics vary by platform, but the fundamental gap that enabled AgreeTo exists anywhere a marketplace reviews a manifest at submission without monitoring what the referenced URLs actually serve afterward.”