Tag: Cyber Threats

Ravie LakshmananFeb 03, 2026Malware / Open Source

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++.

The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7.

The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility.

The weakness was plugged in December 2025 with the release of version 8.8.9. It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker’s access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials.

Rapid7’s analysis of the incident has uncovered no evidence or artifacts to suggest that the updater-related mechanism was exploited to distribute malware.

“The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’ which was downloaded from 95.179.213.0,” security researcher Ivan Feigl said.

“Update.exe” is a Nullsoft Scriptable Install System (NSIS) installer that contains multiple files –

• An NSIS installation script
• BluetoothService.exe, a renamed version of Bitdefender Submission Wizard that’s used for DLL side-loading (a technique widely used by Chinese hacking groups)
• BluetoothService, encrypted shellcode (aka Chrysalis)
• log.dll, a malicious DLL that’s sideloaded to decrypt and execute the shellcode

Chrysalis is a bespoke, feature-rich implant that gathers system information and contacts an external server (“api.skycloudcenter[.]com”) to likely receive additional commands for execution on the infected host.

The command-and-control (C2) server is currently offline. However, a deeper examination of the obfuscated artifact has revealed that it’s capable of processing incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.

“Overall, the sample looks like something that has been actively developed over time,” Rapid7 said, adding it also identified a file named “conf.c” that’s designed to retrieve a Cobalt Strike beacon by means of a custom loader that embeds Metasploit block API shellcode.

One such loader, “ConsoleApplication2.exe” is noteworthy for its use of Microsoft Warbird, an undocumented internal code protection and obfuscation framework, to execute shellcode. The threat actor has been found to copy and modify an already existing proof-of-concept (PoC) published by German cybersecurity company Cirosec in September 2024.

Rapid7’s attribution of Chrysalis to Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) based on similarities with prior campaigns undertaken by the threat actor, including one documented by Broadcom-owned Symantec in April 2025 that involved the use of legitimate executables from Trend Micro and Bitdefender to sideload malicious DLLs.

“While the group continues to rely on proven techniques like DLL side-loading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft,” the company said.

“What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). This demonstrates that Billbug is actively updating its playbook to stay ahead of modern detection.”

Ravie LakshmananFeb 03, 2026Artificial Intelligence / Privacy

Mozilla on Monday announced a new controls section in its Firefox desktop browser settings that allows users to completely turn off generative artificial intelligence (GenAI) features.

“It provides a single place to block current and future generative AI features in Firefox,” Ajit Varma, head of Firefox, said. “You can also review and manage individual AI features if you choose to use them. This lets you use Firefox without AI while we continue to build AI features for those who want them.”

Mozilla first announced its plans to integrate AI into Firefox in November 2025, stating it’s fully opt-in and that it’s incorporating the technology while placing users in the driver’s seat.

The new feature is expected to be rolled out with Firefox 148, which is scheduled to be released on February 24, 2026. At the outset, AI controls will allow users to manage the following settings individually –

• Translations
• Alt text in PDFs (adding accessibility descriptions to images in PDF pages)
• AI-enhanced tab grouping (suggestions for related tabs and group names)
• Link previews (show key points before a link is opened)
• AI chatbot in the sidebar (Using well-known chatbots like Anthropic Claude, OpenAI ChatGPT, Microsoft Copilot, Google Gemini, and Le Chat Mistral while navigating the web)

Mozilla said user choice is crucial as more AI features are baked into web browsers, adding that it believes in giving people control regardless of how they feel about the technology.

“If you don’t want to use AI features from Firefox at all, you can turn on the Block AI enhancements toggle,” Varma said. “When it’s toggled on, you won’t see pop-ups or reminders to use existing or upcoming AI features.”

Last month, Mozilla’s new CEO, Anthony Enzor-DeMeo, said the company’s focus will be on becoming a trusted software company that gives users agency in how its products work. “Privacy, data use, and AI must be clear and understandable,” Enzor-DeMeo said. “Controls must be simple. AI should always be a choice – something people can easily turn off.”

Ravie LakshmananFeb 03, 2026Vulnerability / Malware

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.

Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug.

The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it.

“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”

The attack chains, in a nutshell, entail the exploitation of the security hole by means of a malicious RTF file to deliver two different versions of a dropper, one that’s designed to drop an Outlook email stealer called MiniDoor, and another, referred to as PixyNetLoader, that’s responsible for the deployment of a Covenant Grunt implant.

The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user’s emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.

In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and setting up persistence on the host using COM object hijacking. Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).

The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is “explorer.exe.” The malware stays dormant if the conditions are not met.

The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework. It’s worth noting that APT28’s use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel.

“The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”

The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28’s abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central executive authorities in the country. Metadata analysis reveals that one of the lure documents was created on January 27, 2026.

“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.

This, in turn, triggers an attack chain that’s identical to PixyNetLoader, resulting in the deployment of the COVENANT framework’s Grunt implant.

The Hacker NewsFeb 02, 2026Threat Detection / Endpoint Security

For mid-market organizations, cybersecurity is a constant balancing act. Proactive, preventative security measures are essential to protect an expanding attack surface. Combined with effective protection that blocks threats, they play a critical role in stopping cyberattacks before damage is done.

The challenge is that many security tools add complexity and cost that most mid-market businesses can’t absorb. With limited budgets and lean IT and security teams, organizations often focus on detection and response. While necessary, this places a significant operational burden on teams already stretched thin.

A more sustainable approach is security across the complete threat lifecycle—combining prevention, protection, detection, and response in a way that reduces risk without increasing cost or complexity.

Why Mid-Market Security Often Feels Stuck

Most mid-market organizations rely on a small set of foundational tools, such as endpoint protection, email security, and network firewalls. However, limited staff and resources often leave these tools operating as isolated point solutions, preventing teams from extracting their full value.

Solutions such as Bitdefender GravityZone consolidate critical security capabilities into a single platform, enabling centralized management, visibility, and reporting across the security program. This approach allows mid-market organizations to achieve broader coverage without increasing operational overhead.

Extending Coverage with MDR

Managed Detection and Response (MDR) services offer another way to strengthen security quickly. MDR provides 24/7 monitoring, proactive threat hunting, and incident response, effectively extending internal teams without adding headcount.

By combining a unified platform with MDR, mid-market organizations can close coverage gaps and focus internal resources on strategic priorities.

Takeaway: Security Across the Threat Lifecycle

Improving mid-market cybersecurity isn’t about adding more tools—it’s about using the right tools more effectively. Integrating prevention, protection, detection, and response across the threat lifecycle enables stronger security outcomes with less complexity.

Platforms like Bitdefender GravityZone help mid-market organizations strengthen resilience while reducing the operational burden on lean teams.

To explore this approach further, read How to Secure Your Mid-Market Business Across the Complete Threat Lifecycle or the Buyer’s Guide for Mid-Market Businesses: Choosing the Right Security Platform.

Ravie LakshmananFeb 02, 2026Threat Intelligence / Malware

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility’s update mechanism to redirect update traffic to malicious servers instead.

“The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” developer Don Ho said. “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

The exact mechanism through which this was realized is currently being investigated, Ho added.

The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being “occasionally” redirected to malicious domains, resulting in the download of poisoned executables.

Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead.

It’s believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components. The incident is assessed to have commenced in June 2025, more than six months before it came to light.

Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. The attacks, attributed to a nation-state threat actor known as Violet Typhoon (aka APT31), targeted telecommunications and financial services organizations in East Asia.

In response to the security incident, the Notepad++ website has been migrated to a new hosting provider with “significantly strong practices,” and the update process has been hardened with additional guardrails to ensure its integrity.

“According to the former hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.”

Ravie LakshmananFeb 02, 2026Hacking News / Cybersecurity

Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage.

Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead.

This week’s recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what’s next.

⚡ Threat of the Week

Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable. Google pursued legal measures to seize or sinkhole domains used as command‑and‑control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators’ ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA’s available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers. Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.

• Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory. “This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.” Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509.
• Ivanti Patches Exploited EPMM Flaws — Ivanti rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, relate to code injection, allowing attackers to achieve unauthenticated remote code execution. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide “reliable atomic indicators.” As of January 30, 2026, a public working proof-of-concept exploit is available. “As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant,” Rapid7 said. “An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information.”
• Poland Links Cyber Attack on Power System to Static Tundra — The Polish computer emergency response team revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. CERT Polska said the incident took place on December 29, 2025, describing the attacks as destructive. The agency attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit. Prior reports from ESET and Dragos linked the attack with moderate confidence to a group that shares tactical overlaps with a cluster referred to as Sandworm. The group exhibits a deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. The activity also reflects the adversary’s grasp of substation operations and the operational dependencies within electrical systems. “Taking over these devices requires capabilities beyond simply understanding their technical flaws,” Dragos said. “It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.”
• LLMJacking Campaign Targets Exposed AI Endpoints — Cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale. The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems. “The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar Security said. Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common misconfigurations that are under active exploitation include Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000, MCP servers accessible without access controls, development/staging AI infrastructure with public IPs, and production chatbot endpoints that lack authentication or rate limits. Access to the infrastructure is advertised on a marketplace that offers access to over 30 LLMs. Called silver[.]inc, it is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.
• Chinese Threat Actors Use PeckBirdy Framework — China-aligned threat actors have been using a cross-platform, multifunction JScript framework called PeckBirdy to conduct cyber espionage attacks since 2023, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities. The command-and-control (C2) framework, written in Microsoft’s JScript legacy language, is aimed at flexible deployment by enabling execution across multiple environments, including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl).

‎️‍🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248, CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE‑2026‑0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CCVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002, SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server).

📰 Around the Cyber World

• Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet (BYOB) framework. “The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules,” Hunt.io said. “Analysis of the captured samples reveals a modular multi-stage infection chain designed to establish persistent remote access across Windows, Linux, and macOS platforms.” The first stage is a dropper that implements multiple layers of obfuscation to evade signature-based detection, while fetching and executing an intermediate loader, which performs a series of security checks of its own before deploying the main remote access trojan (RAT) payload for reconnaissance and persistence. It also comes with capabilities to escalate privileges, log keystrokes, terminate processes, harvest emails, and inspect network traffic. Additional infrastructure linked to the threat actor has been found to host cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads.
• Phantom Enigma Resurfaces with New Tactics — The threat actors behind the Operation Phantom Enigma campaign, which targeted Brazilian users in order to steal bank accounts in early 2025, resurfaced with similar attacks in fall 2025. The attacks, per Positive Technologies, involve sending phishing emails bearing invoice-related themes to trick ordinary users into clicking on malicious links to download a malicious MSI installer that installs a malicious Google Chrome extension dubbed EnigmaBanker on the victim’s browser to collect credentials and transmit them to the attacker’s server. The malware is designed to execute JavaScript code that imports a malicious extension via Chrome DevTools Protocol (CDP) after launching the browser in debugging mode. On the other hand, the attacks aimed at enterprises drop an installer for legitimate remote access software like PDQ Connect, MeshAgent, ScreenConnect, or Syncro RMM. The threat actors behind the campaign are suspected to be operating out of Latin America.
• Attackers Exploit Stolen AWS Credentials to Target AWS WorkMail — Threat actors are leveraging compromised Amazon Web Services (AWS) credentials to deploy phishing and spam infrastructure using AWS WorkMail, bypassing the anti-abuse controls normally enforced by AWS Simple Email Service (SES). “This allows the threat actor to leverage Amazon’s high sender reputation to masquerade as a valid business entity, with the ability to send email directly from victim-owned AWS infrastructure,” Rapid7 said. “Generating minimal service-attributed telemetry also makes threat actor activity difficult to distinguish from routine activity. Any organization with exposed AWS credentials and permissive Identity and Access Management (IAM) policies is potentially at risk, particularly those without guardrails or monitoring around WorkMail and SES configuration.”
• Malicious VS Code Extension Delivers Stealer Malware — A malicious Visual Studio Code (VS Code) extension has been identified in Open VSX (“Angular-studio.ng-angular-extension”) masquerading as a tool for the Angular web development framework, but harbors functionality that’s activated when any HTML or TypeScript file is opened. It’s designed to run encrypted JavaScript responsible for fetching the next-stage payload from a URL embedded into the memo field of a Solana wallet using a technique called EtherHiding by constructing an RPC request to the Solana mainnet. The infection chain is also engineered such that execution is skipped on systems matching Russian locale indicators. “This pattern is commonly observed in malware originating from or affiliated with Russian-speaking threat actors, implemented to avoid domestic prosecution,” Secure Annex said. This architecture offers several advantages: blockchain immutability ensures configuration data persists indefinitely, and attackers can update payload URLs without modifying the published extension. The final payload deployed as part of the attack is a stealer malware that can siphon credentials from developer machines, conduct cryptocurrency theft, establish persistence, and exfiltrate the data to a server retrieved from a Google Calendar event.
• Threat Actors Exploit Critical Adobe Commerce Flaw — Threat actors are continuing to exploit a critical flaw in Adobe Commerce and Magento Open Source platforms (CVE-2025-54236, CVSS score: 9.1) to compromise 216 websites worldwide in one campaign, and deploy web shells on Magento sites in Canada and Japan to enable persistent access in another. “While the cases are not assessed to be part of a single coordinated campaign, all incidents demonstrate that the vulnerability is being actively abused for authentication bypass, full system compromise, and, in some cases, web shell deployment and persistent access,” Oasis Security said.
• Malicious Google Ads Leads to Stealer Malware — Sponsored ads on Google when searching for “Mac cleaner” or “clear cache macOS” are being used to redirect unsuspecting users to sketchy sites hosted on Google Docs and Medium to trick them into following ClickFix-style instructions to deliver stealer malware. In a related development, DHL-themed phishing emails containing ZIP archives are being used to launch XLoader using DLL side-loading, which then uses process hollowing techniques to load Phantom Stealer.
• U.S. Authorities Investigated Meta Contractors’ Claims that WhatsApp Chats Aren’t Private — U.S. law enforcement has been investigating allegations by former Meta contractors that employees at the company can access WhatsApp messages, despite the company’s statements that the chat service is private and encrypted. The contractors claimed that some Meta staff had “unfettered” access to WhatsApp messages, content that should be off-limits, Bloomberg reported. The report stands in stark contrast to WhatsApp encryption foundations, which prevent third parties, including the company, from accessing the chat contents. “What these individuals claim is not possible because WhatsApp, its employees, and its contractors, cannot access people’s encrypted communications,” Meta was quoted as saying to Bloomberg. It’s worth noting that when a user reports a user or group, WhatsApp receives up to five of the last messages sent to them, along with their metadata. This is akin to taking a screenshot of the last few messages, as they are already on the device and in a decrypted state because the device has the “key” to read them. However, these allegations suggest much broader access to the platform.
• New PyRAT Malware Spotted — A new Python-based remote access trojan (RAT) called PyRAT has been found to demonstrate cross-platform capabilities, persistent infection methods, and extensive remote access features. It supports features like system command execution, file system operations, file enumeration, file upload/download, and archive creation to facilitate bulk exfiltration of stolen data. The malware also comes fitted with self-cleanup capabilities to uninstall itself from the victim machine and wipe all persistence components. “This Python‑based RAT poses a notable risk to organizations because of its cross‑platform capability, broad functionality, and ease of deployment,” K7 Security Labs said. “Even though it is not associated with highly sophisticated threat actors, its effectiveness in real‑world attacks and observed detection rates indicate that it is actively used by cybercriminals and deserves attention.” It’s currently not known how it’s distributed.
• New Exfil Out&Look Attack Technique Detailed — Cybersecurity researchers have discovered a new technique named Exfil Out&Look that abuses Outlook add-ins to steal data from organizations. “An add-in installed via OWA [Outlook Web Access can be abused to silently extract email data without generating audit logs or leaving any forensic footprint — a stark contrast to the behavior observed in Outlook Desktop,” Varonis said. “In organizations that rely heavily on Unified Audit Logs for detection and investigation, this blind spot can allow malicious or overly permissive add-ins to operate undetected for extended periods of time.” An attacker could exploit this behavior to trigger an add-in’s core functionality when a victim sends an email, allowing it to intercept outgoing messages and send the data to a third-party server. Following responsible disclosure to Microsoft on September 30, 2025, the company categorized the issue as low-severity with no immediate fix.
• Exposed MongoDB Servers Exploited for Extortion Attacks — Almost half of all internet-exposed MongoDB servers have been compromised and are being held for ransom. An unidentified threat actor has targeted misconfigured instances to drop ransom notes on more than 1,400 databases demanding a Bitcoin payment to restore the data. Flare’s analysis found more than 208,500 publicly exposed MongoDB servers, out of which 100,000 expose operational information, and 3,100 could be accessed without authentication. What’s more, nearly half (95,000) of all internet-exposed MongoDB servers run older versions that are vulnerable to N-day flaws. “Threat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data,” the cybersecurity company said. “However, there is no guarantee the attackers have the data, or will provide a working decryption key if paid.”
• Deep Dive into Dark Web Forums — Positive Technologies has taken a deep-dive look into modern dark web forums, noting how they are in a constant state of flux due to ramping up of law enforcement operations, even as they embrace anonymity and protection technologies like Tor, I2P, coupled with anti-bot guardrails, anti-scraping mechanisms, closed moderation, and a strict trust system to escape scrutiny and block suspicious activity. “However, the results of these interventions are rarely final: the elimination of one forum usually becomes the starting point for the emergence of a new, more sustainable and secure one,” it said. “And an important feature of such forums is the high level of development of technical means of protection. If the early generations of dark web forums were primitive web platforms that often existed in the public part of the internet, modern forums are complex distributed systems with multi-level infrastructure, APIs, moderator bots, built-in verification tools and a multi-stage access system.”
• TA584 Campaign Drops XWorm and Tsundere Bot — A prolific initial access broker known as TA584 (aka Storm-0900) has been observed using the Tsundere Bot alongside XWorm remote access trojan to gain network access for likely follow-on ransomware attacks. The XWorm malware uses a configuration called “P0WER” to enable its execution. “In the second half of 2025, TA584 demonstrated multiple attack chain changes, including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot,” Proofpoint said. The threat actor is assessed to be active since at least 2020, but has exhibited an increased operational tempo since March 2025. Organizations in North America, the U.K., Ireland, and Germany are the main targets. Emails sent by TA584 impersonate various organizations associated with healthcare and government entities, as well as leverage well-designed and believable lures to get people to engage with malicious content. These messages are sent via compromised accounts or third-party services like SendGrid and Amazon Simple Email Service (SES). “The emails usually contain unique links for each target that perform geofencing and IP filtering,” Proofpoint said. “If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email.” Early iterations of the campaign delivered macro-enabled Excel documents dubbed EtterSilent to facilitate malware installation. The end goal of the attack is to initiate a redirect chain involving third-party traffic direction systems (TDS) like Keitaro to a CAPTCHA page, followed by a ClickFix page that instructs the victim to run a PowerShell command on their system. Some of the other payloads distributed by TA584 in the past include Ursine, TA584, WARMCOOKIE, Xeno RAT, Cobalt Strike, and DCRat.
• South Korea to Notify Citizens of Data Leaks — The South Korean government will notify citizens when their data was exposed in a security breach. The new notification system will cover confirmed breaches, but also alert people who may be involved in a data breach, even if the case has not been confirmed. These alerts will also include information on how to seek compensation for damages.
• Details About Critical Apache bRPC Flaw — CyberArk has published details about a recently patched critical vulnerability in Apache bRPC (CVE-2025-60021, CVSS score: 9.8) that could allow an attacker to inject remote commands. The problem resides in the “/pprof/heap” profiler endpoint. “The heap profiler service /pprof/heap did not validate the user-provided extra_options parameter before incorporating it into the jeprof command line,’ CyberArk said. “Prior to the fix, extra_options was appended directly to the command string as –<user_input>. Because this command is later executed to generate the profiling output, shell special characters in attacker-controlled input could alter the executed command, resulting in command injection.” As a result, an attacker could exploit a reachable “/pprof/heap” endpoint to execute arbitrary commands with the privileges of the Apache bRPC process, resulting in remote code execution. There are about 181 publicly reachable /pprof/heap endpoints and 790 /pprof/* endpoints, although it’s not known how many of them are susceptible to this flaw.
• Threat Actors Use New Unicode Trick to Evade Detection — Threat actors are using the Unicode character for math division (∕) instead of a standard forward slash (/) in malicious links to evade detection. “The barely noticeable difference between the divisional and forward slashes causes traditional automated security systems and filters to fail, allowing the links to bypass detection,” email security firm Barracuda said. “As a result, victims are redirected to default or random pages.”
• China Executes 11 Members of Myanmar Scam Mafia — The Chinese government has executed 11 members of the Ming family who ran cyber scam compounds in Myanmar. The suspects were sentenced in September 2025 following their arrest in 2023. In November 2025, five members of a Myanmar crime syndicate were sentenced to death for their roles in running industrial-scale scamming compounds near the border with China. The Ming mafia’s scam operations and gambling dens brought in more than $1.4 billion between 2015 and 2023, BBC News reported, citing China’s highest court.
• FBI Urges Organizations to Improve Cybersecurity — The U.S. Federal Bureau of Investigation (FBI) launched Operation Winter SHIELD (short for “Securing Homeland Infrastructure by Enhancing Layered Defense”), outlining ten actions which organizations should implement to improve cyber resilience. This includes adopting phishing-resistant authentication, implementing a risk-based vulnerability management program, retiring end-of-life technology, managing third-party risk, preserving security logs, maintaining offline backups, inventorying internet-facing systems and services, strengthening email authentication, reducing administrator privileges, and executing incident response plans with all stakeholders. “Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface,” the FBI said. “Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.”
• Only 26% of Vulnerability Attacks Blocked by Hosts — A new study by website security firm PatchStack has revealed that a significant majority of common WordPress-specific vulnerabilities are not mitigated by hosting service providers. In a test using 30 vulnerabilities that were known to be exploited in real-world attacks, the company found that 74% of all attacks resulted in a successful site takeover. “Of the high-impact vulnerabilities, Privilege Escalation attacks were blocked only 12% of the time,” Patchstack said. “The biggest problem isn’t that hosts don’t care about vulnerability attacks – it’s that they think their existing solutions have got them covered.”
• Cyber Attacks Became More Distributed in 2025 — Forescout’s Threat Roundup report for 2025 has found that cyber attacks became more globally distributed and cloud-enabled. “In 2025, the top 10 countries accounted for 61% of malicious traffic – a 22% decrease compared to 2024 – and a reversal of a trend observed since 2022, when that figure was 73%,” Forescout said. “In other words, attacks are more distributed and attackers are using IP addresses from less common countries more frequently.” The U.S., India, and Germany were the most targeted countries, with 59% of the attacks originating from ISP-managed IPs, 17% from business and government networks, and 24% from hosting or cloud providers. The vast majority of the attacks originated from China, Russia, and Iran. Attacks using OT protocols surged by 84%, led by Modbus. The development comes as Cisco Talos revealed that threat actors are increasingly exploiting public-facing applications, overtaking phishing in the last quarter of 2025.
• Google Agrees to Settle Privacy Lawsuit for $68M — Google has agreed to pay $68 million to settle a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared the private conversations with third parties without their consent. The case revolved around “false accepts,” where Google Assistant is said to have activated and recorded the user’s communications even in scenarios where the actual trigger word, “Ok Google,” was not used. Google has denied any wrongdoing. Apple reached a similar $95 million settlement in December 2024 over Siri recordings. Separately, Google has agreed to pay $135 million to settle a proposed class-action lawsuit that accused the company of illegally using users’ cellular data to transmit system information to its servers without the user’s knowledge or consent since November 12, 2017. As part of the settlement, Google will not transfer data without obtaining consent from Android users when they set up their phones. It will also make it easier for users to stop the transfers, and will disclose the transfers in its Google Play terms of service. The development follows a U.S. Supreme Court decision to hear a case stemming from the use of a Facebook tracking pixel to monitor the streaming habits of users of a sports website.
• Security Flaws in Google Fast Pair protocol — More than a dozen headphone and speaker models have been found vulnerable to a new vulnerability (CVE-2025-36911, CVSS score: 7.1) in the Google Fast Pair protocol. Called WhisperPair, the attack allows threat actors to hijack a user’s accessories without user interaction. In certain scenarios, the attackers can also register as the owners of those accessories and track the movement of the real owners via the Google Find Hub. Google awarded the researchers $15,000 following responsible disclosure in August 2025. “WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” researchers at the COSIC group of KU Leuven said. “This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone. This attack succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 metres) and does not require physical access to the vulnerable device.” In related news, an information leak vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) have been uncovered in Xiaomi Redmi Buds versions 3 Pro through 6 Pro. “An attacker within Bluetooth radio range can send specially crafted RFCOMM protocol interactions to the device’s internal channels without prior pairing or authentication, enabling the exposure of sensitive call-related data or triggering repeatable firmware crashes,” CERT Coordination Center (CERT/CC) said.

🎥 Cybersecurity Webinars

• Your SOC Stack Is Broken — Here’s How to Fix It Fast: Modern SOC teams are drowning in tools, alerts, and complexity. This live session with AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cuts through the noise—showing what to build, what to buy, and what to automate for real results. Learn how top teams design efficient, cost-effective SOCs that actually work. Join now to make smarter security decisions.
• AI Is Rewriting Cloud Forensics — Learn How to Investigate Faster: Cloud investigations are getting harder as evidence disappears fast and systems change by the minute. Traditional forensics can’t keep up. Join Wiz’s experts to see how AI and context-aware forensics are transforming cloud incident response—helping teams capture the right data automatically, connect the dots faster, and uncover what really happened in minutes instead of days.
• Build Your Quantum-Safe Defense: Get Guidance for IT Leaders: Quantum computers could soon break the encryption that protects today’s data. Hackers are already stealing encrypted information now to decrypt it later. Join this Zscaler webinar to learn how post-quantum cryptography keeps your business safe—using hybrid encryption, zero trust, and quantum-ready security tools built for the future.

🔧 Cybersecurity Tools

• Vulnhalla: CyberArk open-sources a new tool that automates vulnerability triage by combining CodeQL analysis with AI models like GPT-4 or Gemini. It scans public code repositories, runs CodeQL queries to find potential issues, and then uses AI to decide which ones are real security flaws versus false positives. This helps developers and security teams quickly focus on genuine risks instead of wasting time sorting through noisy scan results.
• OpenClaw: A personal AI assistant running in Cloudflare Workers, connecting to Telegram, Discord, and Slack with secure device pairing. It uses Claude via Anthropic API and optional R2 storage for persistence—showcasing how AI agents can run safely in a sandboxed, serverless Cloudflare setup.

Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion

Cybersecurity keeps moving fast. This week’s stories show how attacks, defenses, and discoveries keep shifting the balance. Staying secure now means staying alert, reacting fast, and knowing what’s changing around you.

The past few days proved that no one is too small to be a target and no system is ever fully safe. Every patch, every update, every fix counts — because threats don’t wait.

Keep learning, stay cautious, and keep your guard up. The next wave of attacks is already forming.

Ravie LakshmananFeb 02, 2026Vulnerability / Artificial Intelligence

A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link.

The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise.

“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,” OpenClaw’s creator and maintainer Peter Steinberger said in an advisory.

“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.”

“OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,” Steinberger said. “Unlike SaaS assistants where your data lives on someone else’s servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.”

Mav Levin, founding security researcher at depthfirst who is credited with discovering the shortcoming, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.

The problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw’s server doesn’t validate the WebSocket origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions.

A malicious web page can take advantage of the issue to execute client-side JavaScript on the victim’s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim’s OpenClaw instance.

To make matters worse, by leveraging the token’s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting “exec.approvals.set” to “off” and escape the container used to run shell tools by setting “tools.exec.host” to “gateway.”

“This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said. “Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.”

When asked whether OpenClaw’s use of the API to manage the safety features constitutes an architectural limitation, Levin told The Hacker News in an emailed response that, “I would say the problem is those defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, as a result of prompt injection, for example. And users might think these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.”

Steinberger noted in the advisory that “the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.”

“It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim’s browser acts as the bridge.”

Ravie LakshmananFeb 02, 2026Kerberos / Enterprise Security

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.

The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.

“NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained. “However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.”

Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.

To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default –

• Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now)
• Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026)
• Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and requiring explicit re-enablement through new policy controls

Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future. This also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades.

“Disabling NTLM by default does not mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.”

“The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).”

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks.

ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It’s an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant formerly known as both Clawdbot and Moltbot.

The analysis, which Koi conducted with the help of an OpenClaw bot named Alex, found that 335 skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS). This set has been codenamed ClawHavoc.

“You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov said. “The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.”

This step involves instructions for both Windows and macOS systems: On Windows, users are asked to download a file called “openclaw-agent.zip” from a GitHub repository. On macOS, the documentation tells them to copy an installation script hosted at glot[.]io and paste it into the Terminal app. The targeting of macOS is no coincidence, as reports have emerged of people buying Mac Minis to run the AI assistant 24×7.

Present within the password-protected archive is a trojan with keylogging functionality to capture API keys, credentials, and other sensitive data on the machine, including those that the bot already has access to. On the other hand, the glot[.]io script contains obfuscated shell commands to fetch next-stage payloads from an attacker-controlled infrastructure.

According to Koi, the malicious skills masquerade as

• ClawHub typosquats (e.g., clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub)
• Cryptocurrency tools like Solana wallets and wallet trackers
• Polymarket bots (e.g., polymarket-trader, polymarket-pro, polytrading)
• YouTube utilities (e.g., youtube-summarize, youtube-thumbnail-grabber, youtube-video-downloader)
• Auto-updaters (e.g., auto-updater-agent, update, updater)
• Finance and social media tools (e.g., yahoo-finance-pro, x-trends-tracker)
• Google Workspace tools claiming integrations with Gmail, Calendar, Sheets, and Drive
• Ethereum gas trackers
• Lost Bitcoin finders

In addition, the cybersecurity company said it identified skills that hide reverse shell backdoors inside functional code (e.g., better-polymarket and polymarket-all-in-one), or exfiltrate bot credentials present in “~/.clawdbot/.env” to a webhook[.]site (e.g., rankaj).

The development coincides with a report from OpenSourceMalware, which also flagged the same ClawHavoc campaign targeting OpenClaw users.

“The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems,” a security researcher who goes by the online alias 6mile said.

“All these skills share the same command-and-control infrastructure (91.92.242[.]30) and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.”

OpenClaw Adds a Reporting Option

The problem stems from the fact that ClawHub is open by default and allows anyone to upload skills. The only restriction at this stage is that a publisher must have a GitHub account that’s at least one week old.

The issue with malicious skills hasn’t gone unnoticed by OpenClaw’s creator Peter Steinberger, who has since rolled out a reporting feature that allows signed-in users to flag a skill. “Each user can have up to 20 active reports at a time,” the documentation states. “Skills with more than 3 unique reports are auto-hidden by default.”

The findings underscore how open-source ecosystems continue to be abused by threat actors, who are now piggybacking on OpenClaw’s sudden popularity to orchestrate malicious campaigns and distribute malware at scale.

In a report last week, Palo Alto Networks warned that OpenClaw represents what British programmer Simon Willison, who coined the term prompt injection, describes as a “lethal trifecta” that renders AI agents vulnerable by design due to their access to private data, exposure to untrusted content, and the ability to communicate externally.

The intersection of these three capabilities, combined with OpenClaw’s persistent memory, “acts as an accelerant” and amplifies the risks, the cybersecurity company added.

“With persistent memory, attacks are no longer just point-in-time exploits. They become stateful, delayed-execution attacks,” researchers Sailesh Mishra and Sean P. Morgan said. “Malicious payloads no longer need to trigger immediate execution on delivery. Instead, they can be fragmented, untrusted inputs that appear benign in isolation, are written into long-term agent memory, and later assembled into an executable set of instructions.”

“This enables time-shifted prompt injection, memory poisoning, and logic bomb–style activation, where the exploit is created at ingestion but detonates only when the agent’s internal state, goals, or tool availability align.”

Ravie LakshmananFeb 02, 2026Developer Tools / Malware

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer’s resources to push malicious updates to downstream users.

“On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader,” Socket security researcher Kirill Boychenko said in a Saturday report.

“These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.”

The supply chain security company said that the supply chain attack involved the compromise of the developer’s publishing credentials, with the Open VSX security team assessing the incident as involving the use of either a leaked token or other unauthorized access. The malicious versions have since been removed from the Open VSX.

The list of identified extensions is below –

• FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
• I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
• vscode mindmap (oorzc.mind-map — version 1.0.61)
• scss to css (oorzc.scss-to-css-compile — version 1.3.4)

The poisoned versions, Socket noted, are designed to deliver a loader malware associated with a known campaign called GlassWorm. The loader is equipped to decrypt and run embedded at runtime, uses an increasingly weaponized technique called EtherHiding to fetch command-and-control (C2) endpoints, and ultimately run code designed to steal Apple macOS credentials and cryptocurrency wallet data.

At the same time, the malware is detonated only after the compromised machine has been profiled, and it has been determined that it does not correspond to a Russian locale, a pattern commonly observed in malicious programs originating from or affiliated with Russian-speaking threat actors to avoid domestic prosecution.

The kinds of information harvested by the malware include –

• Data from Mozilla Firefox and Chromium-based browsers (logins, cookies, internet history, and wallet extensions like MetaMask)
• Cryptocurrency wallet files (Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper)
• iCloud Keychain database
• Safari cookies
• Data from Apple Notes
• user documents from Desktop, Documents, and Downloads folders
• FortiClient VPN configuration files
• Developer credentials (e.g., ~/.aws and ~/.ssh)

The targeting of developer information poses severe risks as it exposes enterprise environments to potential cloud account compromise and lateral movement attacks.

“The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation,” Boychenko said.

A significant aspect of the attack is that it diverges from previously observed GlassWorm indicators in that it makes use of a compromised account belonging to a legitimate developer to distribute the malware. In prior instances, the threat actors behind the campaign have leveraged typosquatting and brandjacking to upload fraudulent extensions for subsequent propagation.

“The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions,” Socket said. “These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response.”