
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 10:01 10/03/2026 UTC
  • **Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data** Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies, including 100 high-profile organizations, by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access, though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.
  • **Windows 11 KB5070311 Update Addresses File Explorer and Search Issues** Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key + H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.
  • **Threat Actor Uses Elastic Cloud SIEM to Manage Stolen Data from Multiple Organizations** A threat actor exploited multiple software vulnerabilities to steal data from at least 216 systems across 34 Active Directory domains. The attacker used a free-trial instance of Elastic Cloud's SIEM platform to collect, store, and analyze stolen data, turning a legitimate security tool into a repository for exfiltrated information. The campaign affected organizations across various sectors, including government, education, finance, and manufacturing. The infrastructure was taken down after discovery.
  • **Phishing Attacks Impersonating US City and County Officials** The FBI warns of phishing attacks where criminals impersonate U.S. city and county officials to target businesses and individuals requesting planning and zoning permits. Victims receive emails with permit details and are instructed to pay fraudulent fees via wire transfer, peer-to-peer payment, or cryptocurrency. The scammers use publicly available information to make their messages appear legitimate. The FBI advises verifying the legitimacy of such communications by checking email domains and contacting local government offices. Victims are urged to report incidents to the FBI's Internet Crime Complaint Center (IC3).
  • **Microsoft Teams to Tag Third-Party Bots in Meeting Lobbies** Microsoft Teams will introduce a feature to automatically tag third-party bots in meeting lobbies, allowing organizers to control their access. This update is scheduled for May 2026 and will be available across all major platforms and cloud environments. The feature aims to prevent accidental admission of bots, ensuring organizers have explicit control over their presence in meetings. This development follows previous enhancements, including a call reporting feature and fraud-protection measures for calls, which help users identify and flag suspicious or unwanted calls.
Last updated: 08:15 10/03/2026 UTC
  • **U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly** The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026, and the affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.
  • **Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data** Salesforce is warning customers of an escalating campaign by threat actors mass-scanning for misconfigured Experience Cloud instances using a modified AuraInspector tool to exploit excessive guest user permissions. The attackers, likely the ShinyHunters extortion gang (UNC6240), have evolved their tactics: the tool now extracts data directly (not just identifies vulnerabilities) via the /s/sfsites/aura API endpoint, targeting organizations with improperly secured guest profiles. Salesforce reiterates that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation steps, including disabling guest API access, enforcing Private org-wide defaults, and monitoring logs for unusual queries. This follows the Salesloft Drift OAuth breach (August 2025), where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations, including Zscaler, Palo Alto Networks, and Cloudflare. The FBI previously linked UNC6040 (vishing specialists) and UNC6395 to broader Salesforce-targeted extortion campaigns, with ShinyHunters claiming responsibility for many attacks. While earlier waves relied on stolen OAuth tokens, the new Aura/Experience Cloud attacks represent a shift to exploiting misconfigurations, though the same threat actor (ShinyHunters) is implicated. Salesforce and partners have revoked compromised tokens, disabled vulnerable integrations, and recommended credential rotation, but the latest campaign underscores persistent risks from improperly secured guest access.
  • **Ransomware Attack Disrupts University of Mississippi Medical Center Operations** The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
  • **QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials** The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.
  • **Phobos Ransomware Suspect Arrested in Poland** Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
  • **OpenAI's Aardvark Agent for Automated Code Vulnerability Detection and Patching** OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5, designed to automatically detect, assess, and patch security vulnerabilities in code repositories. The agent integrates into the software development pipeline to continuously monitor code changes and propose fixes. Aardvark has already identified at least 10 CVEs in open-source projects during its beta testing phase. The agent uses GPT-5's advanced reasoning capabilities and a sandboxed environment to validate and patch vulnerabilities. OpenAI envisions Aardvark as a tool to enhance security without hindering innovation. OpenAI has rolled out Codex Security, an evolution of Aardvark, which is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The tool leverages advanced models and automated validation to minimize false positives and propose actionable fixes.

Latest updates


Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

Updated: 10.03.2026 12:00 · First: 27.08.2025 12:39 · 📰 19 src / 46 articles

Salesforce is warning customers of an **escalating mass-scanning campaign** targeting misconfigured Experience Cloud instances, now linked to **ShinyHunters (UNC6240)**, which claims to have breached *hundreds of companies*—including 100 high-profile organizations—by exploiting overly permissive guest user permissions. The attackers are using a **modified AuraInspector tool** to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from **customer misconfigurations**, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to *Private*, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the **August 2025 Salesloft Drift OAuth breach**, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a **shift to exploiting misconfigured guest access**—though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for **follow-on vishing and social engineering**, aligning with broader identity-based targeting trends.

Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure

Updated: 10.03.2026 12:00 · First: 29.08.2025 16:22 · 📰 14 src / 16 articles

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations.

Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes.
Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. 
In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. 
COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected. APT28, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. Since April 2024, APT28 has used two implants named BeardShell and Covenant in their attacks. BeardShell leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication and can execute PowerShell commands in a .NET runtime environment. BeardShell uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s. 
APT28 has modified the Covenant framework with deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols. Since July 2025, APT28 has used the Filen cloud provider with Covenant, previously using Koofr and pCloud services. Covenant is used as the primary implant, and BeardShell serves as the fallback tool. ESET believes that APT28's advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group's development team.

CISA Adds SolarWinds, Ivanti, and Workspace One Vulnerabilities to KEV Catalog

First: 10.03.2026 08:17 · 📰 1 src / 1 article

CISA has added three vulnerabilities to its KEV catalog due to evidence of active exploitation. These include CVE-2021-22054 in Omnissa Workspace One UEM, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2026-1603 in Ivanti Endpoint Manager. The vulnerabilities are being exploited by threat actors, including the Warlock ransomware crew. Federal agencies are ordered to apply patches by March 12 and March 23, 2026.

A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

First: 10.03.2026 00:50 · 📰 1 src / 1 article

A phishing campaign targeting employees at financial and healthcare organizations uses Microsoft Teams to trick victims into granting remote access via Quick Assist. The attackers deploy a new malware strain called A0Backdoor, which employs sophisticated techniques to evade detection and maintain persistence. The campaign is linked to the BlackBasta ransomware group, but with new TTPs including digitally signed MSI installers and DNS MX-based C2 communication. The attackers use social engineering to gain trust, masquerading as IT staff and instructing victims to initiate a Quick Assist session. Once access is granted, they deploy malicious MSI files that mimic legitimate Microsoft components, using DLL sideloading to execute the A0Backdoor payload. The malware performs sandbox detection, collects host information, and communicates with C2 servers via DNS MX queries.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

Updated: 09.03.2026 23:24 · First: 25.11.2025 08:42 · 📰 5 src / 9 articles

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks. The campaign involves threat actors masquerading as 'Signal Support' or a support chatbot named 'Signal Security ChatBot' to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss. Should the victim comply, the attackers can register the account and gain access to the victim's profile, settings, contacts, and block list through a device and mobile phone number under their control. There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim's account, including their messages for the last 45 days, on a device managed by them. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. Similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185). Dutch intelligence agencies have confirmed that Russian state-sponsored hackers are targeting government officials, military personnel, and journalists via Signal and WhatsApp phishing campaigns. 
Signal has acknowledged the phishing attacks and emphasized that their encryption and infrastructure remain robust. Attackers impersonate a fake 'Signal Security Support Chatbot' to trick users into sharing verification codes and PINs. Once attackers gain access to an account, they can change the associated phone number to one under their control, allowing them to access the victim's contact list and incoming messages. Victims may regain access to their chat history after re-registering, potentially leading them to believe nothing unusual occurred. A second attack method involves abusing Signal's and WhatsApp's device linking functionality by sending victims a malicious QR code or link.

Ericsson US Data Breach via Service Provider Compromise

Updated: · First: 09.03.2026 21:07 · 📰 1 src / 1 articles

Ericsson Inc., the U.S. subsidiary of Ericsson, disclosed a data breach affecting an undisclosed number of employees and customers. The breach occurred after attackers compromised a service provider storing personal data for Ericsson. The incident was detected on April 28, 2025, with unauthorized access occurring between April 17 and April 22, 2025. The exposed data includes names, addresses, Social Security Numbers, financial information, and medical records. Ericsson is offering free identity protection services to affected individuals. The breach was reported to the FBI, and an investigation was conducted with external cybersecurity experts. No evidence of data misuse has been found, and no cybercrime group has claimed responsibility.

Malicious npm Package Targets macOS Users with RAT and Credential Theft

Updated: · First: 09.03.2026 20:31 · 📰 1 src / 1 articles

A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.

Microsoft Teams to Tag Third-Party Bots in Meeting Lobbies

Updated: · First: 09.03.2026 19:12 · 📰 1 src / 1 articles

Microsoft Teams will introduce a feature to automatically tag third-party bots in meeting lobbies, allowing organizers to control their access. This update is scheduled for May 2026 and will be available across all major platforms and cloud environments. The feature aims to prevent accidental admission of bots, ensuring organizers have explicit control over their presence in meetings. This development follows previous enhancements, including a call reporting feature and fraud-protection measures for calls, which help users identify and flag suspicious or unwanted calls.

Threat Actor Uses Elastic Cloud SIEM to Manage Stolen Data from Multiple Organizations

Updated: · First: 09.03.2026 17:45 · 📰 1 src / 1 articles

A threat actor exploited multiple software vulnerabilities to steal data from at least 216 systems across 34 Active Directory domains. The attacker used a free-trial instance of Elastic Cloud's SIEM platform to collect, store, and analyze stolen data, turning a legitimate security tool into a repository for exfiltrated information. The campaign affected organizations across various sectors, including government, education, finance, and manufacturing. The infrastructure was taken down after discovery.

Phishing Attacks Impersonating US City and County Officials

Updated: · First: 09.03.2026 17:30 · 📰 1 src / 1 articles

The FBI warns of phishing attacks where criminals impersonate U.S. city and county officials to target businesses and individuals requesting planning and zoning permits. Victims receive emails with permit details and are instructed to pay fraudulent fees via wire transfer, peer-to-peer payment, or cryptocurrency. The scammers use publicly available information to make their messages appear legitimate. The FBI advises verifying the legitimacy of such communications by checking email domains and contacting local government offices. Victims are urged to report incidents to the FBI's Internet Crime Complaint Center (IC3).

Trump Administration Releases National Cyber Strategy

Updated: · First: 09.03.2026 17:00 · 📰 1 src / 1 articles

The Trump Administration has unveiled a new national cyber strategy focused on strengthening US digital defenses, countering foreign adversaries, and accelerating innovation. The strategy outlines six policy pillars to guide federal cybersecurity policy and resource allocation, emphasizing proactive measures and government coordination. The document frames cyberspace as central to US economic strength, national security, and technological leadership, highlighting the growing threats from hostile states and cyber-criminal groups. It prioritizes offensive cyber operations, law enforcement measures, and economic sanctions to deter attacks and dismantle criminal networks. Implementation of the strategy will depend on funding and operational capabilities, with experts noting the need for rapid classified offensive work contracting vehicles.

UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment

Updated: · First: 09.03.2026 16:50 · 📰 1 src / 1 articles

UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by exploiting an AirDrop file transfer to a developer's work device. The attackers used social engineering to deliver a trojanized file, then pivoted to the cloud environment, employing living-off-the-cloud (LOTC) techniques to steal millions in cryptocurrency. The attack involved abusing DevOps workflows, harvesting credentials, and tampering with Cloud SQL databases. The incident highlights risks associated with personal-to-corporate P2P data transfers, privileged container modes, and insecure handling of secrets in cloud environments.

Password Audits Overlook Critical Attacker Targets

Updated: · First: 09.03.2026 16:10 · 📰 1 src / 1 articles

Password audits often miss high-risk accounts that attackers target, such as orphaned accounts, service accounts, and those with reused or breached credentials. Standard audits focus on complexity and expiry policies but fail to address contextual risks like over-privileged users or credentials exposed in previous breaches. Effective audits should include breached-password screening, continuous monitoring, and coverage of all account types, including dormant and service accounts.

Windows 11 KB5070311 Update Addresses File Explorer and Search Issues

Updated: 09.03.2026 16:10 · First: 02.12.2025 13:19 · 📰 4 src / 7 articles

Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key plus H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.

UK Establishes Online Crime Centre to Disrupt Cyber-Fraud Operations

Updated: · First: 09.03.2026 16:00 · 📰 1 src / 1 articles

The UK government has launched an Online Crime Centre as part of an expanded anti-fraud strategy. The centre will combine expertise from government, intelligence agencies, law enforcement, banks, mobile networks, and tech firms to disrupt cyber-criminal operations, including overseas scam compounds. The initiative aims to tackle a £14bn annual fraud issue by identifying and shutting down accounts, websites, and phone numbers used by fraudsters. The strategy also includes the use of AI to detect and stop suspicious bank fraud transfers and deploy 'scam-baiting chatbots' to gather intelligence and disrupt operations. Additionally, a new fraud victims charter will provide improved support and consistent advice for victims of cyber-fraud.

Transparent Tribe Uses AI-Powered Malware Against Indian Entities

Updated: · First: 09.03.2026 15:46 · 📰 1 src / 1 articles

Transparent Tribe, a Pakistan-aligned threat actor, has leveraged AI-powered coding tools to develop malware written in niche programming languages like Nim, Zig, and Crystal. This malware, dubbed Vibeware, targets the Indian government and its embassies in multiple foreign countries. The use of AI-assisted malware industrialization allows the actor to flood target environments with disposable, polyglot binaries, evading detection. The campaign highlights a shift towards AI-assisted malware development, enabling threat actors to create more sophisticated and evasive malware. The use of niche programming languages makes it difficult for traditional security tools to detect and mitigate the threats effectively.

AI Security Startups Dominate 2026 Cyber 150 Awards

Updated: · First: 09.03.2026 15:25 · 📰 1 src / 1 articles

The 2026 Cyber 150 awards, announced by IT-Harvest, highlight the rapid growth of AI-focused cybersecurity startups. 22% of the winners are AI security firms, reflecting a significant trend in the industry. The awards recognize the fastest-growing mid-size cybersecurity companies worldwide, with a focus on innovation and market traction. The 2026 cohort includes 33 AI security companies, with notable entrants such as 7AI, Adaptive Security, and Noma Security. Tenex.ai, a US-based startup, ranked as the top-growing startup with a 318% growth rate. The awards also highlight the dominance of US-based companies, with 89 nominees from the US alone.

CL-UNK-1068 Targets Asian Critical Infrastructure with Web Server Exploits and Mimikatz

Updated: 09.03.2026 14:05 · First: 09.03.2026 09:21 · 📰 2 src / 2 articles

A previously undocumented Chinese threat actor, CL-UNK-1068, has been targeting critical infrastructure in South, Southeast, and East Asia since at least 2020. The campaign, attributed to cyber espionage with moderate-to-high confidence, has affected sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. The attackers use a mix of custom malware, open-source utilities, and LOLBINs to maintain persistence and exfiltrate data. The group employs tools like Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP) to target both Windows and Linux environments. They exploit web servers to deliver web shells, move laterally, and steal sensitive files. The attackers also use Mimikatz and other tools to dump passwords and extract credentials. Additionally, CL-UNK-1068 uses ScanPortPlus for network scanning and employs DLL side-loading through legitimate Python executables to execute malicious payloads under trusted processes.

Bitdefender GravityZone Security Platform for Mid-Market Organizations

Updated: · First: 09.03.2026 13:45 · 📰 1 src / 1 articles

Bitdefender is promoting its GravityZone security platform as a solution for mid-market organizations to achieve enterprise-level security with lean IT and security teams. The platform aims to simplify operations, reduce costs, and strengthen security posture, addressing the challenges of limited budgets and resources. The upcoming webinar highlights how GravityZone can help organizations demonstrate reduced risk and increased security posture to leadership, business partners, and customers. It also discusses reducing security fire-fighting and freeing up teams to focus on strategic projects.

TriZetto Healthcare Data Breach Exposes 3.4 Million Patient Records

Updated: 09.03.2026 12:45 · First: 06.03.2026 21:50 · 📰 2 src / 2 articles

TriZetto Provider Solutions, a healthcare IT company under Cognizant, suffered a data breach that exposed sensitive health data of over 3.4 million individuals. The breach began on November 19, 2024, and was detected on October 2, 2025. The exposed data includes names, addresses, Social Security numbers, and health insurance details. Affected providers were notified in December 2025, and customer notifications started in February 2026. TriZetto has enhanced its cybersecurity measures and offered free credit monitoring services to affected individuals. No financial data was compromised, and no misuse of the data has been reported. The breach was discovered in a web portal used by some of its healthcare provider customers, and TriZetto's platform is certified to SOC 2, EHNAC, and HITRUST.

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

Updated: 09.03.2026 12:28 · First: 28.02.2026 21:18 · 📰 2 src / 2 articles

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

Ghanaian Fraud Ring Member Pleads Guilty to $100 Million Scam

Updated: 09.03.2026 12:00 · First: 06.03.2026 12:08 · 📰 2 src / 2 articles

Derrick Van Yeboah, a Ghanaian national, pleaded guilty to his role in a fraud ring that stole over $100 million from U.S. victims through business email compromise (BEC) attacks and romance scams. The operation, active from 2016 to May 2023, involved multiple accomplices and targeted vulnerable individuals and businesses. Van Yeboah, a high-ranking member, impersonated romantic partners to gain trust and then tricked victims into sending money. He also helped launder funds from other victims and participated in BEC attacks by impersonating senior corporate leaders or suppliers. Van Yeboah is set to pay over $10 million in restitution and faces up to 20 years in prison.

AI Assistants Pose New Security Risks with Autonomous Actions and Misconfigurations

Updated: · First: 09.03.2026 01:35 · 📰 1 src / 1 articles

AI assistants, particularly OpenClaw, are rapidly gaining popularity among developers and IT workers due to their ability to autonomously manage tasks. However, their powerful capabilities and potential misconfigurations pose significant security risks. OpenClaw can access and manage users' digital lives, including emails, calendars, and various online services. Recent incidents, such as an AI assistant mass-deleting emails and exposing sensitive credentials, highlight the dangers of poorly secured AI agents. Attackers can exploit misconfigured OpenClaw interfaces to impersonate users, inject messages, and exfiltrate data. Additionally, supply chain attacks involving AI assistants demonstrate the ease with which malicious actors can compromise systems. The rise of AI assistants is shifting security priorities and blurring the lines between trusted coworkers and insider threats.

EU Advocate General Rules Banks Must Immediately Refund Phishing Victims

Updated: · First: 08.03.2026 17:25 · 📰 1 src / 1 articles

The Advocate General of the Court of Justice of the EU (CJEU) has issued an opinion stating that banks must immediately refund customers affected by unauthorized transactions due to phishing, even if the customer's negligence contributed to the fraud. The opinion clarifies that banks can later seek recovery of the losses if they can prove gross negligence or intentional misconduct by the customer. The case involved a Polish bank, PKO BP S.A., and a customer who fell victim to a phishing scam. The customer entered their credentials on a fake bank login page, leading to an unauthorized transaction. The bank refused to refund the victim, arguing the customer's negligence caused the loss. The Advocate General ruled that under the EU Payment Services Directive (PSD2), banks must first refund the victim unless they have reasonable grounds to suspect fraud.

Threat Actors Abuse .arpa DNS and IPv6 for Phishing Campaigns

Updated: · First: 08.03.2026 16:12 · 📰 1 src / 1 articles

Threat actors are exploiting the .arpa domain and IPv6 reverse DNS to evade phishing defenses. They abuse reverse DNS zones to host phishing sites, leveraging reputable DNS providers like Cloudflare and Hurricane Electric. The campaign uses short-lived phishing links and other techniques such as hijacking dangling CNAME records and subdomain shadowing. The attackers reserve IPv6 address space, configure additional DNS records, and use reverse DNS hostnames to redirect victims to phishing sites. The lack of WHOIS data and domain age information in the .arpa domain makes detection harder. Infoblox observed over 100 instances of hijacked CNAMEs from well-known organizations, including government agencies, universities, and retailers.

OpenAI's Aardvark agent for automated code vulnerability detection and patching

Updated: 07.03.2026 18:28 · First: 31.10.2025 19:19 · 📰 2 src / 3 articles

OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5, designed to automatically detect, assess, and patch security vulnerabilities in code repositories. The agent integrates into the software development pipeline to continuously monitor code changes and propose fixes. Aardvark has already identified at least 10 CVEs in open-source projects during its beta testing phase. The agent uses GPT-5's advanced reasoning capabilities and a sandboxed environment to validate and patch vulnerabilities. OpenAI envisions Aardvark as a tool to enhance security without hindering innovation. OpenAI has rolled out Codex Security, an evolution of Aardvark, which is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The tool leverages advanced models and automated validation to minimize false positives and propose actionable fixes.

Velvet Tempest leverages ClickFix and CastleRAT in ransomware operations

Updated: · First: 07.03.2026 18:14 · 📰 1 src / 1 articles

The threat group Velvet Tempest, also tracked as DEV-0504, has been observed using the ClickFix technique and legitimate Windows utilities to deploy DonutLoader malware and CastleRAT backdoor in a simulated environment. The group, known for deploying multiple ransomware strains, conducted Active Directory reconnaissance, credential harvesting, and environment profiling over a 12-day period. Initial access was gained through a malvertising campaign leading to a ClickFix and CAPTCHA mix. Despite their history with ransomware, Termite ransomware was not deployed in this observed intrusion.

North Korean APTs Leverage AI to Enhance IT Worker Scams

Updated: 07.03.2026 17:15 · First: 06.03.2026 19:49 · 📰 2 src / 2 articles

North Korean threat actors, specifically the clusters Jasper Sleet and Coral Sleet, are using AI to enhance their IT worker scams. These groups employ AI to fabricate identities, maintain digital personas, and socially engineer potential employers. The AI tools help them research job postings, generate fake resumes, and create convincing digital identities. Once employed, they use AI to perform job tasks, generate code snippets, and develop web infrastructure for malicious purposes. The use of AI complicates detection and response efforts, making these scams more effective and harder to detect. Microsoft has observed Jasper Sleet using generative AI platforms to streamline the development of fraudulent digital personas, including generating culturally appropriate name lists and email address formats. Jasper Sleet also uses AI to review job postings for software development and IT-related roles on professional platforms, prompting the tools to extract and summarize required skills. Coral Sleet uses AI to quickly generate fake company sites, provision infrastructure, and test and troubleshoot their deployments. Threat actors are also using AI coding tools to generate and refine malicious code, troubleshoot errors, or port malware components to different programming languages. Some malware experiments show signs of AI-enabled malware that dynamically generates scripts or modifies behavior at runtime. Threat actors are using jailbreaking techniques to trick LLMs into generating malicious code or content. Microsoft advises organizations to treat these schemes and similar activity as insider risks and to focus on detecting abnormal credential use, hardening identity systems against phishing, and securing AI systems.

Anthropic AI Model Discovers 22 Firefox Vulnerabilities

Updated: · First: 07.03.2026 13:21 · 📰 1 src / 1 articles

Anthropic, in partnership with Mozilla, identified 22 security vulnerabilities in Firefox using its Claude Opus 4.6 AI model. The vulnerabilities, discovered over two weeks in January 2026, include 14 high-severity, 7 moderate-severity, and 1 low-severity issues. These were addressed in Firefox 148, released late last month. The AI model detected a use-after-free bug in the browser's JavaScript within 20 minutes, highlighting its efficiency in vulnerability discovery. Anthropic also tested the AI's ability to develop exploits from the identified vulnerabilities, finding that it could only successfully create exploits in two cases out of several hundred attempts. The company emphasized the cost-effectiveness of identifying vulnerabilities compared to exploit development. One of the vulnerabilities, CVE-2026-2796, is a just-in-time (JIT) miscompilation in the JavaScript WebAssembly component with a CVSS score of 9.8. Mozilla confirmed the AI-assisted approach discovered 90 additional bugs, most of which have been fixed.

U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly

Updated: 07.03.2026 03:01 · First: 23.09.2025 18:48 · 📰 3 src / 4 articles

The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026, and the affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.