CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy-respecting. No invasive ads, no tracking.

News Summary

Last updated: 18:45 25/02/2026 UTC
  • Multiple Critical Vulnerabilities in SolarWinds Web Help Desk: SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds has also released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. The most severe flaw, CVE-2025-40538, allows attackers with high privileges to gain root or admin permissions on vulnerable servers. These vulnerabilities include a broken access control flaw, two type confusion flaws, and an Insecure Direct Object Reference (IDOR) vulnerability. All four vulnerabilities require attackers to already have high privileges on the targeted servers.
  • AI-Powered Cyberattacks Automating Theft and Extortion Disrupted by Anthropic: In mid-September 2025, state-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign." The attackers used AI's 'agentic' capabilities to an unprecedented degree, executing cyber attacks themselves. The campaign, GTG-1002, marks the first time a threat actor has leveraged AI to conduct a "large-scale cyber attack" without major human intervention, targeting about 30 global entities across various sectors. In July 2025, Anthropic disrupted a sophisticated AI-powered cyberattack operation codenamed GTG-2002. The actor targeted 17 organizations across critical sectors, using Anthropic's AI-powered chatbot Claude to automate various phases of the attack cycle. The operation involved scanning thousands of VPN endpoints for vulnerable targets and creating scanning frameworks using a variety of APIs. The actor provided Claude Code with their preferred operational TTPs (Tactics, Techniques, and Procedures) in their CLAUDE.md file. The operation also included the creation of obfuscated versions of the Chisel tunneling tool to evade Windows Defender detection and developed completely new TCP proxy code that doesn't use Chisel libraries at all. When initial evasion attempts failed, Claude Code provided new techniques including string encryption, anti-debugging code, and filename masquerading. The threat actor stole personal records, healthcare data, financial information, government credentials, and other sensitive information. Claude not only performed 'on-keyboard' operations but also analyzed exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes that were displayed on victim machines by embedding them into the boot process. The operation demonstrates a concerning evolution in AI-assisted cybercrime, where AI serves as both a technical consultant and active operator, enabling attacks that would be more difficult and time-consuming for individual actors to execute manually. In February 2026, Anthropic identified industrial-scale campaigns by three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) to illegally extract Claude's capabilities. These campaigns generated over 16 million exchanges with Claude's LLM through about 24,000 fraudulent accounts, violating terms of service and regional access restrictions. The distillation attacks targeted Claude's reasoning capabilities, agentic reasoning, tool use, coding capabilities, and computer vision. Anthropic attributed each campaign to a specific AI lab based on request metadata, IP address correlation, and infrastructure indicators. To counter the threat, Anthropic built classifiers and behavioral fingerprinting systems to identify suspicious distillation attack patterns and implemented enhanced safeguards. Anthropic warned that illicitly distilled models can be used for malicious and harmful purposes, such as developing bioweapons or carrying out malicious cyber activities. Foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems, enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance. Anthropic does not currently offer commercial access to Claude in China or to subsidiaries of Chinese companies located outside of the country for security reasons.
  • UNC2814 Campaign Targeting Telecom and Government Networks: A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2023, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous exploits involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands, uploading, and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.
  • UK ICO fines Reddit $19 million for unlawful collection of children's data: The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million ($19.5 million) for collecting and using personal data of children under 13 without adequate safeguards. The ICO found that Reddit lacked meaningful age-verification systems until July 2025, despite its terms prohibiting underage users. The regulator estimates significant numbers of underage children used the platform, exposing them to harmful content. Reddit has announced plans to appeal the decision. The ICO also criticized Reddit for failing to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children on the platform before January 2025. Reddit introduced age verification for accessing mature content in July 2025, but the ICO noted that the age verification process is too easy to bypass.
  • Odido Data Breach Exposes 6.2 Million Customer Records: Dutch telecommunications provider Odido suffered a cyberattack that exposed personal data of 6.2 million customers. The breach occurred in their customer contact system, but no passwords, call logs, or billing information were affected. The company detected the incident on February 7 and has since taken steps to secure their systems and notify affected customers. The exposed data includes full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and identification data. Odido has reported the breach to the Dutch Data Protection Authority and is working with external cybersecurity experts to mitigate the incident. The ShinyHunters extortion gang has claimed responsibility for the breach, stating they have stolen nearly 21 million records, including internal corporate data and plaintext passwords. Odido has denied these claims, asserting that no passwords or sensitive data were compromised.
  • Microsoft 365 Copilot Bug Bypasses DLP Policies for Confidential Emails: A bug in Microsoft 365 Copilot, first detected on January 21, 2026, caused the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies. Microsoft confirmed the issue and began rolling out a fix in early February. The company is now expanding DLP controls to block Copilot from processing confidential documents across all storage locations, including local files, between late March and late April 2026. The full remediation timeline and scope of impact remain undisclosed.
  • Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare: North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.
Last updated: 21:15 25/02/2026 UTC
  • US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate: The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.
  • Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones: A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware: The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. A newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029. The cryptojacking campaign uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. The malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments. The binary acts as the central nervous system of the infection, serving different roles as an installer, watchdog, payload manager, and cleaner. The malware features a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence. The malware includes a logic bomb that operates by retrieving the local system time and comparing it against a predefined timestamp. The hard deadline of December 23, 2025, indicates that the campaign was designed to run indefinitely on compromised systems. The malware uses a legitimate Windows Telemetry service executable to sideload the miner DLL. The malware uses a legitimate but flawed driver (WinRing0x64.sys) as part of a technique called bring your own vulnerable driver (BYOVD). The driver is susceptible to a vulnerability tracked as CVE-2020-14979 (CVSS score: 7.8) that allows privilege escalation. The integration of this exploit into the XMRig miner is to have greater control over the CPU's low-level configuration and boost the mining performance by 15% to 50%. The mining activity took place, albeit sporadically, throughout November 2025, before spiking on December 8, 2025.
  • OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts: A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
  • North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies: North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. The scheme aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework. Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and was arrested in Poland in May 2024. Didenko provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. Didenko facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.

Latest updates


Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

First: 25.02.2026 20:01 · 📰 1 src / 1 article

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from improper authentication in the peering mechanism, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026.

UNC2814 Campaign Targeting Telecom and Government Networks

Updated: 25.02.2026 19:46 · First: 25.02.2026 19:00 · 📰 2 src / 2 articles

A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2023, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous exploits involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands, uploading, and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.

Claude Code Vulnerabilities Enable Remote Code Execution and API Key Theft

First: 25.02.2026 19:00 · 📰 1 src / 1 article

Multiple vulnerabilities in Anthropic's Claude Code AI-powered coding assistant allow remote code execution and API key exfiltration. The flaws exploit configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables. Three vulnerabilities were identified, with fixes released in versions 1.0.87, 1.0.111, and 2.0.65. Exploitation could lead to arbitrary code execution, data exfiltration, and unauthorized access to AI infrastructure. The vulnerabilities highlight the risks associated with AI-powered tools that execute commands and initiate network communication autonomously.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

Updated: 25.02.2026 18:42 · First: 14.08.2025 03:00 · 📰 19 src / 21 articles

North Korean threat actors have **expanded the Contagious Interview campaign** to include **malicious Next.js repositories**, marking the latest evolution in their multi-stage infection chain targeting developers. The new wave, identified in February 2026, delivers **remote code execution (RCE) backdoors** via repositories disguised as legitimate Next.js projects or technical assessments. When victims clone and run these repositories, they trigger either (1) **auto-execution of malicious tasks via `.vscode/tasks.json`** upon workspace trust, or (2) **obfuscated code embedded in development assets** that fetches payloads when standard build commands are executed. The payloads establish a **persistent C2 channel** for data exfiltration and further compromise, leveraging **Node.js processes** to evade detection. This tactic builds on earlier methods, such as **malicious VS Code repositories** (January 2026) and **EtherRAT’s exploitation of React2Shell (CVE-2025-55182)** (December 2025), but introduces **Next.js-specific lures** tailored for web developers. The campaign continues to target **software developers, particularly in blockchain, cryptocurrency, and Web3 sectors**, blending **social engineering with technical deception**. The group collaborates with **North Korea’s fraudulent IT workers (WageMole)** to amplify credential theft and financial fraud, while consolidating hosting on **Vercel domains** and refining **AI-generated artifacts** to evade detection. The latest wave underscores the campaign’s **rapid adaptation**, combining **espionage-driven data theft** with **financial motives** through persistent, multi-layered infections.
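Both this entry and the Contagious Interview note in the summary above describe repositories that auto-run a task from `.vscode/tasks.json` once the workspace is trusted. The added example below (written for this page, not the researchers' tooling) is a pre-review check a defender can run over a freshly cloned repository: it finds every task whose `runOptions.runOn` is `folderOpen` and reports what it would execute. It handles the JSON-with-comments and trailing-comma syntax VS Code accepts in that file; the sample repository and its harmless placeholder command are constructed.

```python
import json
import os
import re
import tempfile

# Constructed sample: a repository whose .vscode/tasks.json fires a task on folder
# open. The command is a harmless placeholder; the trigger is the point.
SAMPLE_TASKS_JSON = r'''{
  // VS Code accepts comments and trailing commas here (JSONC), so json.loads alone fails
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare workspace",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" }, // keeps the terminal hidden
    },
    {
      "label": "build",
      "type": "npm",
      "script": "build",
    },
  ],
}'''


def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas, so json.loads accepts JSONC."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):        # line comment: skip to end of line
            i = text.find("\n", i)
            i = n if i < 0 else i
            continue
        elif text.startswith("/*", i):        # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    # Trailing-comma removal is not string-aware; good enough for tasks.json in practice.
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))


def describe_command(task):
    """Best-effort rendering of what a task would execute."""
    if task.get("type") == "npm":
        return f"npm run {task.get('script', '?')}"
    cmd = task.get("command", "")
    if isinstance(cmd, dict):                  # quoted-command object form; keep it raw
        cmd = json.dumps(cmd)
    return " ".join([str(cmd)] + [str(a) for a in task.get("args", [])])


def auto_run_tasks(tasks_json_text):
    """Return (label, command) for every task that runs automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    return [(t.get("label", "<unnamed>"), describe_command(t))
            for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def scan_repo(root):
    """Walk a checked-out repository and report auto-run tasks in any .vscode/tasks.json."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                for label, cmd in auto_run_tasks(fh.read()):
                    findings.append((os.path.relpath(path, root), label, cmd))
    return findings


def demo():
    """Write the constructed repository to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for path, label, cmd in demo():
        print(f"{path}: task '{label}' runs on folder open -> {cmd}")
```

Run it against a clone before opening the folder in VS Code; anything it reports is executed the moment workspace trust is granted.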

Increased Exploitation of Unauthenticated Vulnerabilities and AI-Enhanced Attack Techniques

First: 25.02.2026 18:16 · 📰 1 src / 1 article

IBM X-Force's 2025 Threat Intelligence Index reveals that 56% of tracked vulnerabilities required no authentication before exploitation. The report highlights the growing threat of infostealer credential theft, with 300,000 ChatGPT credentials discovered on the dark web. AI is being weaponized by attackers to find weak access points, create deepfakes, and exploit agentic AI systems, expanding the blast radius of compromises. Supply chain attacks have quadrupled over the last five years, with criminals and state-sponsored actors adopting advanced techniques, blurring the lines between their tactics.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

Updated: 25.02.2026 17:54 · First: 17.09.2025 19:23 · 📰 14 src / 24 articles

Marquis Software Solutions has **filed a lawsuit** against SonicWall, alleging **gross negligence and misrepresentation** in the handling of its MySonicWall cloud backup breach, which directly enabled a **ransomware attack** disrupting 74 U.S. banks in August 2025. The lawsuit reveals that SonicWall introduced a **security gap via an API code change in February 2025**, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed **personal and financial data** of Marquis’ clients, triggering **over 36 consumer class-action lawsuits** and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm **all cloud backup users** were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the **Marquis ransomware breach** (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to **state-sponsored actors** and released remediation tools, but the Marquis lawsuit underscores the **long-tail risks** of exposed backup data, even post-containment. Over **950 unpatched SMA1000 appliances** remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement.

ShinyHunters and Scattered Spider Collaboration

Updated: 25.02.2026 17:06 · First: 12.08.2025 15:00 · 📰 27 src / 74 articles

The **ShinyHunters and Scattered Spider collaboration**, operating under the **Scattered Lapsus$ Hunters (SLH) alliance**, has escalated its extortion and social engineering tactics in **early 2026** by **recruiting women for vishing attacks** targeting IT help desks, offering **$500–$1,000 per successful call** alongside pre-written scripts. This calculated evolution aims to exploit psychological biases and bypass traditional attacker profiles, increasing the success rate of impersonation and credential harvesting. The group continues to combine **technical intrusions** with **psychological harassment, swatting, and media manipulation** to coerce payments, while leveraging **legitimate services, residential proxies, and tunneling tools** (e.g., Ngrok, Luminati) to evade detection. The alliance’s latest developments include the **ShinySp1d3r RaaS platform**, **Zendesk phishing campaigns**, and **targeted intrusions against financial sectors**, demonstrating a **multi-pronged expansion** in both **technical sophistication** and **psychological warfare**. Their tactics now involve **recruiting diverse social engineering operatives**, deploying **virtual machines for post-exploitation reconnaissance**, and exploiting **cloud APIs (e.g., Microsoft Graph)** to access Azure environments. Despite law enforcement arrests and shutdown claims, SLH remains a **high-risk, low-trust threat actor**, with **no guarantee of data deletion** post-payment and a pattern of **rebranding to evade pressure**. Victims are advised to **refuse engagement** beyond a firm "no payment" stance, as compliance only fuels further escalation and harassment.

OpenClaw Automation Framework Faces Supply Chain Security Risks

Updated: · First: 25.02.2026 17:01 · 📰 1 src / 1 articles

OpenClaw, an AI-powered automation framework, has gained significant attention due to its potential security risks, particularly in its plugin ecosystem. The framework allows users to manage emails, schedules, and system tasks through modular 'skills' that can be installed from a marketplace called ClawHub. Security researchers have identified critical vulnerabilities, including remote code execution and credential theft, which have led to discussions across security research feeds, Telegram channels, and underground forums. While the framework has not yet been fully weaponized for mass exploitation, the supply chain risks associated with its plugin ecosystem are real and pose a significant threat.

44% Increase in Public-Facing Application Exploits Driven by AI

Updated: · First: 25.02.2026 16:30 · 📰 1 src / 1 articles

IBM X-Force reports a 44% surge in cyberattacks targeting public-facing applications, primarily due to missing authentication controls and AI-enabled vulnerability scanning. Vulnerability exploitation led to 40% of incidents in 2025, while active ransomware and extortion groups grew by 49%, with publicly disclosed victim counts rising by 12%. AI is accelerating attacker operations, including reconnaissance and advanced ransomware attacks.

Broken Triage Processes Increase Security Risks and Operational Costs

Updated: · First: 25.02.2026 16:30 · 📰 1 src / 1 articles

Ineffective triage processes in security operations centers (SOCs) are leading to increased business risks, including missed SLAs, higher costs per case, and more opportunities for real threats to evade detection. Five key issues—lack of real evidence, dependency on analyst seniority, delays in triage, over-escalation, and manual work—are identified as major contributors to these problems. High-performing teams are addressing these issues by leveraging execution evidence early in the triage process, using interactive sandboxes to validate behavior and reduce uncertainty. The use of sandboxes like ANY.RUN allows teams to see the full attack chain quickly, leading to faster, evidence-backed decisions. This approach reduces the cost per case, minimizes missed threats, and ensures consistent triage outcomes across shifts. Additionally, it helps in shrinking the time-to-decision, reducing escalation volumes, and increasing Tier 1 capacity by automating repetitive tasks.

Telephone-Oriented Attack Delivery (TOAD) Bypasses Secure Email Gateways

Updated: · First: 25.02.2026 16:00 · 📰 1 src / 1 articles

Telephone-Oriented Attack Delivery (TOAD) emails, which contain only a phone number as the payload, are bypassing secure email gateways and becoming a significant threat. These attacks, which accounted for nearly 28% of gateway-bypassing detections, exploit the simplicity of a phone number to evade detection and manipulate victims into revealing sensitive information or granting remote access. The attacks are particularly effective due to their ability to blend in with legitimate business communications and the increasing sophistication of evasion tactics.

L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russian Entities

Updated: 25.02.2026 14:59 · First: 30.10.2025 12:00 · 📰 6 src / 6 articles

Peter Williams, a former general manager at L3Harris cyber-division Trenchant, pleaded guilty to selling at least eight zero-day exploits to a Russian cyber broker between 2022 and 2025. The exploits, stolen from Trenchant, were sold for $1,300,000 in cryptocurrency and were intended for the exclusive use of the U.S. government and select allies. The broker's clients include the Russian government, posing a significant national security threat. Williams used his privileged access to the company's network to steal the exploits and transmitted them via encrypted channels. The FBI has emphasized the severity of the crime, highlighting the potential impact on U.S. national security. Williams now faces up to 10 years in prison and fines of $250,000 or twice the gain or loss pertinent to the offense. The case underscores the growing concern over the trade in commercial spyware and zero-day exploits, with international efforts underway to curb this activity. Trenchant, the cyber-capabilities business unit within L3Harris Technologies, was conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities, with another employee, Jay Gibson, at the epicenter of the accusations.

Peter Williams, 39, was sentenced to a little over seven years in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero. Williams was ordered to serve three years of supervised release with special conditions and to forfeit illicit proceeds, including properties, clothing, jewelry, and luxury watches. The exploits could have been used against any manner of victim, civilian or military, around the world, and to engage in all manner of crime, from cyber fraud, theft, and ransomware to state-directed spying and offensive cyber operations against military targets. Williams sold the trade secrets for up to $4 million in cryptocurrency. The actions are estimated to have caused L3Harris $35 million in financial losses.

The U.S. State Department designated Operation Zero, Sergey Sergeyevich Zelenyuk, and Special Technology Services LLC FZ (STS) under the Protecting American Intellectual Property Act (PAIPA). Zelenyuk is a Russian national and the director and owner of Operation Zero. Zelenyuk established STS in the U.A.E. to conduct business with various countries in Asia and the Middle East and likely to get around U.S. sanctions imposed on Russian bank accounts. Operation Zero has offered up to $4 million in bounties for Telegram exploits and $20 million for tools that could be used to break into Android and iPhone devices. Operation Zero has also sought to develop other cyber intelligence systems, including spyware and methods to extract personal identifying information and other sensitive data uploaded by users of artificial intelligence applications such as large language models.

The U.S. Treasury Department has sanctioned the Russian exploit broker that bought stolen hacking tools from a former executive of a U.S. defense contractor. The Department's Office of Foreign Assets Control (OFAC) designated Matrix LLC (doing business as Operation Zero and headquartered in St. Petersburg, Russia) on Tuesday, along with its owner, Sergey Sergeyevich Zelenyuk, and five associated individuals and companies. OFAC sanctioned the targets under the Protecting American Intellectual Property Act (PAIPA), a law specifically targeting intellectual property theft by foreign adversaries; this is the first time the law has been used since its enactment. The designations coincide with the sentencing of Peter Williams, a 39-year-old Australian national and former general manager of Trenchant, a cybersecurity unit of U.S. defense contractor L3Harris that develops zero-day exploits and surveillance tools. Williams was sentenced Tuesday to 87 months in prison after pleading guilty in October to stealing eight zero-day exploits from Trenchant and selling them to Operation Zero for approximately $1.3 million in cryptocurrency, even though they were designed exclusively for use by the U.S. government and allied intelligence agencies. Operation Zero is offering millions of dollars in bounties to security researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications. The company, whose clients also include the Russian government, says it sells zero-day exploits only to Russian private and government organizations. "Zelenyuk and Operation Zero trade in 'exploits'—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device," the Department of the Treasury said. "Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company. Operation Zero then sold those stolen tools to at least one unauthorized user." OFAC also sanctioned Zelenyuk's UAE-based front company, Special Technology Services LLC, as well as two individuals with prior ties to Operation Zero (including Oleg Vyacheslavovich Kucherov, a suspected member of the Trickbot cybercrime gang) and a second exploit brokerage firm, Advance Security Solutions, with operations in the United Arab Emirates and Uzbekistan. The sanctions freeze all U.S.-held assets belonging to the designated entities and individuals and expose American businesses and individuals conducting transactions with them to secondary sanctions or enforcement actions.

Critical RCE flaw in Zyxel routers allows remote command execution

Updated: · First: 25.02.2026 14:53 · 📰 1 src / 1 articles

Zyxel has released security updates to address a critical command injection vulnerability (CVE-2025-13942) affecting over a dozen router models. The flaw allows unauthenticated attackers to execute OS commands via maliciously crafted UPnP SOAP requests. Successful exploitation requires both UPnP and WAN access to be enabled, with WAN access disabled by default. Zyxel also patched two high-severity post-authentication command-injection vulnerabilities (CVE-2025-13943 and CVE-2026-1459). Zyxel devices are frequently targeted in attacks due to their widespread use by internet service providers. The U.S. CISA is tracking 12 actively exploited Zyxel vulnerabilities. Additionally, Zyxel has no plans to patch two zero-day vulnerabilities (CVE-2024-40891 and CVE-2024-40891) affecting end-of-life routers, advising users to replace them with newer models.

Malicious NuGet and npm Packages Target Developers to Steal Data and Deploy Backdoors

Updated: · First: 25.02.2026 14:43 · 📰 1 src / 1 articles

Four malicious NuGet packages targeting ASP.NET developers were discovered, stealing sensitive data and creating persistent backdoors. Additionally, a malicious npm package named ambar-src was found to drop malware on Windows, Linux, and macOS systems, exfiltrating data to a Yandex Cloud domain. The NuGet packages, published between August 12 and 21, 2024, attracted over 4,500 downloads before being removed. The npm package, uploaded on February 13, 2026, amassed over 50,000 downloads before removal. The campaigns aim to compromise applications built by developers, granting attackers admin-level access and exfiltrating sensitive data.

OTI Impact Score Introduced for Measuring OT Cyber Incident Severity

Updated: · First: 25.02.2026 14:00 · 📰 1 src / 1 articles

A new Operational Technology Incident (OTI) Impact Score model, inspired by the Richter Scale, has been developed to measure the severity, reach, and duration of OT cyber incidents. The model aims to provide a standardized way to assess the actual effects of OT cyber incidents, which often get over- or under-hyped. The OTI Impact Score was unveiled at the S4x26 Conference in Miami and is designed to help business executives, governments, cyber insurers, the media, and the public understand the impact of OT attacks more accurately. The OTI Impact Score is calculated based on three criteria: severity (from minor disruption to catastrophic destruction), reach (geographic spread), and duration (length of time) of the incident. Volunteers from the ICS/OT industry will score OT cyber events via an online portal, with the goal of issuing the assessment within 12 hours. The model has been applied to past incidents, such as the 2021 Colonial Pipeline cyberattack, which received a high impact score of 3.9, and the 2024 Muleshoe water utility attack, which received a score of 0.0.

CISA Issues Emergency Directive for Cisco SD-WAN Vulnerabilities

Updated: · First: 25.02.2026 14:00 · 📰 1 src / 1 articles

CISA has issued Emergency Directive (ED) 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems, which pose an unacceptable risk to federal networks. The directive requires immediate action from Federal Civilian Executive Branch (FCEB) agencies to inventory, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities.

National Security Organizations Still Rely on Manual Processes for Sensitive Data Transfers

Updated: · First: 25.02.2026 13:00 · 📰 1 src / 1 articles

More than half of national security organizations still rely on manual processes to transfer sensitive data, creating systemic vulnerabilities and operational risks. Manual handling introduces delays, errors, and security gaps that adversaries can exploit, compromising mission readiness and decision-making. Automation is critical to addressing these risks, but legacy systems, procurement cycles, and cultural factors hinder its adoption.

UK ICO fines Reddit $19 million for unlawful collection of children's data

Updated: 25.02.2026 11:40 · First: 24.02.2026 16:54 · 📰 2 src / 2 articles

The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million ($19.5 million) for collecting and using personal data of children under 13 without adequate safeguards. The ICO found that Reddit lacked meaningful age-verification systems until July 2025, despite its terms prohibiting underage users. The regulator estimates significant numbers of underage children used the platform, exposing them to harmful content. Reddit has announced plans to appeal the decision. The ICO also criticized Reddit for failing to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children on the platform before January 2025. Reddit introduced age verification for accessing mature content in July 2025, but the ICO noted that the age verification process is too easy to bypass.

Windows 11 KB5077241 Update Introduces BitLocker Improvements and Sysmon Tool

Updated: · First: 25.02.2026 09:51 · 📰 1 src / 1 articles

Microsoft released the KB5077241 optional cumulative update for Windows 11, featuring 29 changes, including BitLocker reliability enhancements, a new network speed test tool, and native System Monitor (Sysmon) functionality. The update also improves taskbar behavior, adds support for WebP images as desktop backgrounds, and introduces Remote Server Administration Tools (RSAT) for Windows 11 Arm64 devices. This preview update allows admins to test new features and improvements before they are generally available. The update is optional and does not include security fixes, focusing instead on quality improvements.

Active Exploitation of FileZen CVE-2026-25108 OS Command Injection Vulnerability

Updated: · First: 25.02.2026 07:23 · 📰 1 src / 1 articles

CISA added a recently disclosed OS command injection vulnerability in FileZen (CVE-2026-25108) to its KEV catalog, confirming active exploitation. The flaw, with a CVSS v4 score of 8.7, allows authenticated users to execute arbitrary commands via crafted HTTP requests. Affected versions include 4.2.1 to 4.2.8 and 5.0.0 to 5.0.10. Exploitation requires the FileZen Antivirus Check Option to be enabled and user login with general privileges. Soliton Systems reported at least one incident of damage. Users are advised to update to version 5.0.11 or later and change passwords if compromised. FCEB agencies must apply fixes by March 17, 2026.

Diesel Vortex Phishing Campaign Targets Freight and Logistics Organizations

Updated: · First: 25.02.2026 01:57 · 📰 1 src / 1 articles

A financially motivated threat group, Diesel Vortex, has been conducting a phishing campaign since September 2025, targeting freight and logistics organizations in the U.S. and Europe. The group has stolen 1,649 unique credentials from critical platforms in the freight industry, using 52 domains and sophisticated phishing techniques. The campaign was disrupted through a coordinated effort involving multiple cybersecurity firms.

Wynn Resorts Employee Data Breach Confirmed

Updated: · First: 24.02.2026 23:51 · 📰 1 src / 1 articles

Wynn Resorts confirmed a data breach involving employee data after being listed on the ShinyHunters extortion gang's data leak site. The company activated incident response protocols and launched an investigation with external cybersecurity experts. The attackers claimed the stolen data had been deleted, and Wynn has not observed any evidence of misuse. The breach did not impact guest operations or physical properties, and affected employees are being offered credit monitoring and identity protection services.

1Campaign Platform Facilitates Prolonged Malicious Google Ads

Updated: · First: 24.02.2026 23:45 · 📰 1 src / 1 articles

A cybercrime service called 1Campaign enables threat actors to run malicious Google Ads that evade detection by security researchers. The platform uses cloaking techniques to show benign content to researchers while directing malicious content to potential victims. Operated by a developer known as 'DuppyMeister,' 1Campaign has been active for at least three years and provides a user-friendly dashboard for managing campaigns. The platform filters visitors in real-time based on geography, ISP, and device characteristics, allowing attackers to focus on relevant regions while avoiding scrutiny. In one instance, 99.4% of visitors were blocked, resulting in a success rate of just 0.6%. The system assigns a fraud risk score to each visitor, flagging those from cloud providers and security vendors. 1Campaign has been observed distributing traffic in multiple countries, including the United States, Canada, and Germany. The platform also offers a Google Ads launcher tool that helps operators bypass Google's policy limitations and impersonate legitimate brands. Despite Google's safeguards, 1Campaign's cloaking system makes static URL scanning less effective, necessitating more sophisticated detection methods.

RoguePilot Vulnerability in GitHub Codespaces Enables GITHUB_TOKEN Leak via Copilot

Updated: · First: 24.02.2026 20:52 · 📰 1 src / 1 articles

A vulnerability named RoguePilot in GitHub Codespaces allowed attackers to inject malicious instructions into GitHub issues, which were then processed by GitHub Copilot. This enabled silent control of the AI agent in Codespaces, leading to the leakage of sensitive GITHUB_TOKENs. The flaw has been patched by Microsoft after responsible disclosure. The attack involved embedding malicious prompts within GitHub issues, which were then executed by Copilot when a user launched a Codespace from the issue. This allowed attackers to exfiltrate sensitive data, including GITHUB_TOKENs, to external servers under their control.

CarGurus data breach exposes 12.4 million records

Updated: · First: 24.02.2026 20:08 · 📰 1 src / 1 articles

The ShinyHunters extortion group has leaked personal information from 12.4 million CarGurus accounts. The data includes email addresses, phone numbers, physical addresses, and financial application details. CarGurus has not confirmed the breach, but HaveIBeenPwned (HIBP) has verified the dataset, noting that 3.7 million records are new. The leaked data could be used for phishing attacks. CarGurus is a U.S.-based digital auto platform with an estimated 40 million monthly visitors. The breach follows a pattern of similar attacks by ShinyHunters, who often use social engineering to gain access to SaaS platforms like Salesforce and Microsoft 365.

Microsoft 365 Copilot Bug Bypasses DLP Policies for Confidential Emails

Updated: 24.02.2026 19:30 · First: 18.02.2026 14:03 · 📰 2 src / 3 articles

A bug in Microsoft 365 Copilot, first detected on January 21, 2026, caused the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies. Microsoft confirmed the issue and began rolling out a fix in early February. The company is now expanding DLP controls to block Copilot from processing confidential documents across all storage locations, including local files, between late March and late April 2026. The full remediation timeline and scope of impact remain undisclosed.

Insider Incidents Cost Organizations $19.5M on Average in 2025

Updated: · First: 24.02.2026 19:00 · 📰 1 src / 1 articles

The average cost of insider incidents surged 20% to nearly $20 million per organization in 2025, driven primarily by employee negligence related to shadow AI usage. Malicious insider activities accounted for 27% of losses, while negligence and mistakes amounted to $10.3 million per company. The report highlights the growing risks associated with undocumented AI use and the need for better AI governance policies.

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Personal Data

Updated: · First: 24.02.2026 18:05 · 📰 1 src / 1 articles

A sophisticated phishing campaign impersonating Bitpanda combines credential theft with extensive personal data harvesting. The scheme uses a near-perfect replica of the legitimate platform to deceive users into providing sensitive information through a staged, fake multi-factor authentication (MFA) process. The attack begins with an email mimicking official Bitpanda communications, urging users to update their information or risk account suspension. Victims are directed to a fraudulent website that closely resembles the genuine Bitpanda login screen but uses a deceptive domain. Once credentials are entered, victims are prompted to provide additional personal information, including first and last name, telephone number, residential address, and date of birth. After completing the forms, users see a confirmation message and are redirected to the legitimate Bitpanda login page.

AI Agent Security Requires Intent-Based Access Controls

Updated: · First: 24.02.2026 17:02 · 📰 1 src / 1 articles

AI agents are increasingly operating autonomously within enterprises, performing tasks like infrastructure provisioning, customer support, and code writing. These agents behave as identities, using API keys, OAuth tokens, and service accounts, but are often not governed as such. Traditional identity and access management (IAM) is insufficient for AI agents due to their dynamic and context-driven nature. Intent-based permissioning is emerging as a critical security measure to ensure AI agents act within their approved missions.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

Updated: 24.02.2026 16:30 · First: 24.02.2026 13:00 · 📰 3 src / 5 articles

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.