Don’t Hack On Me -- Situation Report February 18, 2026 // Weekly Security Operations Brief

TL;DR

• Situation: Chrome zero-day CVE-2026-2441 is being exploited now — update every Chromium browser you own

• Enemy Activity: Singapore telecom espionage, Shadow Campaigns across 37 countries, BeyondTrust exploited in hours, exfiltration-only ransomware surging 450%, Ivanti sleeper shells in European governments

• Friendly Forces: CISA adds 10+ vulns to KEV, Darktrace publishes BeyondTrust detection logic, 10 ICS advisories dropped

• Logistics: Palo Alto Networks closes $25B CyberArk acquisition — largest deal in security history

• AI Operations: OpenAI’s GPT-5.3-Codex rated “High” cyber risk, VoidLink is first AI-built malware framework, Microsoft discovers AI memory poisoning

• Personnel: Two cybersecurity pros convicted as BlackCat ransomware operators; CISA faces 40% workforce cuts

Situation

Google released an emergency Chrome update on Friday to patch CVE-2026-2441 — a high-severity (CVSS 8.8) use-after-free vulnerability in the Blink rendering engine’s CSS implementation that’s being actively exploited in the wild. It’s the first Chrome zero-day of 2026. Google confirmed exploitation exists while saying absolutely nothing about who’s doing it or who’s being targeted.

Here’s what makes this matter to everyone reading this: it’s not just Chrome. Every browser built on Chromium is affected. Edge, Brave, Opera, Vivaldi, Arc, Perplexity’s Comet browser — roughly 70% of global browser market share runs on a single engine. One vulnerability, one codebase, most of the internet’s browsers need a patch. Chrome’s fixed versions are 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux. Don’t wait for auto-update on an actively exploited zero-day. Go to chrome://settings/help, force the update, restart.

Enemy Activity

Singapore Mounts Largest Cyber Operation After UNC3886 Breaches All 4 Telcos - China-linked APT UNC3886 compromised all four of Singapore’s major telecom providers — Singtel, M1, StarHub, and SIMBA — using a zero-day firewall exploit. This is the most significant nation-state telecom compromise disclosed this year.

70 Orgs Hacked Across 37 Countries — Unit 42’s Shadow Campaigns - State-aligned cyberespionage group TGR-STA-1030 compromised over 70 organizations across 37 countries using only N-day exploits with patches available, some dating back to 2019.

BeyondTrust CVE-2026-1731: Exploited Within Hours of PoC Release - BeyondTrust patched CVE-2026-1731 (CVSS 9.9) — a critical pre-auth RCE. By February 13, exploitation was confirmed in the wild.

Exfiltration-Only Ransomware Surging 450% - Attackers are abandoning encryption entirely — no data locker needed, no EDR triggers.

Ivanti EPMM “Sleeper Shells” — European Commission, Dutch and Finnish Governments Breached - Ivanti EPMM vulnerabilities are under widespread exploitation with dormant “sleeper” web shells planted.

Friendly Forces

CISA Adds 10+ Vulnerabilities to KEV Catalog in February - CISA added vulnerabilities including SolarWinds Web Help Desk, six Microsoft zero-days, and BeyondTrust CVE-2026-1731. If you’re not using KEV as a private-sector patching signal, start.

Darktrace Publishes BeyondTrust CVE-2026-1731 Detection Analysis - Actionable content for security teams building detections.

CISA Releases 10+ ICS Advisories for Critical Infrastructure - OT/ICS teams should review these immediately.

Logistics

Palo Alto Networks Closes $25B CyberArk Acquisition — Largest in Security History - Identity Security becomes PANW’s third core pillar. Machine identities already outnumber human identities 80-to-1, and AI agent identities are the next frontier.

AI Operations

OpenAI Built an AI That Can Hack Hardened Targets - GPT-5.3-Codex is the first AI model OpenAI classifies as “High” risk for cybersecurity. Their answer: Trusted Access for Cyber, backed by $10M in API credits for defensive research.

VoidLink: First Malware Framework Built by AI - 88,000 lines of code, targets AWS, Azure, GCP, Alibaba, and Tencent cloud environments. A single developer produced what would normally require a team.

Microsoft Discovers AI Recommendation Poisoning - One click can poison an AI assistant’s memory, causing subtly biased recommendations.

Personnel

Two Cybersecurity Pros Plead Guilty as BlackCat/ALPHV Ransomware Affiliates - A ransomware negotiator and an incident responder were secretly running attacks. This is the insider threat case that should make every security organization reconsider vetting.

CISA Faces 40% Workforce Cuts — Red Teams Dismantled - Up to 1,300 positions on the chopping block. The irony is not lost on anyone.

What Does This Mean to Me?

If you’re in security operations: Update Chrome and every Chromium-based browser in your environment right now. Check exposure against BeyondTrust and Ivanti vulnerabilities. Hunt for IOCs from the Unit 42 Shadow Campaigns report.

If you’re in leadership: Three themes - the Chromium monoculture risk, identity as the new perimeter (PANW/CyberArk deal), and the insider threat conviction that should be a board-level conversation.

If you’re breaking in: Pay attention to VoidLink. Learn cloud security. The gap between “one person with AI” and “a team without it” is closing fast.

The Debrief

This week’s SitRep has AI fingerprints all over it. VoidLink proved that a single developer with an AI coding agent can produce an 88,000-line malware framework. AI is the multiplier on both sides. The teams that adopt AI into their security workflows now will be setting the pace. Everyone else will be patching to keep up.

End of SitRep. Stay alert. Don’t let them hack on you.

Subscribe to Don’t Hack On Me | donthackonme.com

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.

Don’t Hack On Me — Signal February 16, 2026

The Story

Google released an emergency Chrome update on Friday to patch CVE-2026-2441 — a high-severity (CVSS 8.8) use-after-free vulnerability in Chrome’s CSS engine that’s being actively exploited in the wild. It’s the first Chrome zero-day of 2026, and Google is doing what Google always does: confirming exploitation exists while saying absolutely nothing about who’s doing it or who’s being targeted.

The vulnerability is an iterator invalidation bug in CSSFontFeatureValuesMap — Chrome’s implementation of CSS font feature values. When Chrome parses stylesheets and applies them to the DOM, certain sequences of operations cause premature memory deallocation. An attacker can reallocate that freed memory with malicious data, redirecting execution flow. The attack is delivered via a crafted HTML page, meaning phishing links or compromised websites are the likely vector. Security researcher Shaheen Fazim discovered and reported the flaw on February 11. Google patched it two days later on February 13.

Here’s the part that matters: this isn’t just a Chrome problem. Every browser built on Chromium is affected — Microsoft Edge, Brave, Opera, Vivaldi, Arc, and any other Chromium-based browser you’re running. That’s roughly 70% of global browser market share running on a single engine. One vulnerability, one codebase, and most of the internet’s browsers need a patch. Chrome’s fixed versions are 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux. Other Chromium browsers will ship their own patches as they pull in the fix.For context, Chrome had roughly 8 actively exploited zero-days in 2025 and 7 in 2024. That’s averaging close to one per month. Browser zero-days aren’t rare events anymore — they’re a recurring line item in your patching calendar.

What Does This Mean to Me?

If you’re in security operations: Update Chrome right now. Don’t wait for the auto-update cycle — this is an actively exploited zero-day, and you don’t know where this is going to show up. Go to chrome://settings/help, force the update, and restart your browser. If you manage endpoints, push the update through MDM immediately. Don’t rely on auto-update for a zero-day.

And it’s not just Chrome. Chromium is the backbone of almost everything. Edge, Brave, Opera, Vivaldi — and it goes beyond the obvious ones. Perplexity’s Comet browser runs on Chromium. Arc runs on Chromium. If it’s a browser and it’s not Firefox or Safari, it’s probably Chromium. Every one of those needs to be updated once their vendor ships the fix. Make sure you know which Chromium-based browsers are running in your environment, because your users might be on browsers your asset inventory doesn’t even track.

Everyone should have automatic browser updates enabled — that’s table stakes. But for an actively exploited zero-day, automatic isn’t fast enough. Manual update. Now.

If you’re in leadership: The Chromium monoculture is something worth thinking about. One vulnerability in one codebase just put ~70% of the world’s browsers at risk. Google patches fast — two days from report to fix is impressive — and Chrome’s sandbox architecture limits the blast radius of any single exploit. That’s the upside. The downside is that when the Chromium engine has a flaw, the attack surface is enormous.

This isn’t a “switch browsers” argument. The security benefits of Chromium’s architecture and update cadence are real. But it is an argument for making sure your browser patching is as tight as your OS patching. Browser zero-days are averaging one per month across 2024 and 2025. That’s not a spike — it’s the baseline. If your patching program doesn’t treat browser updates with the same urgency as OS patches, it’s time to fix that.

The bigger picture: We’ve normalized browser zero-days. Chrome had 7 in 2024, 8 in 2025, and the first one of 2026 just dropped. Google’s response is always the same — confirm exploitation, withhold details, ship a patch. The 2-day turnaround is genuinely good. But the cadence tells you something: browsers are one of the most valuable attack surfaces on the internet, and threat actors are investing heavily in finding and exploiting browser vulnerabilities. The best defense is the simplest one: keep your browser updated, and when a zero-day drops, don’t wait. Update now.

Stay alert. Don’t let them hack on you.Subscribe to Don’t Hack On Me | donthackonme.com

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.

Don’t Hack On Me — Signal February 15, 2026

The Story

On February 5, OpenAI released GPT-5.3-Codex — and quietly made history. It’s the first AI model that OpenAI itself classifies as “High” risk for cybersecurity under their Preparedness Framework. That classification means OpenAI believes the model can automate end-to-end cyber operations against reasonably hardened targets, or automate the discovery and exploitation of operationally relevant vulnerabilities. Read that again. The company that built it is telling you it can hack things.

The capability curve has been steep. OpenAI’s models went from a 27% success rate on capture-the-flag cybersecurity challenges (GPT-5, August 2025) to 76% (GPT-5.1-Codex-Max, November 2025). GPT-5.3-Codex pushes that further. The company also has Aardvark, an agentic security researcher in private beta that scans codebases, reasons over entire repositories, finds vulnerabilities, and proposes patches. Aardvark has already discovered and responsibly disclosed vulnerabilities that received 10 CVE identifiers in open source projects.

So what’s OpenAI’s answer to releasing a model that can hack hardened targets? A program called Trusted Access for Cyber — an identity and trust-based framework that gates enhanced cyber capabilities behind verification. Vetted security professionals get access. Everyone else gets guardrails. Individual users can verify their identity; enterprises can request trusted access for teams. There’s also an invite-only tier for security researchers who need more permissive models. OpenAI is backing it with $10 million in API credits for defensive cyber research.

Not everyone is satisfied with the safeguards. The Midas Project, an AI safety watchdog, pointed out that GPT-5.3-Codex triggered OpenAI’s own “high risk” threshold but was deployed without the specific misalignment safeguards the Preparedness Framework calls for at that level. OpenAI’s response: those safeguards are only required when high cyber capability occurs in conjunction with long-range autonomy. The model is a powerful tool, not an autonomous agent — the distinction matters.

Source:Trusted Access for Cyber (OpenAI, February 5, 2026

Who’s Covering This

• Fortune — “Unprecedented cybersecurity risks.” Focuses on the tension between capability advancement and safety. (February 5, 2026)

• OpenAI System Card — The technical system card detailing the “High” cybersecurity risk classification and mitigation approach. (February 5, 2026)

• SC Media — Covers the Trusted Access launch and $10 million in API credits for defensive research. (February 2026)

• OpenAI — Strengthening Cyber Resilience — OpenAI’s broader strategy post explaining how they’re planning for models that could develop zero-day exploits against well-defended systems. (February 2026)

• OpenAI — Introducing Aardvark — The agentic security researcher that scans codebases and has already found 10 CVEs in open source projects. (October 2025)

If you’re in cybersecurity operations: This is a tools story, and you should think about it the way you think about every powerful tool that’s come through this industry. Cobalt Strike was supposed to be a penetration testing tool. Metasploit was supposed to be a penetration testing tool. Both ended up in the hands of threat actors. That’s going to happen with AI cyber capabilities too — it’s not a question of if, it’s a question of when. The question is whether defenders get to use these tools first.

OpenAI’s Trusted Access program is an attempt to put these capabilities in the hands of the good guys before the bad guys figure it out on their own. If you’re a security practitioner or your team does vulnerability management, pen testing, or code review — apply. Get in early. Start experimenting with what these models can do for your workflows now, because the attackers aren’t waiting for an access program. The $10 million in API credits is real money on the table for defensive research. Take advantage of it.

If you’re in leadership: The models are getting better — fast. OpenAI went from 27% on CTF challenges to 76% in three months. GPT-5.3-Codex is even better. And OpenAI isn’t the only one: Hacktron AI found the BeyondTrust variant through AI-enabled analysis just weeks ago. This isn’t theoretical anymore. AI systems are finding real vulnerabilities at production scale.

What does that mean for your program? Vulnerability volume is going to increase. AI is going to find more bugs faster — both by the good guys doing responsible disclosure and by the bad guys scanning for exploitable targets. Your vulnerability management program needs to be ready for a world where the rate of CVE discovery accelerates. FIRST is already projecting 50,000+ CVEs in 2026 — a record. The organizations that integrate AI into their defensive workflows early will have an advantage. The ones that don’t will be patching faster just to keep up.

The safety debate around the Midas Project’s criticism is worth watching but shouldn’t distract from the practical reality: OpenAI’s logic makes sense here. A high-capability tool without autonomous agency is still just a tool — it needs a human operator. The risk profile is fundamentally different from an autonomous agent that can chain operations independently. The real risk isn’t the model itself. It’s who gets access and what they do with it.

The bigger picture: Every generation of security tooling follows the same pattern. A powerful capability emerges. It gets built for defense. It ends up in offense. The defenders who adopted early had the advantage; the ones who waited were playing catch-up. We saw it with Metasploit, we saw it with Cobalt Strike, and we’re going to see it with AI cyber capabilities. Sometimes you don’t know what software is going to be used for — even Sam Altman has said they’ve been surprised by how their models get applied. The capability is here. The question isn’t whether AI can hack things — OpenAI just told you it can. The question is whether you’re going to use it to find the holes before someone else does.

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.

Don’t Hack On Me — Signal

February 15, 2026

The Story

Palo Alto’s Unit 42 dropped a report on February 5 detailing what they’re calling the “Shadow Campaigns” — a state-aligned cyberespionage operation that compromised over 70 organizations across 37 countries in the past year. The group, tracked as TGR-STA-1030 (also known as UNC6619), has been active since at least January 2024 and hit some of the highest-value targets on the board: national law enforcement agencies, ministries of finance and foreign affairs, a parliament, a senior elected official, and national telecom providers. Between November and December 2025 alone, they conducted active reconnaissance against government infrastructure in 155 countries. That’s roughly one in five nations on earth.

The technical details are serious. The group deployed a previously unknown Linux kernel rootkit called ShadowGuard — an eBPF-based rootkit that runs in kernel space without appearing as a loadable module, making it extremely difficult to detect with conventional tools. It can hide up to 32 processes simultaneously, intercept system calls, and conceal files and directories. They also rotated through Cobalt Strike, VShell (a Go-based C2), Havoc, SparkRat, and Sliver across different phases of the campaign. Their persistence toolkit included Behinder and Godzilla web shells, plus GOST and FRPS tunneling tools.

Here’s where it gets interesting — and where the story becomes about more than just TTPs. Unit 42’s published report attributed TGR-STA-1030 to a “state-aligned group that operates out of Asia” with “activity patterns aligned with GMT+8.” That’s deliberately vague. On February 12, Reuters reported that the original draft of the report attributed the campaign to China. According to Reuters, Palo Alto Networks executives — not the researchers — ordered the attribution stripped. The reason: fear of retaliation from Beijing. Palo Alto has five offices in China and was among roughly 15 U.S. and Israeli cybersecurity firms that China has banned on national security grounds. The company denied the claims.

Source: The Shadow Campaigns: Uncovering Global Espionage (Unit 42, February 5, 2026)

Who’s Covering This

• Reuters — Broke the exclusive that Palo Alto execs overrode researchers and stripped China attribution from the report due to fear of retaliation from Beijing. The real story behind the story. (February 12, 2026)

• BleepingComputer — Emphasizes the reconnaissance scope: 155 countries scanned, 37 compromised, critical infrastructure across the board. (February 5, 2026)

• SecurityWeek — Focuses on victim types — ministries, law enforcement, border control — and the ShadowGuard rootkit discovery. (February 5, 2026)

• The Hacker News — Technical breakdown of the breach scale, phishing lures, and the Diaoyu loader malware. (February 6, 2026)

• SC Media — Covers the attribution controversy angle — corporate self-censorship in threat intelligence reporting. (February 2026)

What Does This Mean to Me?

If you’re in the security operations: Here’s the thing that matters most: this group used zero zero-days. Every exploit in their toolkit was an N-day — known vulnerabilities with patches available, some dating back to 2019. They weaponized Microsoft Exchange RCE, SAP Solution Manager privilege escalation, Atlassian Crowd (CVE-2019-11580), and D-Link RCE, among others. A state-aligned group that compromised 70+ organizations across 37 countries did it with bugs you’ve had patches for. That’s your action item. Check your exposure against the CVEs listed in the Unit 42 report. Hunt for the IOCs — they published IP addresses, domains, and file hashes. And if you’re running Linux infrastructure, understand that eBPF-based rootkits like ShadowGuard represent a real detection gap. Traditional kernel module monitoring won’t catch it. Start looking at eBPF monitoring capabilities in your stack.

If you’re in leadership: The attribution controversy is worth paying attention to — but not for the reasons the headlines suggest. Reuters reporting that Palo Alto stripped China attribution under corporate pressure is a reminder that threat intelligence from vendors is filtered through commercial interests. That’s always been true, but it’s rarely this visible. Factor that into how you consume vendor threat intel.

But here’s the bigger point: it doesn’t matter who the adversary is. Whether this is China, Russia, or anyone else operating out of GMT+8 — the vulnerabilities they exploited are the same. The patches are the same. The defensive actions are the same. We spend too much time in this industry debating flags and not enough time patching the CVEs from 2019 that state-sponsored groups are still using to walk through the front door. The targeting in this campaign aligned with geopolitical interests — rare earth mining deals, diplomatic pressure points, trade negotiations — but the exploitation was pure opportunism against unpatched systems. Attribution is interesting. Patching is what keeps you from being in the next report.

The bigger picture: A state-aligned espionage group hit 70 organizations across 37 countries using nothing but known vulnerabilities, commodity C2 frameworks, and one novel rootkit. They compromised parliaments, ministries, and law enforcement agencies. And when the security vendor that discovered it tried to tell the world who did it, corporate leadership said no. Every part of that sentence should bother you — but the part you can actually control is whether your systems are patched. Start there.

Stay alert. Don’t let them hack on you.

Subscribe to Don’t Hack On Me

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.

Don’t Hack On Me — Signal February 14, 2026

The Story

Remember the BeyondTrust vulnerability that let Chinese state-sponsored group Silk Typhoon breach the U.S. Treasury Department in late 2024? Same product. Same WebSocket endpoint. New code path. And this time it’s worse.

CVE-2026-1731 is a critical (CVSS 9.9) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). An unauthenticated attacker can execute arbitrary OS commands via specially crafted requests — no credentials required, no user interaction needed. It affects RS versions 25.3.1 and prior and PRA versions 24.3.4 and prior. Roughly 8,500 self-hosted instances are exposed to the internet, and BeyondTrust serves 20,000+ customers including 75% of the Fortune 100.

Here’s where it gets interesting: this vulnerability was discovered by Hacktron AI through AI-enabled variant analysis of CVE-2024-12356 — the same vulnerability class that enabled the Treasury breach. An AI system found a variant of a nation-state-exploited flaw through automated analysis. That’s a first worth paying attention to.

The timeline is aggressive. BeyondTrust published advisory BT26-02 on February 6 and auto-patched SaaS customers on February 2. A proof-of-concept exploit hit GitHub on February 10. GreyNoise detected active reconnaissance probing within 24 hours. Attackers are already in the wild — Arctic Wolf confirmed exploitation attempts deploying the SimpleHelp RMM tool for persistence and lateral movement. CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities catalog on February 13 with a remediation deadline of February 16. That’s a three-day window. CISA doesn’t do that unless it’s bad.

Source: BT26-02 Security Advisory (BeyondTrust, February 6, 2026)

Who’s Covering This

• Rapid7 — Technical breakdown of the vulnerability, affected versions, and fix versions. (February 9, 2026)

• GreyNoise — Active scanning detected within 24 hours of PoC release. Also observed the old Silk Typhoon exploit chain (CVE-2024-12356 + CVE-2025-1094) still being replayed as recently as January 2026. (February 12, 2026)

• The Hacker News — Confirmed in-the-wild exploitation of the CVSS 9.9 vulnerability. (February 2026)

• Hacktron AI — The discoverers. Describes how AI-enabled variant analysis found the flaw and the responsible disclosure process. (February 6, 2026)

• CISA — Added to KEV catalog with a February 16 remediation deadline. (February 13, 2026)

• Arctic Wolf — Detected attackers exploiting CVE-2026-1731 to deploy SimpleHelp RMM tool for persistence and lateral movement. (February 2026)

What Does This Mean to Me?

If you’re in security operations: If your organization runs BeyondTrust Remote Support or Privileged Remote Access on-prem, this is a drop-everything patch. Self-hosted instances need to be updated immediately — CISA’s three-day window ends February 16. SaaS customers were auto-patched on February 2, but verify with your BeyondTrust admin. While you’re at it, hunt for indicators of the SimpleHelp RMM tool in your environment — Arctic Wolf confirmed attackers are deploying it post-exploitation for persistence and lateral movement. If you had unpatched instances exposed to the internet before the fix, assume possible compromise and scope an investigation.

Also worth noting: GreyNoise observed the old Silk Typhoon exploit chain (CVE-2024-12356) still being replayed as recently as January 2026. If you patched the first one but haven’t patched this new variant, you’re still exposed on the same endpoint.

If you’re in leadership: This is the same product that enabled a nation-state breach of the U.S. Treasury, and it’s the same vulnerability class on the same endpoint. That’s a pattern, not a coincidence. If your organization relies on BeyondTrust for privileged access — and if you’re in the Fortune 100, there’s a 75% chance you do — this should trigger a broader conversation about your architecture. Privileged access tools sit at the heart of your trust model. When they have pre-auth RCE flaws, attackers don’t need credentials. They don’t even need to knock.

The AI discovery angle matters for your strategy too. This is one of the first major CVEs discovered by an AI system through variant analysis. That’s going to accelerate. Vulnerability discovery is getting faster on both sides — AI is finding bugs before and after the bad guys. The good news: responsible disclosure worked here. Hacktron found it, reported it, BeyondTrust patched it. But the window between disclosure and exploitation is shrinking to hours, not days. Your patching programs need to match that pace.

The bigger picture: We’re going to see more of this. AI-enabled variant analysis means that when a vulnerability class is found in a product, every related code path in that product gets scrutinized at machine speed. For defenders, that’s ultimately good — bugs get found and fixed faster. For attackers, it means they can automate the same analysis. The race between discovery and exploitation is getting faster on both sides. The organizations that survive are the ones that can patch at the speed the threat demands. CISA giving a three-day remediation window is the clearest signal yet that the old “patch within 30 days” cadence is dead for critical vulns.

Stay alert. Don’t let them hack on you.

Subscribe to Don't Hack On Me

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.

February 11, 2026 // Weekly Security Operations Brief

TL;DR

• Situation: 135K OpenClaw AI agents exposed with critical RCE vulns — AI agents are the new shadow IT

• Enemy Activity: Notepad++ supply chain owned by Lotus Blossom for 6 months; Microsoft patches 6 zero-days; Google disrupts massive proxy network; Signal phishing warning

• Friendly Forces: SANS Protocol SIFT brings MCP to forensics; Wiz maps 70+ SDLC attack techniques; EDR silencing detection rules; security scorecarding guide

• Logistics: Trail of Bits releases sandboxed Claude Code container; Cisco drops AI skill scanner

• AI Operations: Google reports on threat actor AI misuse; Microsoft’s top 10 Copilot agent risks; the agent identity crisis

• Personnel: SANS ICS Command Briefing 2026

• The Debrief: Marcus’s take on the AI agent era

Situation

This week, the security industry woke up to a problem it should have seen coming: AI agents are everywhere, and nobody’s securing them.

Over 135,000 OpenClaw AI agents were found exposed to the internet with critical RCE vulnerabilities. Researchers at Bitdefender and SecurityScorecard flagged the exposure. Roughly 386 malicious Skills were discovered on ClawHub targeting crypto wallets, LinkedIn, and Reddit -- racking up over 7,000 downloads before anyone noticed. Kaspersky published a deep-dive showing that default OpenClaw settings ship with no authentication on admin interfaces, and misconfigured reverse proxies expose everything. A fake ClawdBot VS Code extension was caught installing ScreenConnect RAT. And Moltbook, the AI-only social network, had a Supabase misconfiguration leaking every agent’s secret API keys.

This isn’t a single vulnerability. It’s a systemic failure. AI agents behave like users but execute like software. They have persistent memory, tool autonomy, and the ability to chain actions across systems -- and our security models were never built for that. As 1Password put it this week: agent identities need to be treated like new hires, with time-bound, revocable access. If your org is deploying AI agents and you haven’t thought about identity, permissions, and monitoring for them, this is your wake-up call.

Enemy Activity

Notepad++ Supply Chain Compromised by Chinese State Hackers (Lotus Blossom)

The Notepad++ project disclosed that its sole update server was compromised by Lotus Blossom, a China-linked APT, between June and December 2025. Attackers selectively pushed malicious updates to targets in Vietnam, El Salvador, Australia, and the Philippines. Kaspersky found they rotated C2 servers, downloaders, and payloads monthly -- using Cobalt Strike, Metasploit, and a novel “Chrysalis” backdoor. IT admins running Notepad++ with elevated privileges were prime targets. Six months of access before detection. That’s the real story here.

Microsoft February 2026 Patch Tuesday: 6 Zero-Days, 58 Flaws

Microsoft patched 58 vulnerabilities including six actively exploited zero-days and five Critical-rated flaws. The standout: CVE-2026-21510, a Windows Shell Security Feature Bypass that lets attackers bypass SmartScreen and Shell warning dialogs through crafted shortcut files. Microsoft also began rolling out new Secure Boot certificates ahead of the June 2026 legacy cert expiration. Patch now.

Google GTIG Disrupts IPIDEA, One of the World’s Largest Residential Proxy Networks

Google’s Threat Intelligence Group took down IPIDEA, which controlled 13 proxy/VPN brands and used malicious SDKs distributed through trojanized VPNs and uncertified Android TV boxes. Over 550 threat groups from China, DPRK, Iran, and Russia were observed using IPIDEA exit nodes in a single week. Google Play Protect removed 600+ Android apps. This is what large-scale infrastructure takedowns look like.

German BfV and BSI Warn of State-Sponsored Signal Phishing

Germany’s domestic intelligence agency (BfV) and federal cybersecurity agency (BSI) issued a joint advisory warning of state-sponsored phishing attacks targeting Signal users. If your org uses Signal for sensitive comms, share this advisory with your team.

Friendly Forces

SANS Protocol SIFT: First Autonomous Framework Integrating MCP

SANS released Protocol SIFT, an autonomous forensics framework built on the Model Context Protocol (MCP). It orchestrates 200+ utilities in the SIFT Workstation, letting analysts match the velocity of AI-powered threats with deterministic, court-admissible evidence. This is the kind of tooling that changes how DFIR teams operate.

Wiz SITF: SDLC Infrastructure Threat Framework

New open-source framework from Wiz mapping 70+ attack techniques across five SDLC pillars (Endpoint/IDE, VCS, CI/CD, Registry, Production). Includes an Attack Flow Visualizer for drag-and-drop threat modeling that runs entirely client-side. If you’re building or securing CI/CD pipelines, this is worth a look.

EDR Silencing Techniques and Detection

Purple Team published an overview of six EDR silencing methods -- WFP abuse, hosts file modification, NRPT manipulation, IPSec filters, routing table tampering, and IPMute -- along with a SIGMA detection rule for WFP-blocked outbound connections. If you run an EDR, you should know how attackers try to blind it.

Security Scorecarding Programs That Work

Rami McCarthy published an overview of scorecarding in security programs with real-world examples from Chime, Netflix, GitHub, and Atlassian. Practical guidance for teams trying to measure security posture without drowning in vanity metrics.

Logistics

Trail of Bits: Claude Code DevContainer for Security Audits

Trail of Bits released a sandboxed devcontainer for running Claude Code in bypass mode safely during security audits. They also dropped Dropkit, a CLI for managing DigitalOcean droplets with automated setup and lifecycle management. Security-conscious AI tooling from a team that understands the risks.

Cisco Releases Skill Scanner for AI Agent Security

Cisco published Skill Scanner, an open-source tool for analyzing Claude and OpenAI skills for prompt injection, data exfiltration, and malicious code. As AI agent ecosystems grow, tools like this become essential for supply chain security.

AI Operations

Google GTIG: How Threat Actors Are Misusing AI

Google’s Threat Intelligence Group published a new report on how threat actors use AI for gathering information, creating realistic phishing, and developing malware. The report also flagged frequent model extraction attacks -- corporate espionage targeting private AI models. Notably, APT actors aren’t yet directly attacking frontier models. They’re using them as tools, just like everyone else.

Microsoft: Top 10 Security Risks for Copilot Studio Agents

Microsoft published a guide on the top 10 security risks for Copilot Studio agents and how to detect and prevent them. Organizations are rapidly deploying these agents, and threat actors are equally fast at exploiting misconfigured AI workflows. If your org is building Copilot agents, this is required reading.

The Identity Problem for AI Agents

Multiple sources converged on the same theme this week: legacy IAM is static, but AI agents are non-deterministic. Daniel Miessler published security hardening recommendations for OpenClaw. 1Password argued that agent identities need the same rigor as human identities -- time-bound access, revocable credentials, full audit trails. The consensus is clear: agents should not inherit human permissions. They need their own identity layer.

Personnel

SANS ICS Command Briefing 2026

SANS announced the ICS Command Briefing 2026 and a virtual roundtable on Agile Incident Response spanning SOC, cloud, OT, and executive teams. If you’re in ICS/OT security or leading cross-functional IR, these are worth putting on the calendar.

The Debrief

Issue #001 lands in a week that makes one thing clear: the AI agent era didn’t announce itself. It just showed up -- with 135,000 exposed instances, malicious Skills on agent marketplaces, and security models that haven’t caught up.

We’ve been here before. Shadow IT. Cloud sprawl. Container explosion. Every time a new paradigm arrives, security teams are the last to know and the first expected to secure it. The difference this time is velocity. AI agents don’t wait for change management. They chain tools, make decisions, and act autonomously -- which is exactly what makes them useful and exactly what makes them dangerous.

The organizations that get ahead of this won’t be the ones that ban AI agents. They’ll be the ones that treat agent identity, agent permissions, and agent monitoring with the same rigor they apply to human users. Start there.

Stay alert. Don’t let them hack on you.

Subscribe to Don’t Hack On Me | donthackonme.com

This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.