DHOM SitRep #002: First Chrome Zero-Day of 2026, Singapore Evicts Chinese Hackers from All 4 Telcos, and AI-Built Malware Goes Multi-Cloud
CVE-2026-2441 hits 70% of browsers. UNC3886 owned Singapore's telecom backbone. VoidLink is the first malware framework built by AI. Plus: PANW closes $25B CyberArk deal, two security pros convicted
Don’t Hack On Me -- Situation Report February 18, 2026 // Weekly Security Operations Brief
TL;DR
• Situation: Chrome zero-day CVE-2026-2441 is being exploited now — update every Chromium browser you own
• Enemy Activity: Singapore telecom espionage, Shadow Campaigns across 37 countries, BeyondTrust exploited in hours, exfiltration-only ransomware surging 450%, Ivanti sleeper shells in European governments
• Friendly Forces: CISA adds 10+ vulns to KEV, Darktrace publishes BeyondTrust detection logic, 10 ICS advisories dropped
• Logistics: Palo Alto Networks closes $25B CyberArk acquisition — largest deal in security history
• AI Operations: OpenAI’s GPT-5.3-Codex rated “High” cyber risk, VoidLink is first AI-built malware framework, Microsoft discovers AI memory poisoning
• Personnel: Two cybersecurity pros convicted as BlackCat ransomware operators; CISA faces 40% workforce cuts
Situation
Google released an emergency Chrome update on Friday to patch CVE-2026-2441 — a high-severity (CVSS 8.8) use-after-free vulnerability in the Blink rendering engine’s CSS implementation that’s being actively exploited in the wild. It’s the first Chrome zero-day of 2026. Google confirmed exploitation exists while saying absolutely nothing about who’s doing it or who’s being targeted.
Here’s what makes this matter to everyone reading this: it’s not just Chrome. Every browser built on Chromium is affected. Edge, Brave, Opera, Vivaldi, Arc, Perplexity’s Comet browser — roughly 70% of global browser market share runs on a single engine. One vulnerability, one codebase, most of the internet’s browsers need a patch. Chrome’s fixed versions are 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux. Don’t wait for auto-update on an actively exploited zero-day. Go to chrome://settings/help, force the update, restart.
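Forcing the update on your own machine is step one; the harder part is finding every Chromium-based browser in a fleet that is still below the fixed build. The script below is an added example (not code from Don’t Hack On Me) that takes a browser inventory and flags anything below the fixed versions quoted above. The inventory rows are constructed sample data, and it assumes your inventory source can report the embedded Chromium version for non-Chrome browsers (Edge, Brave and the rest carry their own product version numbers, so the Chromium build is the value that matters). The comparison is numeric per component, which matters because a lexical compare would rank build ".9" above ".75".

```python
"""Flag Chromium-based browsers still below the fixed build for CVE-2026-2441.

Added example, not from the Don't Hack On Me post. Fixed versions are the ones the
post quotes (145.0.7632.75/76 for Windows and Mac, 144.0.7559.75 for Linux). The
inventory below is constructed sample data; mapping each browser to its embedded
Chromium version is an assumption you must satisfy from your own inventory tool.
"""
from typing import Iterable

# Minimum fixed build per platform as stated in the post. Windows/Mac list .75/.76;
# the lower one is the threshold, so anything at or above it counts as patched.
FIXED_CHROMIUM = {
    "windows": (145, 0, 7632, 75),
    "mac": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}


def parse_version(text: str) -> tuple:
    """Turn '145.0.7632.75' into (145, 0, 7632, 75) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(chromium_version: str, platform: str) -> bool:
    """True when the embedded Chromium build is at or above the fixed build for that platform."""
    fixed = FIXED_CHROMIUM[platform.lower()]
    return parse_version(chromium_version) >= fixed


def find_exposed(inventory: Iterable[dict]) -> list:
    """Return inventory rows whose Chromium build is still below the fix.

    Each row: {"host": str, "browser": str, "platform": str, "chromium": str}.
    Rows that cannot be evaluated (unknown platform, unparsable version) are
    returned too, tagged with a note, so nobody quietly falls off the list.
    """
    exposed = []
    for row in inventory:
        try:
            if not is_patched(row["chromium"], row["platform"]):
                exposed.append(row)
        except (KeyError, ValueError):
            exposed.append({**row, "note": "could not evaluate"})
    return exposed


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "browser": "Chrome", "platform": "windows", "chromium": "145.0.7632.76"},
    {"host": "ws-02", "browser": "Chrome", "platform": "windows", "chromium": "145.0.7632.60"},
    {"host": "ws-03", "browser": "Edge", "platform": "mac", "chromium": "144.0.7559.100"},
    {"host": "srv-04", "browser": "Chrome", "platform": "linux", "chromium": "144.0.7559.75"},
    {"host": "ws-05", "browser": "Brave", "platform": "windows", "chromium": "145.0.7632.9"},
    {"host": "ws-06", "browser": "Opera", "platform": "windows", "chromium": "unknown"},
]

if __name__ == "__main__":
    for row in find_exposed(SAMPLE_INVENTORY):
        status = row.get("note", "NEEDS UPDATE")
        print(f"{row['host']:8} {row['browser']:7} {row['platform']:8} {row['chromium']:16} {status}")
```

Run against the sample data it lists ws-02, ws-03, ws-05 and ws-06; ws-01 and srv-04 are at or above the fix. Note that ws-03 is exposed even though its Chromium build is "higher" in the last component, because the fixed major version for Mac is 145, and ws-05 is caught only because the compare is numeric.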
Enemy Activity
Singapore Mounts Largest Cyber Operation After UNC3886 Breaches All 4 Telcos - China-linked APT UNC3886 compromised all four of Singapore’s major telecom providers — Singtel, M1, StarHub, and SIMBA — using a zero-day firewall exploit. This is the most significant nation-state telecom compromise disclosed this year.
70 Orgs Hacked Across 37 Countries — Unit 42’s Shadow Campaigns - State-aligned cyberespionage group TGR-STA-1030 compromised over 70 organizations across 37 countries using only N-day exploits with patches available, some dating back to 2019.
BeyondTrust CVE-2026-1731: Exploited Within Hours of PoC Release - BeyondTrust patched CVE-2026-1731 (CVSS 9.9) — a critical pre-auth RCE. By February 13, exploitation was confirmed in the wild.
Exfiltration-Only Ransomware Surging 450% - Attackers are abandoning encryption entirely — no data locker needed, no EDR triggers.
Ivanti EPMM “Sleeper Shells” — European Commission, Dutch and Finnish Governments Breached - Ivanti EPMM vulnerabilities are under widespread exploitation with dormant “sleeper” web shells planted.
Friendly Forces
CISA Adds 10+ Vulnerabilities to KEV Catalog in February - CISA added vulnerabilities including SolarWinds Web Help Desk, six Microsoft zero-days, and BeyondTrust CVE-2026-1731. If you’re not using KEV as a private-sector patching signal, start.
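Using KEV as a patching signal in practice means joining the catalog against what you actually run and ordering the result by urgency. The script below is an added example, not code from this newsletter or from CISA. The catalog ships as JSON (the feed URL in the docstring is my assumption about its current location); to keep the example runnable offline it embeds a constructed excerpt in the same shape, so the entries, due dates and the placeholder CVE-2020-0000 are illustrative rather than CISA's records. The due dates in the real catalog are binding on federal civilian agencies under BOD 22-01; for everyone else they are a usable proxy for how fast CISA thinks you should move.

```python
"""Join CISA's KEV catalog against a local CVE inventory and rank what to patch first.

Added example, not from the Don't Hack On Me post. CISA publishes the catalog as JSON
(assumed URL: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
fetch it with your own client and pass the text to load_kev(). The excerpt below is a
constructed stand-in in the same shape: CVE-2026-1731 and CVE-2026-2441 are the IDs the
post mentions, CVE-2020-0000 is a placeholder, and every product name and date is made up.
"""
import json
from datetime import date

# Constructed KEV-shaped excerpt (field names follow the published feed; values are invented).
KEV_JSON = """
{
  "title": "constructed KEV excerpt for illustration",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust", "product": "example-product",
     "dateAdded": "2026-02-13", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-0000", "vendorProject": "PlaceholderVendor", "product": "placeholder-product",
     "dateAdded": "2022-01-10", "dueDate": "2022-07-10", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: CVE -> hosts where a scanner says it is present. The last entry
# is a made-up ID that is not in KEV, to show that non-KEV findings are left for normal triage.
INVENTORY_CVES = {
    "CVE-2026-2441": ["ws-05", "ws-01"],
    "cve-2026-1731": ["srv-09"],
    "CVE-2020-0000": ["legacy-01"],
    "CVE-2026-0000": ["ws-02"],
}


def load_kev(text: str) -> dict:
    """Parse the KEV JSON and index entries by upper-cased CVE ID."""
    catalog = json.loads(text)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory: dict, kev: dict, today: date) -> list:
    """Return inventory CVEs that appear in KEV, most urgent first.

    Ordering: anything past its KEV due date first, then soonest due date,
    and among ties the ones CISA has linked to ransomware campaigns.
    """
    hits = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not in KEV: still a finding, just not this signal
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve.upper(),
            "vendor": entry["vendorProject"],
            "hosts": sorted(hosts),
            "due": due.isoformat(),
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: (not h["overdue"], h["due"], not h["ransomware"]))
    return hits


def run_sample(today_iso: str = "2026-02-18") -> list:
    """Run the join over the constructed data for a given 'today' (ISO date string)."""
    return prioritize(INVENTORY_CVES, load_kev(KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for hit in run_sample():
        flag = "OVERDUE" if hit["overdue"] else "due " + hit["due"]
        rw = " ransomware" if hit["ransomware"] else ""
        print(f"{hit['cve']} {hit['vendor']:18} {flag}{rw}  hosts={','.join(hit['hosts'])}")
```

With the sample data and a "today" of 2026-02-18 the placeholder legacy CVE comes out first (years overdue and ransomware-linked), then the BeyondTrust bug due in two days, then the Chrome zero-day; the made-up CVE-2026-0000 is dropped from this list because it is not in the catalog. The same join, run nightly against the real feed and your scanner export, is the cheapest KEV-driven patch queue you can build.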
Darktrace Publishes BeyondTrust CVE-2026-1731 Detection Analysis - Actionable content for security teams building detections.
CISA Releases 10+ ICS Advisories for Critical Infrastructure - OT/ICS teams should review these immediately.
Logistics
Palo Alto Networks Closes $25B CyberArk Acquisition — Largest in Security History - Identity Security becomes PANW’s third core pillar. Machine identities already outnumber human identities 80-to-1, and AI agent identities are the next frontier.
AI Operations
OpenAI Built an AI That Can Hack Hardened Targets - GPT-5.3-Codex is the first AI model OpenAI classifies as “High” risk for cybersecurity. Their answer: Trusted Access for Cyber, backed by $10M in API credits for defensive research.
VoidLink: First Malware Framework Built by AI - 88,000 lines of code, targets AWS, Azure, GCP, Alibaba, and Tencent cloud environments. A single developer produced what would normally require a team.
Microsoft Discovers AI Recommendation Poisoning - One click can poison an AI assistant’s memory, causing subtly biased recommendations.
Personnel
Two Cybersecurity Pros Plead Guilty as BlackCat/ALPHV Ransomware Affiliates - A ransomware negotiator and an incident responder were secretly running attacks. This is the insider threat case that should make every security organization reconsider vetting.
CISA Faces 40% Workforce Cuts — Red Teams Dismantled - Up to 1,300 positions on the chopping block. The irony is not lost on anyone.
What Does This Mean to Me?
If you’re in security operations: Update Chrome and every Chromium-based browser in your environment right now. Check exposure against BeyondTrust and Ivanti vulnerabilities. Hunt for IOCs from the Unit 42 Shadow Campaigns report.
If you’re in leadership: Three themes - the Chromium monoculture risk, identity as the new perimeter (PANW/CyberArk deal), and the insider threat conviction that should be a board-level conversation.
If you’re breaking into the field: Pay attention to VoidLink. Learn cloud security. The gap between “one person with AI” and “a team without it” is closing fast.
The Debrief
This week’s SitRep has AI fingerprints all over it. VoidLink proved that a single developer with an AI coding agent can produce an 88,000-line malware framework. AI is the multiplier on both sides. The teams that adopt AI into their security workflows now will be setting the pace. Everyone else will be patching to keep up.
End of SitRep. Stay alert. Don’t let them hack on you.
Subscribe to Don’t Hack On Me | donthackonme.com
This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.