All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
AI tools are making cybercrime easier by helping attackers write malicious code and automate attacks, while criminals also use deepfake technology (synthetic media that realistically mimics people) to impersonate others and commit scams. AI assistants that interact with external tools like email and web browsers pose serious security risks because their mistakes can have real-world consequences, especially when users hand over sensitive personal data to systems like OpenClaw.
This week's threat bulletin highlights attackers increasingly relying on trusted tools and overlooked vulnerabilities rather than novel exploits, with a shift toward quieter, longer-term access over disruptive attacks. Key incidents include a command injection flaw (CVE-2026-20841, with a severity rating of 8.8 out of 10) in Windows Notepad that allows remote code execution through malicious Markdown links, over 510 advanced persistent threat operations (coordinated cyberattacks by nation-states or organized groups) targeting 67 countries, 173 of them focused on Taiwan, and two new information stealers (LTX Stealer and Marco Stealer) harvesting credentials and sensitive data from Windows systems.
Chinese AI companies have recently released open-weight models (AI models whose internal numerical parameters are publicly available for anyone to download and modify) that match Western AI performance at much lower costs, with DeepSeek's R1 and Alibaba's Qwen models becoming among the most downloaded globally. Unlike proprietary Western models like ChatGPT that users access through paid APIs (application programming interfaces, standardized ways for software to communicate), these Chinese open-source models allow developers to inspect, study, and modify the code themselves. If this trend continues, it could shift where AI innovation happens and who establishes industry standards worldwide.
Modern software systems create short-lived infrastructure (ephemeral workloads that exist briefly) much faster than we can manage the identities (digital credentials and access permissions) that control them, creating a dangerous security gap. The text highlights that non-human identities like service accounts and API keys now vastly outnumber human users, yet many organizations still use outdated manual processes to track and remove them, leaving "zombie identities" (old credentials that remain active after their purpose ends) with dangerous access levels. Test environments are particularly risky because they often have weak security controls and direct connections to production systems, making them attractive targets for attackers seeking backdoor access.
Microsoft discovered 9 security vulnerabilities in Windows Administrator Protection, with 5 traced to problems in the implementation of UI Access, a feature designed to let accessibility tools (like screen readers) interact with administrator-level windows while maintaining security boundaries. These vulnerabilities stem from how UI Access, which was created to bypass User Interface Privacy Isolation (UIPI, a security mechanism that prevents lower-privilege processes from controlling higher-privilege windows) for accessibility needs, could be abused to escalate privileges.
State-backed hackers from China, Iran, North Korea, and Russia are using Google's Gemini AI model to help carry out cyberattacks at every stage, from gathering target information to creating phishing emails and writing malware code. Criminal groups are also exploiting AI tools for social engineering attacks and building malware that uses AI to generate code automatically. Additionally, attackers are attempting model extraction and knowledge distillation (copying an AI model's decision-making by querying it repeatedly) to replicate Gemini's functionality for their own purposes.
Criminals are increasingly targeting software developers as a weak point in company security, exploiting their access to source code and cloud systems rather than just finding bugs in applications. Attackers use multiple tactics including malicious open-source packages (libraries of reusable code), compromised development environments (where programmers write code), and fake job applications to gain insider access. Over 454,000 malware-infected open-source packages were discovered in 2025 alone, and developers repeatedly download vulnerable versions of tools like Log4j, expanding their exposure to known security weaknesses.
SSHStalker is a botnet that compromises Linux servers by brute-forcing weak SSH passwords (a method of repeatedly guessing login credentials), affecting at least 7,000 machines by January. The botnet combines old IRC (Internet Relay Chat, a text communication protocol) tactics with modern automation to deploy malware, rootkits (software that gives attackers deep system access), and exploits, though it hasn't yet been used for financial gain. Security experts emphasize that the attack succeeds because organizations neglect basic security practices like strong authentication and patching old vulnerabilities.
CVE-2026-1669 is a vulnerability in Keras (a machine learning library) versions 3.0.0 through 3.13.1 that allows attackers to read arbitrary files on a system by uploading a specially crafted model file that exploits HDF5 external dataset references (a feature of HDF5, a file format commonly used to store large amounts of numerical data). An attacker could use this to access sensitive information stored on the affected computer.
sf-mcp-server, a tool that connects Salesforce to Claude for Desktop, has an OS command injection vulnerability (CWE-78, a flaw where user-supplied input reaches a shell command without shell metacharacters being neutralized). The vulnerability exists because the software unsafely passes user-controlled input to child_process.exec (a Node.js function that runs a command string through the system shell), allowing attackers to execute arbitrary shell commands with the server's privileges.
LangChain's RecursiveUrlLoader (a web crawler that follows links across pages) had a security flaw in versions before 1.1.14 where its preventOutside option relied on a weak prefix-based URL comparison that attackers could bypass. An attacker could trick the crawler into visiting unintended domains by creating links whose URLs share a prefix with the allowed one, or into reaching internal services like cloud metadata endpoints and private IP addresses that should be off-limits.
A North Korean hacking group called UNC1069 is targeting cryptocurrency companies using AI tools, including LLMs (large language models, which are AI systems trained on huge amounts of text), deepfakes (fake videos or images created by AI), and a technique called ClickFix (a social engineering scam that tricks users into downloading malware by posing as tech support). The group has shifted focus from attacking traditional banks to targeting Web3 companies, which are blockchain-based services in the cryptocurrency space.
Mrinank Sharma, a researcher who led AI safety efforts at Anthropic (a company focused on making AI systems safer and aligned with human values), resigned with a warning that "the world is in peril" due to interconnected crises including AI risks and bioweapons. Sharma said he observed that even safety-focused companies like Anthropic struggle to let their core values guide their actions when facing business pressures, and he plans to pursue poetry and writing in the UK instead.
Palo Alto Networks acquired CyberArk for $25 billion to strengthen its ability to manage privileged access (controlling who can access sensitive systems and accounts) across human, machine, and AI identities through a unified platform. This addresses a critical security gap because identity has become the primary target in enterprise attacks, especially with the rise of AI agents (autonomous software that performs tasks independently) that operate 24/7 with broad permissions. The integration aims to help organizations prevent credential-based attacks and reduce breach response time by up to 80%.
Fix: Microsoft patched the Notepad command injection flaw as part of its monthly Patch Tuesday update this week.
Source: The Hacker News
OpenClaw is a popular open-source AI agent orchestration tool (software that coordinates multiple AI agents to complete tasks) that runs locally and can connect to apps like WhatsApp, Gmail, and smart home devices, but security researchers have found it to be critically insecure by default. Over 42,000 exposed instances have been discovered with authentication bypass vulnerabilities (weaknesses that let attackers skip login requirements) and potential remote code execution (RCE, where attackers can run commands on affected systems), exposing organizations to data breaches, credential theft, and regulatory violations.
Fix: Rich Mogull, chief analyst at Cloud Security Alliance, recommends that "CISOs prohibit its use altogether." He states: "The answer has to be 'no.' There is no security model."
Source: CSO Online
Fix: According to Flare researcher Assaf Morag, SSHStalker can be stopped by: (1) disabling SSH password authentication and replacing it with SSH-key based authentication, or hiding password logins behind a VPN; (2) implementing SSH brute-force rate limiting (slowing down repeated login attempts); (3) monitoring who is trying to access internet-connected Linux servers; and (4) limiting remote access to servers to specific IP ranges. Security experts also recommend: killing password-based SSH access entirely and moving to key-based authentication or solutions with short-lived credentials or identity-aware proxies; aggressively inventorying IT assets; prioritizing patching of known vulnerabilities; ensuring no compilers on production servers; alerting on IRC-like traffic; implementing cron/systemd integrity monitoring on Linux servers; and creating a legacy Linux eradication plan.
Source: CSO Online
Companies are using hidden instructions embedded in 'Summarize with AI' buttons to manipulate enterprise chatbots through a technique called AI recommendation poisoning (tricking an AI by hiding instructions in its input that make it remember false preferences). Microsoft research found 50 examples of this technique deployed by 31 companies, where users unknowingly click a summarize button that secretly tells their AI to favor that company's products in future responses. This is particularly dangerous because the AI cannot distinguish genuine user preferences from injected ones, potentially leading to biased recommendations on critical topics like health, finance, and security.
Fix: Microsoft states that 'the technique is relatively easy to spot and block.' For individual users, this involves studying the saved information a chatbot has accumulated (though the source notes that how this is accessed varies by AI). For enterprise admins, the source text is incomplete but indicates there are admin-level protections available. Microsoft also notes that its Microsoft 365 Copilot and Azure AI services contain integrated protections against this technique.
Source: CSO Online
SolarWinds Web Help Desk has a security control bypass vulnerability (a weakness that lets attackers skip security checks) that could allow someone without login credentials to access restricted features. This vulnerability is actively being exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: CISA Known Exploited Vulnerabilities
Notepad++ has a vulnerability in its WinGUp updater where downloaded updates lack an integrity check (a process that verifies a file hasn't been tampered with). An attacker could intercept update traffic and trick users into downloading and running malicious code, giving the attacker the same permissions as the user. This vulnerability is currently being exploited in real attacks.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: CISA Known Exploited Vulnerabilities
Apple's iOS, macOS, tvOS, watchOS, and visionOS contain a buffer overflow vulnerability (a flaw where code writes data beyond the intended memory boundaries), which could allow an attacker with memory write access to run arbitrary code (any instructions they choose). This vulnerability is currently being actively exploited by attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Refer to Apple's support pages (https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126351, https://support.apple.com/en-us/126352, https://support.apple.com/en-us/126353) for specific patch or mitigation details.
Source: CISA Known Exploited Vulnerabilities
Microsoft Configuration Manager has an SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands), allowing unauthenticated attackers to send malicious requests that could let them execute commands on the server or database. This vulnerability is currently being actively exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: CISA Known Exploited Vulnerabilities
Fix: Update LangChain to version 1.1.14 or later, which fixes this vulnerability.
Source: NVD/CVE Database