30 Years of DDoS: Why a Structural Problem Persists

DDoS attacks, originating in 1996, remain a persistent problem due to known weaknesses in internet architecture and organizational structures. The growth of the internet has amplified the impact of these attacks, exploiting vulnerabilities in IoT devices and combining network overloads with targeted disruptions to business processes.

https://www.igorslab.de/en/30-years-of-ddos-why-a-structural-problem-persists/

Notepad++ Hijacked by State-Sponsored Hackers

Notepad++ was hijacked by state-sponsored hackers, likely Chinese, compromising update traffic from June to December 2025. The former hosting provider confirmed the server was breached, allowing attackers to redirect Notepad++ updates. All security vulnerabilities were addressed by December 2, 2025, and the site was migrated to a more secure host. Users are advised to download v8.9.1, which includes security enhancements, and to update manually. No specific indicators of compromise were found during the investigation.

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

CTM360 Research Reveals 30,000+ Fake Online Shops Impersonating Fashion Brands

TLDR: CTM360's research reveals over 30,000 fraudulent online shops impersonating fashion brands globally, part of a sophisticated scheme called FraudWear. These scams feature realistic e-commerce structures, targeting consumers through ad-driven marketing and localized tactics, exploiting trust in legitimate brands to harvest personal and payment information without delivering products. The scale and infrastructure of such operations make them persistently difficult to combat, necessitating a shift in cybersecurity strategies.

https://thehackernews.com/expert-insights/2026/02/ctm360-research-reveals-30000-fake.html

Russia-linked Attackers Abuse New Microsoft Office Zero-day

Russia-linked APT28 hackers exploited the latest Microsoft Office zero-day, targeting Ukrainian government and EU organizations. Ukraine's CERT reports rapid weaponization of the CVE-2026-21509 vulnerability, leading to phishing campaigns and malware deployment via malicious DOC files. Microsoft has issued patches, but concerns about increasing cyberattacks persist due to slow user updates.

https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/

Spyware Maker Is Hijacking Diplomatic Efforts to Limit Commercial Hacking, Civil Society Warns

Civil society alleges NSO Group, a spyware manufacturer with a history of human rights violations, is using diplomatic initiatives like the Pall Mall Process to rehabilitate its image despite reports of abuses. While NSO claims engagement in reining in spyware misuse, officials from France and the UK affirm they did not invite NSO's participation. Critics stress that NSO's history, including targeting journalists and activists, undermines its claims of responsible governance, while calls for exclusion from future negotiations are growing amid concerns over accountability and transparency.

https://therecord.media/spyware-maker-pall-mall-process-reputation

Malicious MoltBot Skills Used to Push Password-stealing Malware

Over 230 malicious packages, dubbed "skills," targeting the OpenClaw AI assistant have been released in a week, posing as legitimate tools to distribute malware that steals sensitive information such as API keys and passwords. The malware exploits misconfigurations in OpenClaw's admin interface and employs social engineering tactics to infect users' systems, using a seemingly essential tool called "AuthTool" to deliver payloads. To mitigate risks, users are advised to carefully verify the safety of skills before use and to adopt security measures such as isolating the AI assistant in a virtual environment.

https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

How Fake Party Invitations Are Being Used to Install Remote Access Tools

Fake party invitations are being used in a scam to trick victims into installing ScreenConnect, a remote access tool, on their Windows computers. Victims receive emails that appear friendly and informal, leading to a seemingly innocent invitation link. Clicking the link downloads an MSI file disguised as an invitation, which silently installs ScreenConnect, allowing attackers full control of the victim's computer. The scam exploits human curiosity and urgency, often going unnoticed until suspicious behavior occurs on the system. To protect against this scam, users should be wary of unsolicited invitations, avoid running unknown MSI files, and verify invitations through other channels.

https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools

Notepad Hijacked

Notepad++ update servers were compromised by a likely Chinese state-sponsored group from June to December 2025. Attackers intercepted update traffic, redirecting users to malicious binaries due to inadequate validation of update packages. Following the breach, Notepad++ enhanced security measures, including stricter validation processes and plans to implement XMLDSig in future updates to prevent such incidents.

https://cybersecuritynews.com/notepad-hijacked/

175K Exposed Ollama Hosts Allow Remote Code Execution

175,000 exposed Ollama AI servers across 130 countries present significant remote code execution risks due to insufficient security. Researchers found 7.23 million observations and highlighted a core of 23,000 persistent hosts, with many capable of executing code and interacting with external systems, heightening threat levels. Security risks include resource hijacking, spam, and prompt injection attacks, particularly as many hosts lack adequate monitoring. The global infrastructure complicates traditional governance, necessitating improved security measures for edge-deployed AI models.

https://cyberpress.org/175k-exposed-ollama-hosts-allow-remote-code-execution/

OpenSourceMalware.com

Extreme TLDR:
14 malicious ClawdBot skills, posing as crypto trading tools, distribute malware targeting ByBit, Polymarket, and others. Skills leverage social engineering for credential theft on macOS and Windows. They exploit a lack of security in ClawHub, using deceptive documentation to trick users into executing harmful commands. The campaign relies on a centralized C2 infrastructure for data theft, with multiple skills still available online.

https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto

Can’t Stop, Won’t Stop: TA584 Innovates Initial Access

TA584 Cyber Threat Overview: TA584 is a prominent threat actor monitored by Proofpoint, known for rapid innovation in attack strategies. In 2025, it evolved its tactics, employing ClickFix social engineering, targeting various regions, and introducing new malware (Tsundere Bot). This actor showed a significant increase in campaign frequency, tripling monthly attacks by year's end, with a focus on quick campaign turnover and a variety of delivery methods. Its recent approach contrasts with earlier patterns, highlighting its adaptability to cybersecurity defenses.

https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access

Aisuru Botnet Sets New Record With 31.4 Tbps DDoS Attack

Aisuru botnet set a record with a 31.4 Tbps DDoS attack, targeting telecoms and IT firms. Cloudflare mitigated this “Night Before Christmas” attack, which peaked at 200 million requests per second. The botnet, leveraging compromised devices, continues to increase DDoS incidents, with a 121% rise in attacks over 2025.

https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/

Clawdbot’s Rename to Moltbot Sparks Impersonation Campaign

AI assistant Clawdbot was renamed Moltbot due to trademark issues, leading to impersonation campaigns. Attackers exploited the transition by creating typosquat domains and a cloned GitHub repository containing clean code to mislead users, positioning themselves for potential supply-chain attacks. Despite no immediate malware, the impersonation strategy relies on trust, risking users' API keys and data over time. Users are advised to verify sources and maintain scrutiny during transitions, while maintainers should preemptively secure domains and manage renames carefully.

https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign

Operation Bizarre Bazaar: First Attributed LLMjacking Campaign With Commercial Marketplace Monetization

Pillar Security introduces RedGraph, the first attack surface mapping and continuous testing platform for AI agents, providing visibility and security for AI infrastructures. The platform addresses rising threats identified in “Operation Bizarre Bazaar,” an orchestrated campaign focused on exploiting exposed AI systems for unauthorized access and resale on digital marketplaces. Key risks include compute theft, data exfiltration, and lateral movement within networks. Recommendations for mitigation involve enabling authentication, auditing server exposure, and implementing strict security controls. The ongoing threat necessitates transparency and proactive defense measures in AI environments.

https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization

Two High-Severity N8n Flaws Allow Authenticated Remote Code Execution

Two high-severity vulnerabilities in the n8n workflow automation platform could lead to remote code execution by authenticated users. Discovered by JFrog Security Research, these vulnerabilities include CVE-2026-1470 (eval injection, CVSS 9.9) and CVE-2026-0863 (Python task executor bypass, CVSS 8.5). Exploiting these flaws may allow attackers to gain full control of n8n instances, especially in internal execution mode. Users are advised to update to specific safe versions to mitigate these risks.

https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html