Alerts

Critical vm2 Sandbox Escape Vulnerability Allows Arbitrary Code Execution on Host Systems (CVE-2026-22709)

A critical vulnerability in vm2, a widely-used Node.js sandbox library, allows attackers to completely bypass sandbox isolation and execute arbitrary code on host machines. The flaw carries a CVSS severity score of 9.8, the highest possible rating for a remotely exploitable vulnerability. The vulnerability, tracked as CVE-2026-22709, affects

Breaches

Salt Typhoon Hacked Downing Street Mobile Phones for Years, Exposing Senior UK Government Communications

Chinese state-sponsored hackers compromised mobile phones of senior Downing Street officials for several years, exposing private communications of some of the closest aides to three British prime ministers, according to a report by The Telegraph. The espionage operation, attributed to the Beijing-linked threat group Salt Typhoon, targeted phones of senior

Threats

Fake Notepad++ and 7-Zip Websites Distribute Weaponized RMM Tools to Deploy Backdoor Malware

Threat actors are exploiting legitimate Remote Monitoring and Management software as an initial infection vector, distributing weaponized RMM tools through fake download sites impersonating popular utilities like Notepad++, 7-Zip, Telegram, and ChatGPT, according to research published by ASEC. The campaigns represent a shift in attacker tactics. Traditionally, threat actors deployed

Threats

Pakistan-Linked APT Targets Indian Government with New Golang Malware Using GitHub for Command and Control

A Pakistan-linked advanced persistent threat group is targeting Indian government entities with three previously undocumented malware tools that leverage private GitHub repositories for command-and-control communication, according to research published by Zscaler ThreatLabz. The campaign, dubbed Gopher Strike, deploys a new downloader called GOGITTER, a backdoor named GITSHELLPAD, and a shellcode

Alerts

CISA Adds Four Vulnerabilities to KEV Catalog Including Critical SmarterMail Authentication Bypass

CISA has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, including two critical flaws in SmarterTools SmarterMail that could allow unauthenticated attackers to achieve full administrative compromise of mail servers. Federal agencies must apply mitigations by February 16, 2026. Critical SmarterMail Authentication Bypass The most severe addition is CVE-2026-23760,

Alerts

Microsoft Office Zero-Day Under Active Exploitation Bypasses OLE Security Mitigations (CVE-2026-21509)

Microsoft has disclosed an actively exploited zero-day vulnerability in Microsoft Office that allows attackers to bypass security features designed to protect users from malicious OLE and COM controls. The vulnerability was publicly disclosed and is confirmed under active exploitation. The flaw, tracked as CVE-2026-21509, carries a CVSS score of 7.

Threats

Russian Malware Toolkit Guarantees Chrome Web Store Approval for $6,000

A malware-as-a-service toolkit circulating on Russian cybercrime forums offers turnkey website spoofing capabilities disguised as a Chrome extension, with its premium tier guaranteeing publication on the official Chrome Web Store, according to research published by Varonis. The toolkit, dubbed Stanley after the seller's alias, sells for $2,000

Threats

WinRAR Vulnerability Exploited to Deploy Fileless Quasar RAT Without User Consent

A malware campaign is actively exploiting a WinRAR path validation vulnerability to deliver a fileless remote access trojan without requiring macros, exploit kits, or elevated privileges, according to research published by CYFIRMA. The attack chain abuses archive extraction behavior to silently establish persistence before any visible malware execution occurs. The

Threats

Bank of England Finds Financial Firms Failing Basic Cybersecurity Controls

The Bank of England's CBEST cybersecurity assessment program has found widespread failures in basic cybersecurity practices across UK financial institutions, according to a thematic report published jointly by the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority. The findings, derived from 13 threat-led penetration tests of

Breaches

Clop Ransomware Group Claims 43 Victims in Massive 24-Hour Breach Wave

The Clop ransomware group has posted 43 new victims to its dark web leak site within a 24-hour period, targeting organizations across the United States, Canada, United Kingdom, Europe, and New Zealand. The wave of listings includes major brands such as Hilton Hotels and The Weather Company, parent of Weather.

Threats

Sandworm Deployed New DynoWiper Malware Against Poland Energy Grid in Failed Attack

Russian state-linked threat group Sandworm targeted Poland's energy infrastructure in late 2025 with a previously undocumented data-wiping malware called DynoWiper, according to new research from ESET. Security experts have described the intrusion as one of the largest cyberattacks the country has faced in years. The attack failed to

Breaches

Instagram Vulnerability Exposed Private Photos Without Authentication, Meta Silently Patched and Denied Report

A server-side vulnerability in Instagram allowed unauthenticated attackers to access private photos and captions without logging in or having a follower relationship, according to security researcher Jatin Banga who published a full disclosure this week after a 102-day interaction with Meta's bug bounty program. Meta silently patched the