Cybersecurity News | Daily Recap [18 Feb 2026]

In this Daily Recap, the latest cyber threats include exploited zero-days such as Dell RecoverPoint CVE-2026-22769, used by UNC6201 to deploy GRIMBOLT/SLAYSTYLE with Ghost NICs, alongside a spectrum of high-impact flaws, supply-chain breaches, and targeted espionage campaigns. The recap also notes active exploitation of TeamT5 CVE-2024-7694, Ivanti EPMM backdoors that survive patching, the Keenadu firmware backdoor, CRESCENTHARVEST espionage, and AI/cloud risks including Copilot as C2 and Grok deepfakes, plus notable data leaks and enforcement actions. #UNC6201 #GRIMBOLT #SLAYSTYLE #DellRecoverPoint #TeamT5 #IvantiEPMM #Keenadu #CRESCENTHARVEST #Copilot #Grok #Eurail #Cellebrite #DavaIndia #Notepad++ #Chrysalis #PaloAltoNetworks #Koi #VulnCheck

Exploited Zero-days

  • UNC6201 has exploited a hardcoded-credential zero-day (CVE-2026-22769) in Dell RecoverPoint to gain unauthenticated root persistence and deploy GRIMBOLT/SLAYSTYLE implants using stealth techniques like Ghost NICs – Dell Zero-day, Dell Ghost NICs

Active Exploits & KEV

  • CISA warns that a patched arbitrary file-upload flaw in software from Taiwanese firm TeamT5 (CVE-2024-7694) is actively exploited and has been added to the Known Exploited Vulnerabilities catalog – TeamT5 KEV
  • Attackers deployed dormant backdoors in Ivanti EPMM to bypass patching of recent zero-days, enabling persistent access despite updates – Ivanti Backdoors

High-impact Flaws

  • A critical flaw in the CleanTalk WordPress plugin (CVE-2026-1490, CVSS 9.8) could let unauthenticated actors install plugins across ~200,000 sites and enable RCE – CleanTalk Flaw
  • Critical and high-severity vulnerabilities in popular VSCode extensions (combined downloads > 128 million) can leak local files or lead to RCE; maintainers failed to respond to disclosures – VSCode Flaws
  • An exposed admin subdomain in DavaIndia’s Next.js platform allowed creation of a super-admin account and access to customer orders and inventory before the issue was fixed and confirmed closed by CERT-In – DavaIndia Flaw

Firmware & Supply-chain

  • Kaspersky uncovered a firmware backdoor named Keenadu injected via signed OTA updates that hooks Zygote, uses an AKServer/AKClient module loader, and has impacted over 13,700 Android tablets worldwide – Keenadu Backdoor
  • Notepad++ added a “double-lock” update verification (GitHub-signed installer + XMLDSig-signed XML) after a supply-chain compromise attributed to the Lotus Blossom group and the Chrysalis backdoor – Notepad++ Double-lock

Malware & Espionage

  • Acronis TRU revealed the targeted cyber-espionage campaign CRESCENTHARVEST that lures Iranian dissidents with protest-themed files and uses signed Google executables for DLL sideloading to deploy a flexible RAT for surveillance – CRESCENTHARVEST

AI, Cloud & API Risks

  • OpenAI rolled out Lockdown Mode and Elevated Risk labels to restrict network interactions and mitigate prompt-injection data exfiltration for high-risk enterprise users – Lockdown Mode
  • Researchers demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be abused as stealthy C2 proxies, blending malicious traffic into legitimate enterprise browsing – AI as C2
  • Ireland’s DPC opened a large-scale GDPR probe into Grok over AI-generated nonconsensual deepfakes (including alleged child images), exposing the company to potential fines of up to 4% of global revenue under data-protection rules – Grok Deepfakes
  • Cloud forensics and automated, context-aware incident response are urged as cloud attacks outpace traditional IR, while experts warn AI is expanding the API attack blast radius – Cloud Forensics, API Blast Radius

Data Leaks & Privacy

  • Threat actors are offering millions of Eurail user records for sale, potentially exposing passenger data at scale – Eurail Records
  • Canada Goose says a leaked dataset attributed to ShinyHunters appears to be historical customer-transaction data and not from company systems, while the group continues credential-harvesting campaigns – Canada Goose
  • Citizen Lab found traces of Cellebrite extraction tools on Kenyan activist Boniface Mwangi’s phone, suggesting state use of commercial spyware and prompting calls for vendor transparency – Cellebrite Kenya

Developer & App Security

  • A scan of 5 million JavaScript bundles found > 42,000 exposed tokens (including GitLab/GitHub keys), prompting new SPA-focused secrets detection to catch secrets baked into builds – JS Secrets

OT & ICS Security

  • Security experts warn Industrial Control Systems remain exposed due to legacy hardware and protocols and call for OT-aware zero trust, microsegmentation, CTEM, and AI-assisted monitoring to defend critical infrastructure – ICS Insights

Law Enforcement & Legal Actions

  • A Glendale man was sentenced to 57 months for running darknet drug storefronts that shipped cocaine, meth, MDMA, and ketamine nationwide after an FBI JCODE-led probe dismantled the operation – Darknet Sentencing
  • Polish police detained an alleged cybercriminal tied to Phobos ransomware in actions connected to Operation Aether, following disruption of the group blamed for attacks on >1,000 organizations and ~$16 million in extortion payments – Phobos Arrest
  • A Spanish court ordered NordVPN and ProtonVPN to block 16 LaLiga piracy sites within Spain and preserved evidence in a dynamic-IP blocking order that VPNs say they were not notified about – Spain VPN Order

Industry Moves & Funding

  • Palo Alto Networks agreed to acquire security firm Koi in a reported $400 million transaction as it expands its product portfolio – Palo Alto Deal
  • Vulnerability intelligence startup VulnCheck raised $25 million in Series B funding to scale CVE tracking, exploit detection, and prioritized patching capabilities – VulnCheck Funding

Guidance & Service Incidents

  • The UK’s NCSC warned SMEs they are prime targets for opportunistic attacks and urged adoption of the government-backed Cyber Essentials baseline to close the awareness–action gap – NCSC Warning
  • Microsoft Teams experienced an outage affecting users in the United States and Europe that disrupted meeting joins, sign-ins, and chats due to a caching configuration change that was rolled back – Teams Outage

Cybersecurity News | Daily Recap – hendryadrian.com