This week demonstrates that the cyber threat space is constantly evolving. Across platforms, tools, and industries, new threats, new strategies, and new security flaws are emerging, often at the same time. Some developments make headlines.

Others have a lasting effect but remain in the background. Collectively, they influence how defenders should currently approach exposure, response, and readiness.

"Cuckoo Stealer is a feature-rich macOS infostealer and RAT that maintains encrypted HTTPS command-and-control communications, removes quarantine attributes, and creates LaunchAgent persistence. In addition to more than 20 cryptocurrency wallet apps, it gathers browser credentials, session tokens, macOS Keychain information, Apple Notes, messaging sessions, and VPN and FTP configurations." The use of "dscl . -authonly" has been seen in Atomic Stealer attacks in the past.

A 47-year-old man has been arrested by Poland's Central Bureau for Combating Cybercrime (CBZC) due to possible connections to the Phobos ransomware group. He could be imprisoned for up to five years.

"These campaigns specifically targeted sectors like government and corporate entities in addition to disseminating generic spam."

The attacks mainly targeted organizations using Atlassian Jira and ran from late December 2025 to late January 2026. Financial gain was probably the primary goal: the emails were designed to entice recipients to open them and click on malicious links, which started a chain of redirects powered by the Keitaro Traffic Distribution System (TDS) and ultimately led to pages selling investment scams and online casino landing sites. America.

The patch must be applied by Federal Civilian Executive Branch (FCEB) agencies by March 11, 2026, after the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-22175 to its Known Exploited Vulnerabilities (KEV) catalog on February 18, 2026. CISA stated that "when requests to the internal network for webhooks are enabled, GitLab contains a server-side request forgery (SSRF) vulnerability."

According to the Polish Army, "modern vehicles equipped with advanced communication systems and sensors can collect and transmit data, so their presence in protected zones requires appropriate safety regulations."

To guarantee the highest standards of defense infrastructure protection, preventive measures that adhere to NATO and other allies' practices have been implemented.

They are part of a larger process of modifying security protocols to meet the demands of modern critical infrastructure protection and the evolving technological landscape.

To get around email security measures, malicious actors are misusing valid invoices and dispute notifications from reliable suppliers such as Dropbox Sign (formerly HelloSign), Apple, PayPal, and DocuSign. "When creating an invoice or notification, these platforms frequently let users add a custom note or enter a 'seller name,'" according to INKY, which is owned by Casey. "By entering a phone number and scam instructions into those user-controlled fields, attackers take advantage of this feature."

In a related development, Germany's Federal Office for Information Security (BSI) reported evidence of exploitation since the summer of 2025 and, as early as July 2025, urged organizations to audit their systems for indicators of compromise (IoCs).

According to recent research by Irregular, passwords created directly by a large language model (LLM) are inherently insecure even though they might seem strong, because "LLMs are designed to predict tokens – the opposite of securely and uniformly sampling random characters." The artificial intelligence (AI) security firm said it had identified LLM-generated passwords in the real world while working on code development tasks, where the passwords were produced by the model itself instead of by conventional secure password generation techniques.
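The "secure technique" the research recommends in place of model output is uniform sampling from a cryptographically secure source. The following is an added illustration, not code from Irregular or from the article: it draws each character from the OS CSPRNG via Python's secrets module and sizes the password so that, under that uniform model, it carries a chosen number of entropy bits. The 128-bit default and the 94-symbol alphabet are choices made for this example.

```python
import math
import secrets
import string

# Printable ASCII minus whitespace: 94 distinct symbols (an assumption for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn independently and
    uniformly at random: length * log2(alphabet_size). The bound holds only
    for a uniform source; it says nothing about a token-predicted string."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits under uniform sampling."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: float = 128, alphabet: str = ALPHABET) -> str:
    """Draw every character with secrets.choice: uniform over the alphabet and
    independent of the characters already chosen, unlike next-token prediction."""
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
```

An agent that needs a credential should call a routine like this (or the platform's equivalent) rather than emit the string from the model.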

"People and coding agents should not rely on LLMs to generate passwords," the company stated.

"Secure password generation is incompatible with LLMs' optimized outputs, which are predictable and believable. Instead of using LLM-output passwords, AI coding agents should be instructed to generate passwords using secure techniques."

The threat actor "padded the malware with millions of repeats of a colorful Vietnamese phrase translating to 'f*** you, Morphisec,'" according to Morphisec's most recent analysis of Noodlophile, indicating that the operators were not overly excited about being discovered.

According to security researcher Michael Gorelik, "not just to vent frustration over disrupted campaigns, but also to bloat the file and crash AI-based analysis tools that are based on the Python disassemble library – dis.dis(obj)."
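Padding a sample with millions of copies of one phrase bloats it far beyond what real code occupies, and a pipeline that feeds every blob straight into dis.dis pays for that. A cheap pre-screen is to check how well the blob compresses: repeated filler compresses by orders of magnitude more than genuine source or bytecode. The code below is an added example, not Morphisec's tooling; the size and ratio thresholds are assumptions chosen for the demonstration, and the padded sample uses a placeholder phrase rather than the real one.

```python
import zlib

# Thresholds are assumptions for this example, not figures from the Noodlophile report.
MAX_BYTES = 16 * 1024 * 1024      # refuse to disassemble anything larger than this
MAX_COMPRESSION_RATIO = 50.0      # ordinary source or bytecode rarely exceeds ~5x


def compression_ratio(data: bytes) -> float:
    """Uncompressed size divided by deflate-compressed size. Millions of repeats
    of a single phrase compress far more than real code ever does."""
    if not data:
        return 1.0
    return len(data) / len(zlib.compress(data, 9))


def triage(data: bytes) -> dict:
    """Decide whether a blob is cheap enough to hand to a dis.dis-based analyzer."""
    ratio = compression_ratio(data)
    suspect = len(data) > MAX_BYTES or ratio > MAX_COMPRESSION_RATIO
    return {
        "size": len(data),
        "compression_ratio": round(ratio, 1),
        "suspect_padding": suspect,
        "safe_to_disassemble": not suspect,
    }


# Constructed samples: a short, varied script, and the same script padded with a
# placeholder phrase repeated 100,000 times (standing in for the real taunt).
LEGIT = (
    b"import base64, sys\n"
    b"def load(path):\n"
    b"    with open(path, 'rb') as f:\n"
    b"        return base64.b64decode(f.read())\n"
    b"print(len(load(sys.argv[1])))\n"
)
PADDED = LEGIT + b"<repeated-taunt-placeholder> " * 100_000

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT), ("padded", PADDED)):
        print(name, triage(blob))
```

Blobs flagged as suspect can be routed to a size-limited worker with a timeout instead of crashing the shared analysis host.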

The OpenSSL project has fixed a stack buffer overflow vulnerability that, in some circumstances, could lead to remote code execution. The flaw, identified as CVE-2025-15467, lies in how the library handles Cryptographic Message Syntax (CMS) data. Threat actors can crash OpenSSL or run malicious code by supplying CMS packets with maliciously constructed AEAD parameters.