⚡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More

Cyber threats are no longer coming from just malware or exploits. They’re showing up inside the tools, platforms, and ecosystems organizations use every day. As companies connect AI, cloud apps, developer tools, and communication systems, attackers are following those same paths.

A clear pattern this week: attackers are abusing trust. Trusted updates, trusted marketplaces, trusted apps, even trusted AI workflows. Instead of breaking security controls head-on, they’re slipping into places that already have access.

This recap brings together those signals — showing how modern attacks are blending technology abuse, ecosystem manipulation, and large-scale targeting into a single, expanding threat surface.

⚡ Threat of the Week

OpenClaw announces VirusTotal Partnership — OpenClaw has announced a partnership with Google’s VirusTotal malware scanning platform to scan skills that are being uploaded to ClawHub as part of a defense-in-depth approach to improve the security of the agentic ecosystem. The development comes as the cybersecurity community has raised concerns that autonomous artificial intelligence (AI) tools’ persistent memory, broad permissions, and user‑controlled configuration could amplify existing risks, leading to prompt injections, data exfiltration, and exposure to unvetted components. This has also been complemented by the discovery of malicious skills on ClawHub, a public skills registry to augment the capabilities of AI agents, once again demonstrating that marketplaces are a gold mine for criminals who populate the store with malware to prey on developers. To make matters worse, Trend Micro disclosed that it observed malicious actors on the Exploit.in forum actively discussing the deployment of OpenClaw skills to support activities such as botnet operations. Another report from Veracode revealed that the number of packages on npm and PyPI with the name “claw” has increased exponentially from nearly zero at the start of the year to over 1,000 as of early February 2026, providing new avenues for threat actors to smuggle malicious typosquats. “Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but also across entire organizations,” Trend Micro said. “Open-source agentic tools like OpenClaw require a higher baseline of user security competence than managed platforms.” 

Bad Actors Are Using New AI Capabilities and Powerful AI Agents

Traditional firewalls and VPNs aren’t helping—instead, they’re expanding your attack surface and enabling lateral threat movement. They’re also more easily exploited with AI-powered attacks. It’s time for Zero Trust + AI.

Learn More ➝

🔔 Top News

• German Agencies Warn of Signal Phishing — Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The attacks have been mainly directed at high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. The attack chains exploit legitimate PIN and device linking features in Signal to take control of victims’ accounts.
• AISURU Botnet Behind 31.4 Tbps DDoS Attack — The botnet known as AISURU/Kimwolf has been attributed to a record-setting distributed denial-of-service (DDoS) attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds. The attack took place in November 2025, according to Cloudflare, which automatically detected and mitigated the activity. AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025. In all, DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour.
• Notepad++ Hosting Infrastructure Breached to Distribute Chrysalis Backdoor — Between June and October 2025, threat actors quietly and very selectively redirected traffic from Notepad++’s updater program, WinGUp, to an attacker-controlled server that downloaded malicious executables. While the attacker lost their foothold on the third-party hosting provider’s server on September 2, 2025, following scheduled maintenance where the server firmware and kernel were updated. However, the attackers still had valid credentials in their possession, which they used to continue routing Notepad++ update traffic to their malicious servers until at least December 2, 2025. The adversary specifically targeted the Notepad++ domain by taking advantage of its insufficient update verification controls that existed in older versions of Notepad++. The findings show that updates cannot be treated as trusted just because they come from a legitimate domain, as the blind spot can be abused as a vector for malware distribution. The sophisticated supply chain attack has been attributed to a threat actor known as Lotus Blossom. “Attackers prize distribution points that touch a large population,” a Forrester analysis said. “Update servers, download portals, package managers, and hosting platforms become efficient delivery systems, because one compromise creates thousands of downstream victims.”
• DockerDash Flaw in Docker AI Assistant Leads to RCE — A critical-severity bug in Docker’s Ask Gordon AI assistant can be exploited to compromise Docker environments. Called DockerDash, the vulnerability exists in the Model Context Protocol (MCP) Gateway’s contextual trust, where malicious instructions embedded into a Docker image’s metadata labels are forwarded to the MCP and executed without validation. This is made possible because the MCP Gateway does not distinguish between informational metadata and runnable internal instructions. Furthermore, the AI assistant trusts all image metadata as safe contextual information and interprets commands in metadata as legitimate tasks. Noma Security named the technique meta-context injection. It was addressed by Docker with the release of version 4.50.0 in November 2025.
• Microsoft Develops Scanner to Detect Hidden Backdoors in LLMs — Microsoft has developed a scanner designed to detect backdoors in open-weight AI models in hopes of addressing a critical blind spot for enterprises that are dependent on third-party large language models (LLMs). The company said it identified three observable indicators that suggest the presence of backdoors in language models: a shift in how a model pays attention to a prompt when a hidden trigger is present, almost independently from the rest of the prompt; models tend to leak their own poisoned data, and partial versions of the backdoor can still trigger the intended response. “The scanner we developed first extracts memorized content from the model and then analyzes it to isolate salient substrings,” Microsoft noted. “Finally, it formalizes the three signatures above as loss functions, scoring suspicious substrings and returning a ranked list of trigger candidates.”

‎️‍🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-25049 (n8n), CVE-2026-0709 (Hikvision Wireless Access Point), CVE-2026-23795 (Apache Syncope), CVE-2026-1591, CVE-2026-1592 (Foxit PDF Editor Cloud), CVE-2025-67987 (Quiz and Survey Master plugin), CVE-2026-24512 (ingress-nginx), CVE-2026-1207, CVE-2026-1287, CVE-2026-1312 (Django), CVE-2026-1861, CVE-2026-1862 (Google Chrome), CVE-2026-20098 (Cisco Meeting Management), CVE-2026-20119 (Cisco TelePresence CE Software and RoomOS), CVE-2026-0630, CVE-2026-0631, CVE-2026-22221, CVE-2026-22222, CVE-2026-22223, CVE-2026-22224, CVE-2026-22225, CVE-2026-22226, 22227, CVE-2026-22229 (TP-Link Archer BE230), CVE-2026-22548 (F5 BIG-IP), CVE-2026-1642 (F5 NGINX OSS and NGINX Plus), and CVE-2025-6978 (Arista NG Firewall).

📰 Around the Cyber World

• OpenClaw is Riddled With Security Concerns — The skyrocketing popularity of OpenClaw (née Clawdbot and Moltbot) has attracted cybersecurity worries. With artificial intelligence (AI) agents having entrenched access to sensitive data, giving “bring-your-own-AI” systems privileged access to applications and the user conversations carries significant security risks. The architectural concentration of power means AI agents are designed to store secrets and execute actions – features that are all essential to meet their objectives. But when they are misconfigured, the very design that serves as their backbone can collapse multiple security boundaries at once. Pillar Security has warned that attackers are actively scanning exposed OpenClaw gateways on port 18789. “The traffic included prompt injection attempts targeting the AI layer — but the more sophisticated attackers skipped the AI entirely,” researchers Ariel Fogel and Eilon Cohen said. “They connected directly to the gateway’s WebSocket API and attempted authentication bypasses, protocol downgrades to pre-patch versions, and raw command execution.” Attack surface management firm Censys said it identified 21,639 exposed OpenClaw instances as of January 31, 2026. “Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust,” said Hudson Rock. “Without encryption-at-rest or containerization, the ‘Local-First’ AI revolution risks becoming a goldmine for the global cybercrime economy.”
• Prompt Injection Risks in MoltBook — A new analysis of MoltBook posts has revealed several critical risks, including “506 prompt injection attacks targeting AI readers, sophisticated social engineering tactics exploiting agent psychology,” anti-human manifestos receiving hundreds of thousands of upvotes, and unregulated cryptocurrency activity comprising 19.3% of all content,” according to Simula Research Laboratory. British programmer Simon Willison, who coined the term prompt injection in 2022, has described Moltbook as the “most interesting place on the internet right now.” Vibe, coded by its creator, Matt Schlicht, Moltbook marks the first time AI agents built atop the OpenClaw platform can communicate with each other, post, comment, upvote, and create sub-communities without human intervention. While Moltbook is pitched as a way to offload tedious tasks, equally apparent are the security pitfalls, given the deep access the AI agents have to personal information. Prompt injection attacks hidden in natural language text can instruct an AI agent to reveal private data.
• Malicious npm Packages Use EtherHiding Technique — Cybersecurity researchers have discovered a set of 54 malicious npm packages targeting Windows systems that use an Ethereum smart contract as a dead drop resolver to fetch a command-and-control (C2) server to receive next-stage payloads. This technique, codename EtherHiding, is notable because it makes takedown efforts more difficult, allowing the operators to modify the infrastructure without making any changes to the malware itself.”The malware includes environment checks designed to evade sandbox detection, specifically targeting Windows systems with 5 or more CPUs,” Veracode said. Other capabilities of the malware include system profiling, registry persistence via a COM hijacking technique, and a loader to execute the second-stage payload delivered by the C2. The C2 server is currently inactive, making it unclear what the exact motives are.
• Ukraine Rolls Out Verification for Starlink — Ukraine has rolled out a verification system for Starlink satellite internet terminals used by civilians and the military after confirming that Russian forces have begun installing the technology on attack drones. The Ukrainian government has introduced a mandatory allowlist for Starlink terminals, as part of which only verified and registered devices will be allowed to operate in the country. All other terminals will be automatically disconnected.
• Cellebrite Tech Used Against Jordanian Civil Society — The Jordanian government used Cellebrite digital forensic software to extract data from phones belonging to at least seven Jordanian activists and human rights defenders between late 2023 and mid-2025, according to a new report published by the Citizen Lab. The extractions occurred while the activists were being interrogated or detained by authorities. Some of the recent victims were activists who organized protests in support of Palestinians in Gaza. Citizen Lab said it uncovered iOS and Android indicators of compromise tied to Cellebrite in all four phones it forensically analyzed. It’s suspected that authorities have been using Cellebrite since at least 2020.
• ShadowHS, a Fileless Linux Post‑Exploitation Framework — Threat hunters have discovered a stealthy Linux framework that runs entirely in memory for covert, post-exploitation control. The activity has been codenamed ShadowHS by Cyble. “Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems,” the company said. “The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions.” The framework supports various dormant modules that support credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and data exfiltration.
• Incognito Operator Gets 30 Years in Prison — Rui-Siang Lin, 24, was sentenced to 30 years in U.S. prison for his role as an administrator of Incognito Market, which facilitated millions of dollars’ worth of drug sales. Lin ran Incognito Market from January 2022 to March 2024 under the moniker “Pharaoh,” enabling the sale of more than $105 million of narcotics. Incognito Market allowed about 1,800 vendors to sell to a customer base exceeding 400,000 accounts. In all, the operation facilitated about 640,000 narcotics transactions. Lin was arrested in May 2024, and he pleaded guilty to the charges later that December. “While Lin made millions, his offenses had devastating consequences,” said U.S. Attorney Jay Clayton. “He is responsible for at least one tragic death, and he exacerbated the opioid crisis and caused misery for more than 470,000 narcotics users and their families.”
• INC Ransomware Group’s Slip-Up Proves Costly — Cybersecurity firm Cyber Centaurs said it has helped a dozen victims recover their data after breaking into the backup server of the INC Ransomware group, where the stolen data was dumped. The INC group started operations in 2023 and has listed more than 100 victims on its dark web leak site. “While INC Ransomware demonstrated careful planning, hands-on execution, and effective use of legitimate tools (LOTL), they also left behind infrastructure and artifacts that reflected reuse, assumption, and oversight,” the company said. “In this instance, those remnants, particularly related to Restic, created an opening that would not normally exist in a typical ransomware response.”
• Xinbi Marketplace Accounts for $17.9B in Total Volume — A new analysis from TRM Labs has revealed that the illicit Telegram-based guarantee marketplace known as Xinbi has continued to remain active, while those of its competitors, Haowang (aka HuiOne) Guarantee and Tudou Guarantee, dropped by 100% and 74%, respectively. Wallets associated with Xinbi have received approximately $8.9 billion and processed roughly $17.9 billion in total transaction volume. “Guarantee services attract illicit actors by offering informal escrow, wallet services, and marketplaces with minimal due diligence, making them a critical laundering facilitator layer,” the blockchain intelligence firm said.
• XBOW Uncovers 2 IDOR Flaws in Spree — AI-powered offensive security platform discovered two previously unknown Insecure Direct Object Reference (IDOR) vulnerabilities (CVE-2026-22588 and CVE-2026-22589) in Spree, an open-source e-commerce platform, that allows an attacker to access guest address information without supplying valid credentials or session cookies and retrieve other users’ address information by editing an existing, legitimate order. The issues were fixed in Spree version 5.2.5.

🎥 Cybersecurity Webinars

• Cloud Forensics Is Broken — Learn From Experts What Actually Works: Cloud attacks move fast and often leave little usable evidence behind. This webinar explains how modern cloud forensics works—using host-level data and AI to reconstruct attacks faster, understand what really happened, and improve incident response across SOC teams.
• Post-Quantum Cryptography: How Leaders Secure Data Before Quantum Breaks It: Quantum computing is advancing fast, and it could eventually break today’s encryption. Attackers are already collecting encrypted data now to decrypt later when quantum power becomes available. This webinar explains what that risk means, how post-quantum cryptography works, and what security leaders can do today—using practical strategies and real deployment models—to protect sensitive data before quantum threats become reality.

🔧 Cybersecurity Tools

• YARA Rule Skill (Community Edition): It is a tool that helps an AI agent write, review, and improve YARA detection rules. It analyzes rules for logic errors, weak strings, and performance problems using established best practices. Security teams use it to strengthen malware detection, improve rule accuracy, and ensure rules run efficiently with fewer false positives.
• Anamnesis: It is a research framework that tests how LLM agents turn a vulnerability report and a small trigger PoC into working exploits under real defenses (ASLR, NX, RELRO, CFI, shadow stack, sandboxing). It runs controlled experiments to see what bypasses work, how consistent the results are across runs, and what that implies for practical risk.

Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion

The takeaway this week is simple: exposure is growing faster than visibility. Many risks aren’t coming from unknown threats, but from known systems being used in unexpected ways. Security teams are being forced to watch not just networks and endpoints, but ecosystems, integrations, and automated workflows.

What matters now is readiness across layers — software, supply chains, AI tooling, infrastructure, and user platforms. Attackers are operating across all of them at once, blending old techniques with new access paths.

Staying secure is no longer about fixing one flaw at a time. It’s about understanding how every connected system can influence the next — and closing those gaps before they’re chained together.