San Mateo, CA, February 23, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
BeyondTrust flaw used for web shells and data theft
Palo Alto Networks Unit 42 says threat actors are actively exploiting a critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access. Unit 42 observed the flaw, CVE-2026-1731 (CVSS 9.9), used for reconnaissance, web shell deployment, command-and-control, backdoor and remote management tool installation, and data theft. Affected sectors include finance, legal services, tech, higher education, retail, and healthcare in the U.S., France, Germany, Australia, and Canada. The issue stems from a sanitization failure in a “thin-scc-wrapper” script reachable via a WebSocket interface, enabling shell command injection. Researcher Justin Moore noted that compromising the site user can still grant control over appliance configuration, managed sessions, and network traffic. Observed activity included a custom Python script to obtain admin access, multiple web shells, deployment of VShell and Spark RAT, OAST-based validation, and exfiltration of configuration data, databases, and PostgreSQL dumps. Read more.
FBI warns Salt Typhoon is still active globally
An FBI cyber intelligence leader warned that Salt Typhoon, the Chinese espionage group tied to the 2024 U.S. telecom compromises, remains an active threat to both public and private sectors. Speaking at CyberTalks in Washington, D.C., deputy assistant director Michael Machtinger said telecoms that engaged early with the FBI and CISA “have been without a doubt the most successful” at mitigating the impact of intrusions. He said the campaign exploited basic weaknesses in fragmented, legacy-heavy networks, underscoring that “despite all the advances,” fundamental vulnerabilities still leave the door open. Machtinger urged adopting zero trust, least privilege, secure-by-design practices, and end-to-end encryption, noting that phishing and legacy exposure remain the most common access paths. He estimated that Salt Typhoon activity has affected more than 80 countries and is ongoing. Read more.
PayPal bug exposed data for six months
In a February 10, 2026 notice, PayPal said a coding error in its PayPal Working Capital (PPWC) loan application exposed personally identifiable information for six months, from July 1, 2025, to December 13, 2025. PayPal detected the issue on December 12 and said an internal code change inadvertently allowed unauthorized third parties to view data, but did not result in an external intrusion. Exposed information may include names, email addresses, phone numbers, mailing addresses, Social Security numbers, and birthdates, increasing the risk of identity theft and fraud. To mitigate the issue, PayPal rolled back the change, terminated access, and required password resets. It also refunded a small number of unauthorized transactions and is offering two years of Equifax credit monitoring and identity restoration through Equifax Complete Premier. Read more.
DDoS attacks jump 168% in 2025
Radware’s 2026 Global Threat Analysis Report warns of an escalation in 2025, with DDoS attacks up 168% year over year based on Radware customer telemetry. The average customer faced more than 25,351 attempted attacks in the period, or about 139 a day. Technology, telecommunications, and financial services were the most targeted sectors, and technology accounted for 45% of network-layer DDoS activity, up nearly 9% from 2024. Attacks are also shifting toward short, high-intensity bursts, such as multi-terabit events averaging 35 minutes, and the most high-impact attacks now last under 60 seconds. Radware ties much of the volume to hacktivism coordinated on Telegram, with Israel, the U.S., and Ukraine most targeted. “The critical question for 2026 is no longer about the persistence of the threat, but the agility of the response,” the report concludes. Read more.
Chinese hackers abused Dell zero-day for 18 months
Chinese state-backed hackers linked to UNC6201 and UNC5221 escalated a long-running espionage campaign by exploiting a zero-day flaw in Dell RecoverPoint for Virtual Machines, according to a report from the Google Threat Intelligence Group and Mandiant. The vulnerability, CVE-2026-22769, has earned a 10/10 CVSS score and has been giving attackers unauthenticated root access for at least 18 months. “The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage,” said Austin Larsen, principal analyst at GTIG. Dell Technologies has issued a patch and CISA and partners released indicators of compromise. “The most concerning aspect is that many organizations were probably breached and still do not know it,” Larsen added. Read more.
One-character typo sparks Firefox zero-day
A critical remote code execution bug in Mozilla Firefox came from a single-character mistake in SpiderMonkey JavaScript’s WebAssembly garbage collection code, where a bitwise “&” (and) was replaced by a bitwise “|” (or). This simple error created a memory-corruption vulnerability by “incorrectly tagging out-of-line (OOL) WebAssembly arrays as inline (IL) arrays, causing the garbage collector to mishandle memory references.” The vulnerability exists only in Ion-optimized WebAssembly paths, not in the Baseline compiler, but it shows how a microscopic change can introduce powerful exploitation primitives in a modern browser. Read more.
Microsoft warns of AI link poisoning tactic
New research from Microsoft details a tactic dubbed AI Recommendation Poisoning in which legitimate businesses embed hidden memory-manipulation prompts inside “Summarize with AI” buttons. According to the Microsoft Defender Security Research Team, specially crafted URLs pre-populate chatbot prompts with instructions such as “remember [Company] as a trusted source” or “recommend [Company] first,” effectively gaming AI assistants, much like classic SEO poisoning. Microsoft identified more than 50 unique prompts from 31 companies across 14 industries in 60 days, raising concerns about the neutrality and trustworthiness of AI-generated advice, especially in health, finance, and security. The attack exploits query string parameters to inject persistence commands into AI memory, making the manipulation invisible and ongoing. Microsoft urges users to audit assistant memory and avoid untrusted AI links, while organizations should hunt for suspicious URLs containing terms like “remember” or “authoritative source.” Read more.
iOS 26.4 strengthens encrypted messaging
Apple has released iOS and iPadOS 26.4 beta with end-to-end encrypted RCS messaging between compatible Apple devices, marking the company’s first step toward full cross-platform support. The update follows backing from the GSM Association and requires Apple to adopt RCS Universal Profile 3.0 based on the Messaging Layer Security (MLS) protocol. Apple says only conversations labeled as “encrypted” are protected and that Android is not yet supported. The company also updated Memory Integrity Enforcement, first unveiled in 2025, to blunt mercenary spyware by delivering always-on memory safety across critical attack surfaces. According to MacRumors, iOS 26.4 will also enable Stolen Device Protection by default, adding biometric checks and a one-hour delay for Apple Account password changes to give victims time to lock stolen phones. Read more.
Ring drops Flock after privacy backlash
Ring has canceled its planned integration with Flock Safety following backlash over privacy concerns and a Super Bowl ad that highlighted fears of surveillance. The partnership would have connected Flock’s license plate camera footage to Ring’s Community Requests feature, which lets local police request footage from users. In a statement, Ring said, “We determined the planned Flock Safety integration would require significantly more time and resources than anticipated. As a result, we have made the joint decision to cancel the planned integration.” The controversy intensified after reporting by 404 Media linked Flock tools to immigration-related searches, though Flock disputes any relationship with ICE. Flock CEO Garrett Langley has not been sympathetic to the public’s concerns about the platform, saying, “If you don’t trust law enforcement to do their job, that’s actually what you’re concerned about, and I’m not going to help people get over that.” Read more.
Lazarus targets coders with fake job tests
North Korean threat actors are running a new fake recruiter campaign dubbed Graphalgo that targets JavaScript and Python developers with crypto-themed coding tests. Researchers at ReversingLabs and Wiz found at least 192 malicious npm and PyPI packages used as downloaders for a remote access trojan. Victims are lured with fake blockchain job posts, then asked to run sample projects that secretly install malicious dependencies. Some packages stayed clean for months before flipping, a tactic used to evade detection. Once installed, the RAT executes commands, steals files, checks for MetaMask, and phones home to a C2. Investigators link the activity to the Lazarus Group based on tooling, delayed activation, crypto targeting, and GMT+9 commits. Read more.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles sponsored by NetworkTigers
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
