Hello, world! I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into what kept us up at night recently in cybersecurity and AI security.
AI News:
First Android Malware Integrating Google's Gemini AI Discovered
Security researchers identified PromptSpy, the initial known Android malware incorporating generative AI into its operation. Masquerading as a legitimate Chase Bank application, it leverages Google's Gemini to monitor device screens in real-time and receive guidance on maintaining its position in recent apps to prevent closure. The malware provides attackers with complete device control, captures lockscreen credentials, records screen activity, and prevents removal through invisible overlays on uninstall buttons. It has never been distributed through Google Play, and devices with Google Play Services receive automatic protection.
Infostealers Now Extract OpenClaw AI Agent Files for Identity Theft
Security analysts detected an active infostealer infection where attackers extracted a victim's complete OpenClaw AI agent setup, including authentication credentials, private encryption keys, and personal memory files containing activity logs, private communications, and calendar information. The malware employed broad file-sweeping techniques rather than specialized modules. Stolen files enable attackers to remotely access the victim's local AI instance and authenticate messages as the victim's device.
Security Researchers Discover OpenClaw Log Poisoning Method
Security experts found that OpenClaw records unfiltered User-Agent and Origin header values from WebSocket connections, enabling attackers to inject nearly 15,000 characters into log files that the AI agent may subsequently process. When users request debugging assistance, the agent could ingest compromised logs and have its analysis manipulated. Testing showed OpenClaw's safety mechanisms detected and blocked the injected content, though researchers noted the payload capacity allows for more sophisticated attempts. The issue was resolved in version 2026.2.13.
Microsoft Copilot Bug Exposed Confidential Emails Despite DLP Policies
A Microsoft 365 Copilot defect caused the AI assistant to access and summarize emails from Sent Items and Drafts folders since late January, even when those messages had confidentiality labels and data loss prevention policies restricting automated processing. Microsoft acknowledged a coding error permitted Copilot to access labeled content and deployed a fix in early February. The company clarified the bug didn't grant unauthorized access to information users couldn't already see, and by mid-February stated the underlying issue was resolved for most customers.
Self-Propagating NPM Worm Targets AI Development Tools
A newly identified NPM worm steals API credentials, tokens, and environment settings from developer systems while spreading through the NPM ecosystem using compromised maintainer accounts to publish malicious package versions. The worm uses typosquatting for initial installation and delays malicious activity by 48 hours to evade detection. Once operational, it injects malicious MCP server settings into AI coding platforms including Claude Code, Cursor, and VS Code, modifies global Git configurations, and transmits stolen information to attacker infrastructure. Any potentially infected system should be considered fully compromised with all credentials immediately rotated.
Cline CLI Compromise Silently Deployed OpenClaw on Developer Systems
On February 17, 2026, an unauthorized actor used a compromised npm publishing credential to release cline@2.3.0 to the npm registry, where it remained available for roughly eight hours before deprecation. The modification consisted solely of a postinstall script that quietly installed OpenClaw. The credential compromise is believed to stem from the GitHub Actions cache poisoning vulnerability documented by researcher Adnan Khan who privately reported the underlying flaw six weeks prior before public disclosure on February 9. Users who installed or updated Cline CLI on February 17 should upgrade to version 2.4.0 or higher and execute npm uninstall -g openclaw for removal.
Microsoft Publishes Research on Authenticating Real vs AI-Generated Media
Microsoft Research released an evaluation examining three approaches for confirming whether digital content is authentic or AI-generated: secure provenance through C2PA standards, imperceptible watermarking, and soft hash fingerprinting. The analysis determined that high-confidence verification is possible when C2PA provenance manifests are implemented in secure settings, becoming more dependable when combined with imperceptible watermarks as redundancy. The research also identified sociotechnical provenance attacks as a new threat category, where genuine content can appear synthetic and synthetic content can appear genuine. Fingerprinting was determined insufficient for high-confidence validation with significant scalability costs, though useful for manual forensics.
Claude-Assisted Smart Contract Error Results in $1.8 Million DeFi Loss
DeFi protocol Moonwell suffered approximately $1.8 million in losses following a critical pricing mistake in code co-written with Claude Opus 4.6, according to GitHub records. The misconfiguration caused an oracle to display cbETH's price as roughly $1.12 instead of its actual $2,200 market value, triggering liquidation bots to immediately target cbETH collateral positions and creating $1.78 million in bad debt. Moonwell's incident report doesn't reference AI involvement, attributing the problem solely to oracle misconfiguration. The event has generated security community discussion about AI-assisted smart contract development risks.
Low-Skill Attacker Uses Commercial AI to Compromise 600+ Fortinet Devices
Amazon Threat Intelligence monitored a financially motivated actor who utilized multiple commercial generative AI platforms to compromise over 600 FortiGate devices spanning more than 55 countries. The actor demonstrated low-to-medium technical capabilities but employed AI to create attack strategies, develop custom tools, and coordinate post-exploitation activities at a scale previously requiring much larger teams. Initial access derived entirely from exposed management interfaces and weak single-factor authentication, with no FortiGate vulnerabilities exploited. After gaining access, the actor focused on Active Directory environments and Veeam backup servers, consistent with pre-ransomware patterns.
Anthropic Launches Claude Code Security in Limited Preview
Anthropic introduced Claude Code Security, currently available in limited research preview for Enterprise and Team customers. Using Claude Opus 4.6, their team identified over 500 vulnerabilities in production open-source codebases that remained undetected for decades, and open-source maintainers can request free, expedited access.
OpenAI Releases Smart Contract Security Benchmark
OpenAI and Paradigm launched EVMbench, a benchmark evaluating AI agents on their capability to identify, repair, and exploit high-severity smart contract vulnerabilities sourced from 120 curated vulnerabilities across 40 actual audits. Accompanying the release, OpenAI pledged $10 million in API credits supporting defensive cybersecurity research, particularly for open-source software and critical infrastructure.
Critical Flaw in 72 Million Install VS Code Extension Enables File Theft
Security researchers discovered a critical vulnerability in the Live Server VS Code extension, installed over 72 million times, permitting unauthenticated attackers to extract files from developer machines simply by sending malicious links while the extension operates. Live Server lacks default CORS protections, allowing any remote webpage to execute cross-origin requests to localhost:5500 and recursively access and steal files including source code, environment settings, API credentials, and passwords. The vulnerability was disclosed in August 2025 with no maintainer response as of current reporting.
Attackers Weaponize Google Services to Distribute OS-Specific Malware
Security analysts identified a global malware operation abusing Google Groups, Google Docs, and Google Drive for malware distribution, with over 4,000 malicious Google Groups and 3,500 Google-hosted URLs detected in their dataset. The campaign employs malicious redirectors detecting victim operating systems and delivering tailored payloads: Windows users receive Lumma infostealer harvesting browser credentials, saved passwords, and session cookies before exfiltration, while Linux users receive Ninja Browser, a trojan disguised as a privacy-focused Chromium browser that silently installs malicious extensions, steals credentials, and establishes daily scheduled tasks for attacker-controlled updates. Targeted brand names are embedded in malicious Google content for credibility, with victims including customers of major financial and technology organizations.
Eurail Confirms Customer Data Including Passport Numbers Being Sold
Eurail B.V. acknowledged a security breach resulting in unauthorized access to customer information, including order and reservation details, basic identity and contact information, and in certain cases passport numbers, issuing countries, and expiration dates. The compromised data has been listed for sale on the dark web with a sample dataset published on Telegram, though Eurail states it doesn't retain bank or credit card information. Affected customers are advised to update Rail Planner app passwords, monitor bank accounts for suspicious activity, and remain cautious of unsolicited communications requesting personal details.
Nearly 1 Million Figure Fintech Accounts Exposed in Social Engineering Attack
Blockchain-native fintech Figure Technology Solutions was breached through a social engineering attack where an employee was manipulated into providing access, resulting in data theft from over 950,000 accounts including names, email addresses, phone numbers, physical addresses, and birth dates. The ShinyHunters extortion group claimed responsibility and published 2.5GB of stolen information on their dark web leak site.
Hackers Access France's National Bank Account Registry Using Stolen Credentials
The French Ministry of Finance revealed that a threat actor utilized credentials stolen from a civil servant to access FICOBA, France's centralized national bank account registry, exposing information from approximately 1.2 million accounts. The compromised data includes bank account details such as RIBs and IBANs, account holder identity information, physical addresses, and in certain cases taxpayer identification numbers. FICOBA remains offline while the Ministry of Finance, DGFiP, and ANSSI work to restore the system with strengthened security.
—
That's all for now… Stay informed and protected.