Cloudy Journey

Friday, February 13, 2026

The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good | Authorities Crack Down on Identity, Romance Baiting & Phishing Schemes

Two individuals have been indicted for a years-long scheme that used stolen identities from 3,000 victims to siphon $3 million from sportsbooks. Amitoj Kapoor and Siddharth Lillaney allegedly bought personally identifying information (PII) on dark markets and Telegram, opened thousands of fake accounts on FanDuel, DraftKings, and BetMGM, and harvested new-user bonuses.

The pair allegedly used background-check services to pass verification checks and cashed out winnings via prepaid cards into controlled accounts. Prosecutors have filed for charges of fraud, identity theft, and money laundering charges carrying several decades in prison.

In further crackdowns on fraudulent schemes, a dual Chinese and St. Kitts & Nevis fugitive has been sentenced in absentia to 20 years for orchestrating a romance baiting crypto scam worth over $73 million.

Daren Li built trust with victims via messaging and dating apps before steering them into fake investments, then laundering the stolen funds through shell companies, U.S. bank accounts, and cryptocurrency platforms using assets like Tether. Arrested in 2024, Li fled two months ago while awaiting sentencing. Investigators tied the syndicate to hundreds of millions in laundered crypto and wider global losses.

Police in the Netherlands have arrested a man for allegedly selling access to JokerOTP, a phishing-as-a-service (PhaaS) tool that intercepts one-time passwords to hijack accounts. The suspect, the third arrest in a three-year long probe, allegedly marketed licenses via Telegram to criminals who used automated calls to impersonate trusted companies and trick victims into revealing codes and sensitive data.

Authorities say the service enabled over 28,000 attacks across 13 countries, causing roughly $10 million in losses and targeting accounts on PayPal, Venmo, Coinbase, and Apple. While investigations continue, dozens of JokerOTP bot buyers have already been identified and face prosecution in due time.

The Bad | APT Groups Weaponize Google Gemini in All Stages of Cyber Kill Chain

State-backed hackers and cybercriminals are increasingly exploiting Google’s Gemini AI to streamline their attacks from initial reconnaissance to post-compromise operations. According to new research, actors linked to China, Iran, North Korea, and Russia used the model for target profiling, phishing lure generation, translation, coding, vulnerability testing, command-and-control development, and data exfiltration.

Some operatives even posed as cybersecurity experts to trick the AI tool into producing detailed exploitation plans, including remote code execution (RCE) and web-application (WAF) firewall bypass techniques against specific targets in the U.S.

Iranian-linked threat group APT42 leveraged the model to accelerate social engineering campaigns and tailor malicious tools, while others integrated AI-assisted capabilities into malware such as a CoinBait phishing kit and HonestCue malware launcher. Criminal groups also used generative AI in ClickFix campaigns that delivered infostealing malware through deceptive troubleshooting ads. Researchers also noted signs of AI-generated code in malware artifacts, indicating that generative platforms are already shaping attacker toolchains.

Beyond direct abuse, the report observed attempts to extract and replicate Gemini itself through large-scale querying and “knowledge distillation” techniques, in which actors use data from one model to train fresh, more advanced ones. While this mostly threatens AI vendors’ intellectual property, it could also eventually affect end users of the tool as AI-as-a-Service continues to rise.

Google says it has disabled the malicious accounts and continues to harden its defenses to limit misuse and make it more difficult to exploit. However, researchers warn that AI integration will likely accelerate threat actor capabilities across cybercrime ecosystems, lowering barriers to entry and increasing the speed, scale, and sophistication of future attacks.

The Ugly | China-Based Actors Hit Major Singaporean Telcos in Ongoing Espionage Campaign

Singapore’s Cyber Security Agency (CSA) revealed this week that the China-linked threat actor UNC3886 has targeted each of the country’s four largest telecommunications (teleco) providers – Singtel, StarHub, M1, and Simba Telecom – at least once last year.

Using sophisticated tools and zero-day exploits, the APT gained limited access to critical systems. While it did not disrupt services or exfiltrate sensitive customer data, rootkits helped UNC3886 maintain stealthy persistence while siphoning technical data to support operational objectives.

CSA has since responded with “Operation Cyber Guardian”, an 11-month long campaign bringing together over 100 investigators across six government agencies to support. Authorities closed access points in the teleco networks, expanded monitoring, and blocked attempts to pivot into banking, transport, or healthcare networks. The agency also emphasized that while UNC3886’s intrusions were deliberate and well-planned, mitigation measures were able to prevent major disruption.

Active since at least 2022, the PRC-based actor is known to target virtualization technologies and edge devices, often fabricating scenarios to test and exploit vulnerabilities without triggering alerts. Previous activity included targeting telecommunications networks in the U.S. and Canada with the goal of developing cross-border espionage capabilities.

CSA described UNC3886 as “an advanced persistent threat with deep capabilities”, noting that the recent campaign demonstrates the ongoing risk to critical national infrastructure. The agency stressed the importance of cyber defense readiness, stating that rapid remediation, monitoring, and coordinated response measures continue to be key to containing the attacks and protecting Singapore’s teleco sector.

from SentinelOne https://ift.tt/0m6QH9P
via IFTTT

Vault certificates and secrets inventory reporting: Improve visibility and audit readiness

HashiCorp Vault users need to have continuous answers to questions like:

What secrets and certificates do we have?
What do we know about them?
Do any of them require action?

Typically this is done by collecting and analyzing logs, or additional visibility tools in HCP Vault Dedicated. Now, HCP Vault users have access to additional visibility and reporting capabilities with certificates and secrets inventory reporting, a new feature set now available in beta.

These new dashboards visualize access patterns, secret usage, and policy adherence for improved compliance and reporting. Learn more about these features in this post.

The reporting gap in secrets and certificate management

Teams need to understand what secrets and certificates exist, where they’re used, who owns them, and whether they comply with policy. When that information is spread across fragmented silos, risk assessment becomes impossible and audits turn into a scramble.

Teams can spend weeks, or months, tracking down certificate details across multiple systems and manually reconciling inconsistent records. In many cases, they end up building custom integrations or stitching together multiple tools just to assemble the evidence auditors need, pulling time and budget away from higher-value security and platform work.

This pressure is especially high in regulated industries such as finance, insurance, and government. Regulatory frameworks increasingly require organizations to show demonstrable control over sensitive credentials and the systems that rely on them. Without reliable reporting, proving that control becomes a recurring fire drill.

Centralizing secrets and certificate management on one security platform with standardized workflows and policy is the first step to fixing this gap, but that security platform also needs great reporting features, or you’ll still be scrambling.

Secrets and certificates inventory reporting features

Secrets and certificates inventory reporting provides a comprehensive view of all secrets managed by Vault, giving teams the ability to drill into critical details with:

Full inventory visibility: Understand what secrets exist, where they live, and how they're distributed across your environment
Lifecycle insights:
- Identify risky, long-lived secrets
- Evaluate when a secret was last accessed or rotated
- Make informed decisions about lifecycle management using data to drive decisions as well as policy
Advanced filtering: Explore secrets by type, distribution, and access patterns to pinpoint areas that need attention
Exportable data: Export reports in CSV and JSON formats to feed into compliance workflows, SIEM tools, or GRC platforms like ServiceNow

These features go beyond simple dashboards, with actionable intelligence that helps security teams end reactive bad practices and become fully proactive at identifying risks and demonstrating compliance (without the manual overhead).

Inventory reporting availability

Secrets inventory reporting is available for Azure and AWS clusters for HCP Vault Dedicated customers. Customers can toggle on reporting for new and existing clusters.

Inventory reports are supported for the following secrets engines:

Key-Value secrets engine v1
Key-Value secrets engine v2
Database secrets engine
PKI secrets engine

Certificates inventory reporting is available for the following certificate types:

SCEP
ACME
Vault self-signed certificates

We plan to support additional credentials in the near future.

How inventory reporting supports CISOs, GRC analysts, and security engineers

Secrets and certificates inventory reporting is designed for the team members who live at the intersection of security and governance:

The CISO preparing a board presentation on risk reduction — they need a simple, single pane of glass
The GRC analyst who needs to quickly compile evidence for an audit — they don't want to scan hundreds of repositories one-by-one
The security engineer trying to clean up years of accumulated credentials — they need to quickly understand which are in use and which can be safely decommissioned (HCP Vault Radar is also a key piece of this workflow)

By surfacing this data directly within the Vault ecosystem, teams no longer need to build custom tooling or rely on incomplete audit logs to answer fundamental questions about their secrets posture.

A look at the inventory reporting UI

The HCP Vault Dedicated UI has two inventory reporting tabs:

Secrets Inventory
Certificates Inventory

Secrets inventory

In the secrets inventory tab, you'll see each secret with a name, type, engine, mount path, create date, access date, and modification date. Users can create saved views to quickly show information with relevant filters, sorting, and column selection. The Secrets Inventory tab has three saved views out of the box:

Unused secrets: Static secrets that have not been accessed in 90+ days
Upcoming secret rotations: Auto-rotating secrets that are scheduled to rotate in less than 30 days
Long-lived secrets: All secrets that have not been updated in 90+ days

The user can customize views by selecting and deselecting fields or applying other filters. These customizations can then be saved as saved views. Another useful tool is the search bar, which allows the user to easily look for specific secrets by name.

To use this data in certain external tools, the user may export the records with a choice of either JSON or CSV file format.

Certificates inventory

In the Certificates Inventory tab, you'll see each certificate’s name, status, role, validity, mount path, type, and issuer. You’ll also see two preconfigured quick filters:

Expired certificates: Certificates that have passed the designated validity period
Revoked certificates: Certificates invalidated by the issuing certificate authority (CA).

In the Clusters tab above the certificates and secrets inventory tabs, a column for reporting will show whether reporting has been “Enabled” or “Disabled”. A cluster can be deployed without immediately enabling reporting, but we recommend enabling reporting upon deployment. Having a gap between cluster deployment and reporting enablement will result in timestamps that only start being recorded upon enablement.

Toggle reporting on for the cluster and apply the changes to enable reporting
After a complete scan of this cluster, the data in the secrets and certificates inventory tabs will then be populated and timestamped to the enablement time
Events will be recorded only from that point forward
Since certificates are not stored in Vault, in the case of Certificates Inventory, only newly issued certificates and newly expired certificates will have event data

Getting started

Certificates and secrets inventory reporting is now available in public beta for HCP Vault Dedicated Plus tier customers, with future plans to extend support to Vault Enterprise self-managed deployments. Customers can enable reporting from the Active Resources page in HCP or directly on HCP Vault Dedicated clusters.

For organizations operating under security and compliance requirements, this improves visibility and makes it easier to gather the evidence auditors ask for.

from HashiCorp Blog https://ift.tt/LemJHnj
via IFTTT

Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL.

Google Threat Intelligence Group (GTIG) described the hack group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments.

However, the group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, GTIG added.

"Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs [large language models]," GTIG said.

"Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup."

Recent phishing campaigns have involved the threat actor impersonating legitimate national and local Ukrainian energy organizations to obtain unauthorized access to organizational and personal email accounts.

The group is also said to have masqueraded as a Romanian energy company that works with customers in Ukraine, in addition to targeting a Romanian firm and conducting reconnaissance on Moldovan organizations.

To enable its operations, the threat actor generates email address lists tailored to specific regions and industries based on their research. The attack chains seemingly contain LLM-generated lures and embed Google Drive links pointing to a RAR archive containing CANFAIL malware.

Typically disguised with a double extension to pass off as a PDF document (*.pdf.js), CANFAIL is an obfuscated JavaScript malware that's designed to execute a PowerShell script that, in turn, downloads and executes a memory-only PowerShell dropper. In parallel, it displays a fake "error" message to the victim.

Google said the threat actor is also linked to a campaign called PhantomCaptcha that was disclosed by SentinelOne SentinelLABS in October 2025 as targeting organizations associated with Ukraine's war relief efforts through phishing emails that direct recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver a WebSocket-based trojan.

from The Hacker News https://ift.tt/6WNI1pr
via IFTTT

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense industrial base (DIB) sector, according to findings from Google Threat Intelligence Group (GTIG).

The tech giant's threat intelligence division said the adversarial targeting of the sector is centered around four key themes: striking defense entities deploying technologies on the battlefield in the Russia-Ukraine War, directly approaching employees and exploitation of the hiring process by North Korean and Iranian actors, use of edge devices and appliances as initial access pathways for China-nexus groups, and supply chain risk stemming from the breach of the manufacturing sector.

"Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare," GTIG said. "Further, the 'evasion of detection' trend [...] continues, as actors focus on single endpoints and individuals, or carry out intrusions in a manner that seeks to avoid endpoint detection and response (EDR) tools altogether."

Some of the notable threat actors that have participated in the activity include -

APT44 (aka Sandworm) has attempted to exfiltrate information from Telegram and Signal encrypted messaging applications, likely after securing physical access to devices obtained during on-ground operations in Ukraine. This includes the use of a Windows batch script called WAVESIGN to decrypt and exfiltrate data from Signal's desktop app.
TEMP.Vermin (aka UAC-0020) has used malware like VERMONSTER, SPECTRUM (aka SPECTR), and FIRMACHAGENT using lure content revolving around drone production and development, anti-drone defense systems, and video surveillance security systems.
UNC5125 (aka FlyingYeti and UAC-0149) has conducted highly targeted campaigns focusing on frontline drone units. It has used a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone operators, and distributed via messaging apps malware like MESSYFORK (aka COOKBOX) to an Unmanned Aerial Vehicle (UAV) operator based in Ukraine.
UNC5125 is also said to have leveraged an Android malware called GREYBATTLE, a bespoke version of the Hydra banking trojan, to steal credentials and data by distributing it via a website spoofing a Ukrainian military artificial intelligence company.

UNC5792 (aka UAC-0195) has exploited secure messaging apps to target Ukrainian military and government entities, as well as individuals and organizations in Moldova, Georgia, France, and the U.S. The threat actor is notable for weaponizing Signal's device linking feature to hijack victim accounts.
UNC4221 (aka UAC-0185) has also targeted secure messaging apps used by Ukrainian military personnel, using tactics similar to UNC5792. The threat actor has also leveraged an Android malware called STALECOOKIE that mimics Ukraine's battlefield management platform DELTA to steal browser cookies. Another tactic employed by the group is the use of ClickFix to deliver the TINYWHALE downloader that, in turn, drops the MeshAgent remote management software.
UNC5976, a Russian espionage cluster that has conducted a phishing campaign delivering malicious RDP connection files that are configured to communicate with actor-controlled domains mimicking a Ukrainian telecommunications company.
UNC6096, a Russian espionage cluster that has conducted malware delivery operations via WhatsApp using DELTA-related themes to deliver a malicious LNK shortcut within an archive file that downloads a secondary payload. Attacks aimed at Android devices have been found to deliver malware called GALLGRAB that collects locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.
UNC5114, a suspected Russian espionage cluster that has delivered a variant of an off-the-shelf Android malware called CraxsRAT by masquerading it as an update for Kropyva, a combat control system used in Ukraine.
APT45 (aka Andariel) has targeted South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware.
APT43 (aka Kimsuky) has likely leveraged infrastructure mimicking German and U.S. defense-related entities to deploy a backdoor called THINWAVE.
UNC2970 (aka Lazarus Group) has conducted the Operation Dream Job campaign to target aerospace, defense, and energy sectors, in addition to relying on artificial intelligence (AI) tools to conduct reconnaissance on its targets.
UNC1549 (aka Nimbus Manticore) has targeted aerospace, aviation, and defense industries in the Middle East with malware families like MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD. The group is known to orchestrate Lazarus Group-style Dream Job campaigns to trick users into executing malware or giving up credentials under the guise of legitimate employment opportunities.
UNC6446, an Iranian-nexus threat actor that has used resume builder and personality test applications to distribute custom malware to targets in the aerospace and defense vertical across the U.S. and the Middle East.
APT5 (aka Keyhole Panda and Mulberry Typhoon) has targeted current and former employees of major aerospace and defense contractors with tailored phishing lures.
UNC3236 (aka Volt Typhoon) has conducted reconnaissance activity against publicly hosted login portals of North American military and defense contractors, while using the ARCMAZE obfuscation framework to conceal its origin.
UNC6508, a China-nexus threat cluster that targeted a U.S.-based research institution in late 2023 by leveraging a REDCap exploit to drop a custom malware named INFINITERED that's capable of persistent remote access and credential theft after intercepting the application's software upgrade process.

In addition, Google said it has also observed China-nexus threat groups utilizing operational relay box (ORB) networks for reconnaissance against defense industrial targets, thereby complicating detection and attribution efforts.

"While specific risks vary by geographic footprint and sub-sector specialization, the broader trend is clear: the defense industrial base is under a state of constant, multi-vector siege," Google said. "Financially motivated actors carry out extortion against this sector and the broader manufacturing base, like many of the other verticals they target for monetary gain."

"The campaigns against defense contractors in Ukraine, threats to or exploitation of defense personnel, the persistent volume of intrusions by China-nexus actors, and the hack, leak, and disruption of the manufacturing base are some of the leading threats to this industry today."

from The Hacker News https://ift.tt/GTpcx47
via IFTTT

UAT-9921 Deploys VoidLink Malware to Target Technology and Financial Sectors

A previously unknown threat actor tracked as UAT-9921 has been observed leveraging a new modular framework called VoidLink in its campaigns targeting the technology and financial services sectors, according to findings from Cisco Talos.

"This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity," researchers Nick Biasini, Aaron Boyd, Asheer Malhotra, and Vitor Ventura said. "UAT-9921 uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network."

VoidLink was first documented by Check Point last month, describing it as a feature-rich malware framework written in Zig designed for long-term, stealthy access to Linux-based cloud environments. It's assessed to be the work of a single developer with assistance from a large language model (LLM) to flesh out its internals based on a paradigm called spec-driven development.

In another analysis published earlier this week, Ontinue pointed out that the emergence of VoidLink presents a new concern where LLM-generated implants, packed with kernel-level rootkits and features to target cloud environments, can further lower the skill barrier required to produce hard-to-detect malware.

Per Talos, UAT-9921 is believed to possess knowledge of the Chinese language, given the language of the framework, and the toolkit appears to be a recent addition. It is also believed that the development was split across teams, although the extent of the demarcation between development and the actual operations remains unclear.

"The operators deploying VoidLink have access to the source code of some [kernel] modules and some tools to interact with the implants without the C2," the researchers noted. "This indicates inner knowledge of the communication protocols of the implants."

VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has also been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan.

The cybersecurity company said it's aware of multiple VoidLink-related victims dating back to September 2025, indicating that work on the malware may have commenced much earlier than the November 2025 timeline pieced together by Check Point.

VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. It supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics.

The framework also comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly.

"The C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for a known vulnerability, which just happens to be on an internal web server," Talos said.

"The C2 doesn't necessarily need to have all these tools available — it may have an agent that will do its research and prepare the tool for the operator to use. With the current VoidLink compile-on-demand capability, integrating such a feature should not be complex. Keep in mind that all of this will happen while the operator continues to explore the environment."

Another defining trait of VoidLink is its auditability and the existence of a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. This suggests that the developers of the framework kept oversight in mind when designing it, raising the possibility that the activity may be part of red team exercises.

What's more, there are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.

"This is a near-production-ready proof of concept," Talos said. "VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility."

from The Hacker News https://ift.tt/ntG5QuZ
via IFTTT

How to solve the context size issues with context packing with Docker Model Runner and Agentic Compose

If you’ve worked with local language models, you’ve probably run into the context window limit, especially when using smaller models on less powerful machines. While it’s an unavoidable constraint, techniques like context packing make it surprisingly manageable.

Hello, I’m Philippe, and I am a Principal Solutions Architect helping customers with their usage of Docker. In my previous blog post, I wrote about how to make a very small model useful by using RAG. I had limited the message history to 2 to keep the context length short.

But in some cases, you’ll need to keep more messages in your history. For example, a long conversation to generate code:

- generate an http server server in golang
- add a human structure and a list of humans
- add a handler to add a human to the list
- add a handler to list all humans
- add a handler to get a human by id
- etc...

Let’s imagine we have a conversation for which we want to keep 10 messages in the history. Moreover, we’re using a very verbose model (which a lot of tokens), so we’ll quickly encounter this type of error:

error: {
    code: 400,
    message: 'request (8860 tokens) exceeds the available context size (8192 tokens), try increasing it',
    type: 'exceed_context_size_error',
    n_prompt_tokens: 8860,
    n_ctx: 8192
  },
  code: 400,
  param: undefined,
  type: 'exceed_context_size_error'
}

What happened?

Understanding context windows and their limits in local LLMs

Our LLM has a context window, which has a limited size. This means that if the conversation becomes too long… It will bug out.

This window is the total number of tokens the model can process at once, like a short-term working memory. Read this IBM article for a deep dive on context window

In our example in the code snippet above, this size was set to 8192 tokens for LLM engines that power local LLM, like Docker Model Runner, Ollama, Llamacpp, …

This window includes everything: system prompt, user message, history, injected documents, and the generated response. Refer to this Redis post for more info.

Example: if the model has 32k context, the sum (input + history + generated output) must remain ≤ 32k tokens. Learn more here.

It’s possible to change the default context size (up or down) in the compose.yml file:

models:
  chat-model:
    model: hf.co/qwen/qwen2.5-coder-3b-instruct-gguf:q4_k_m
    # Increased context size for better handling of larger inputs
    context_size: 16384

You can also do this with Docker with the following command: docker model configure –context-size 8192 ai/qwen2.5-coder `

And so we solve the problem, but only part of the problem. Indeed, it’s not guaranteed that your model supports a larger context size (like 16384), and even if it does, it can very quickly degrade the model’s performance.

Thus, with hf.co/qwen/qwen2.5-coder-3b-instruct-gguf:q4_k_m, when the number of tokens in the context approaches 16384 tokens, generation can become (much) slower (at least on my machine). Again, this will depend on the model’s capacity (read its documentation). And remember, the smaller the model, the harder it will be to handle a large context and stay focused.

Tips: always provide an option (a /clear command for example) in your application to empty the message list, or to reduce it. Automatic or manual. Keep the initial system instructions though.

So we’re at an impasse. How can we go further with our small models?

Well, there is still a solution, which is called context packing.

Using context packing to fit more information into limited context windows

We can’t indefinitely increase the context size. To still manage to fit more information in the context, we can use a technique called “context packing”, which consists of having the model itself summarize previous messages (or entrust the task to another model), and replace the history with this summary and thus free up space in the context.

So we decide that from a certain token limit, we’ll have the history of previous messages summarized, and replace this history with the generated summary.

I’ve therefore modified my example to add a context packing step. For the exercise, I decided to use another model to do the summarization.

Modification of the compose.yml file

I added a new model in the compose.yml file: ai/qwen2.5:1.5B-F16

models:
  chat-model:
    model: hf.co/qwen/qwen2.5-coder-3b-instruct-gguf:q4_k_m

  embedding-model:
    model: ai/embeddinggemma:latest

  context-packing-model:
    model: ai/qwen2.5:1.5B-F16

Then:

I added the model in the models section of the service that runs our program.
I increased the number of messages in the history to 10 (instead of 2 previously).
I set a token limit at 5120 before triggering context compression.
And finally, I defined instructions for the “context packing” model, asking it to summarize previous messages.

excerpt from the service:

golang-expert-v3:
build:
    context: .
    dockerfile: Dockerfile
environment:

    HISTORY_MESSAGES: 10
    TOKEN_LIMIT: 5120
    # ...
   
configs:
    - source: system.instructions.md
    target: /app/system.instructions.md
    - source: context-packing.instructions.md
    target: /app/context-packing.instructions.md

models:
    chat-model:
    endpoint_var: MODEL_RUNNER_BASE_URL
    model_var: MODEL_RUNNER_LLM_CHAT

    context-packing-model:
    endpoint_var: MODEL_RUNNER_BASE_URL
    model_var: MODEL_RUNNER_LLM_CONTEXT_PACKING

    embedding-model:
    endpoint_var: MODEL_RUNNER_BASE_URL
    model_var: MODEL_RUNNER_LLM_EMBEDDING

You’ll find the complete version of the file here: compose.yml

System instructions for the context packing model

Still in the compose.yml file, I added a new system instruction for the “context packing” model, in a context-packing.instructions.md file:

context-packing.instructions.md:
content: |\
    You are a context packing assistant.
    Your task is to condense and summarize provided content to fit within token limits while preserving essential information.
    Always:
    - Retain key facts, figures, and concepts
    - Remove redundant or less important details
    - Ensure clarity and coherence in the condensed output
    - Aim to reduce the token count significantly without losing critical information

    The goal is to help fit more relevant information into a limited context window for downstream processing.

All that’s left is to implement the context packing logic in the assistant’s code.

Applying context packing to the assistant’s code

First, I define the connection with the context packing model in the Setup part of my assistant:

const contextPackingModel = new ChatOpenAI({
  model: process.env.MODEL_RUNNER_LLM_CONTEXT_PACKING || `ai/qwen2.5:1.5B-F16`,
  apiKey: "",
  configuration: {
    baseURL: process.env.MODEL_RUNNER_BASE_URL || "http://localhost:12434/engines/llama.cpp/v1/",
  },
  temperature: 0.0,
  top_p: 0.9,
  presencePenalty: 2.2,
});

I also retrieve the system instructions I defined for this model, as well as the token limit:

let contextPackingInstructions = fs.readFileSync('/app/context-packing.instructions.md', 'utf8');

let tokenLimit = parseInt(process.env.TOKEN_LIMIT) || 7168

Once in the conversation loop, I’ll estimate the number of tokens consumed by previous messages, and if this number exceeds the defined limit, I’ll call the context packing model to summarize the history of previous messages and replace this history with the generated summary (the assistant-type message: [“assistant”, summary]). Then I continue generating the response using the main model.

excerpt from the conversation loop:

 let estimatedTokenCount = messages.reduce((acc, [role, content]) => acc + Math.ceil(content.length / 4), 0);
  console.log(` Estimated token count for messages: ${estimatedTokenCount} tokens`);

  if (estimatedTokenCount >= tokenLimit) {
    console.log(` Warning: Estimated token count (${estimatedTokenCount}) exceeds the model's context limit (${tokenLimit}). Compressing conversation history...`);

    // Calculate original history size
    const originalHistorySize = history.reduce((acc, [role, content]) => acc + Math.ceil(content.length / 4), 0);

    // Prepare messages for context packing
    const contextPackingMessages = [
      ["system", contextPackingInstructions],
      ...history,
      ["user", "Please summarize the above conversation history to reduce its size while retaining important information."]
    ];

    // Generate summary using context packing model
    console.log(" Generating summary with context packing model...");
    let summary = '';
    const summaryStream = await contextPackingModel.stream(contextPackingMessages);
    for await (const chunk of summaryStream) {
      summary += chunk.content;
      process.stdout.write('\x1b[32m' + chunk.content + '\x1b[0m');
    }
    console.log();

    // Calculate compressed size
    const compressedSize = Math.ceil(summary.length / 4);
    const reductionPercentage = ((originalHistorySize - compressedSize) / originalHistorySize * 100).toFixed(2);

    console.log(` History compressed: ${originalHistorySize} tokens → ${compressedSize} tokens (${reductionPercentage}% reduction)`);

    // Replace all history with the summary
    conversationMemory.set("default-session-id", [["assistant", summary]]);

    estimatedTokenCount = compressedSize

    // Rebuild messages with compressed history
    messages = [
      ["assistant", summary],
      ["system", systemInstructions],
      ["system", knowledgeBase],
      ["user", userMessage]
    ];
  }

You’ll find the complete version of the code here: index.js

All that’s left is to test our assistant and have it hold a long conversation, to see context packing in action.

docker compose up --build -d
docker compose exec golang-expert-v3 node index.js

And after a while in the conversation, you should see the warning message about the token limit, followed by the summary generated by the context packing model, and finally, the reduction in the number of tokens in the history:

Estimated token count for messages: 5984 tokens
Warning: Estimated token count (5984) exceeds the model's context limit (5120). Compressing conversation history...
Generating summary with context packing model...
Sure, here's a summary of the conversation:

1. The user asked for an example in Go of creating an HTTP server.
2. The assistant provided a simple example in Go that creates an HTTP server and handles GET requests to display "Hello, World!".
3. The user requested an equivalent example in Java.
4. The assistant presented a Java implementation that uses the `java.net.http` package to create an HTTP server and handle incoming requests.

The conversation focused on providing examples of creating HTTP servers in both Go and Java, with the goal of reducing the token count while retaining essential information.
History compressed: 4886 tokens → 153 tokens (96.87% reduction)

This way, we ensure that our assistant can handle a long conversation while maintaining good generation performance.

Summary

The context window is an unavoidable constraint when working with local language models, particularly with small models and on machines with limited resources. However, by using techniques like context packing, you can easily work around this limitation. Using Docker Model Runner and Agentic Compose, you can implement this pattern to support long, verbose conversations without overwhelming your model.

All the source code is available on Codeberg: context-packing. Give it a try!

from Docker https://ift.tt/GAa90gF
via IFTTT

Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

Cybersecurity researchers have discovered a malicious Google Chrome extension that's designed to steal data associated with Meta Business Suite and Facebook Business Manager.

The extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is marketed as a way to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. The extension has 33 users as of writing. It was first uploaded to the Chrome Web Store on March 1, 2025.

However, the browser add-on also exfiltrates TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor, Socket said.

"The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local," security researcher Kirill Boychenko said.

"In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business 'People' CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor."

By targeting users of Meta Business Suite and Facebook Business Manager, the threat actor behind the operation has leveraged the extension to conduct data collection and exfiltration without users' knowledge or consent.

While the extension does not have capabilities to steal password-related information, the attacker could obtain such information beforehand from other sources, such as infostealer logs or credential dumps, and then use the stolen codes to gain unauthorized access to victims' accounts.

The full scope of the malicious add-on's capabilities is listed below -

Steal TOTP seed (a unique, alphanumeric code that's used to generate time-based one-time passwords) and 2FA code
Target Business Manager "People" view by navigating to facebook[.]com and meta[.]com and build a CSV file with names, email addresses, roles and permissions, and their status and access details.
Enumerate Business Manager-level entities and their linked assets and build a CSV file of Business Manager IDs and names, attached ad accounts, connected pages and assets, and billing and payment configuration details.

Socket warned that despite the low number of installs, the extension gives the threat actor enough information to identify high-value targets and mount follow-on attacks.

"CL Suite by @CLMasters shows how a narrow browser extension can repackage data scraping as a 'tool' for Meta Business Suite and Facebook Business Manager," Boychenko said.

"Its people extraction, Business Manager analytics, popup suppression, and in-browser 2FA generation are not neutral productivity features, they are purpose-built scrapers for high-value Meta surfaces that collect contact lists, access metadata, and 2FA material straight from authenticated pages."

Chrome Extensions Hijack VKontakte Accounts

The disclosure comes as Koi Security found that about 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles.

The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences, manipulating Cross-Site Request Forgery (CSRF) tokens to bypass VK's security protections, and maintaining persistent control.

The activity has been traced to a threat actor operating under the GitHub username 2vk, who has relied on VK's own social network to distribute malicious payloads and build a follower base through forced subscriptions. The names of the extensions are listed below -

VK Styles - Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
VK Music - audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
Music Downloader - VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
vksaver - music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
VKfeed - Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

One of the defining traits of the campaign is the use of a VK profile's ("vk[.]com/m0nda") HTML metadata tags as a dead drop resolver to conceal the next-stage payload URLs and, therefore, evade detection. The next-stage payload is hosted in a public repository named "-" that's associated with 2vk. Present in the payload is obfuscated JavaScript that's injected into every VK page the victim visits.

The repository is still accessible as of writing, with the file, simply named "C," receiving a total of 17 commits between June 2025 and January 2026, as the operator refined and added new functionality.

"Each commit shows deliberate refinement," security researcher Ariel Cohen said. "This isn't sloppy malware - it's a maintained software project with version control, testing, and iterative improvements."

VK Styles has primarily affected Russian-speaking users, who are VK's main demographic, as well as users across Eastern Europe, Central Asia, and Russian diaspora communities globally. The campaign is assessed to be active since at least June 22, 2025, when the initial version of the payload was pushed to the "-" repository.

Fake AI Chrome Extensions Steal Credentials, Emails

The findings also coincide with the discovery of another coordinated campaign dubbed AiFrame, where a cluster of 32 browser add-ons advertised as artificial intelligence (AI) assistants for summarization, chat, writing, and Gmail assistance are being used to siphon sensitive data. These extensions have been collectively installed by more than 260,000 users.

"While these tools appear legitimate on the surface, they hide a dangerous architecture: instead of implementing core functionality locally, they embed remote, server-controlled interfaces inside extension-controlled surfaces and act as privileged proxies, granting remote infrastructure access to sensitive browser capabilities," LayerX researcher Natalie Zargarov said.

The names of the malicious extensions are as follows -

AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
AI Sidebar (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
Grok (ID: cgmmcoandmabammnhfnjcakdeejbfimn)
Asking Chat Gpt (ID: phiphcloddhmndjbdedgfbglhpkjcffh)
ChatGBT (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
Chat Bot GPT (ID: nkgbfengofophpmonladgaldioelckbe)
Grok Chatbot (ID: gcdfailafdfjbailcdcbjmeginhncjkb)
Chat With Gemini (ID: ebmmjmakencgmgoijdfnbailknaaiffh)
XAI (ID: baonbjckakcpgliaafcodddkoednpjgf)
Google Gemini (ID: fdlagfnfaheppaigholhoojabfaapnhb)
Ask Gemini (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
AI Letter Generator (ID: hgnjolbjpjmhepcbjgeeallnamkjnfgi)
AI Message Generator (ID: lodlcpnbppgipaimgbjgniokjcnpiiad)
AI Translator (ID: cmpmhhjahlioglkleiofbjodhhiejhei)
AI For Translation (ID: bilfflcophfehljhpnklmcelkoiffapb)
AI Cover Letter Generator (ID: cicjlpmjmimeoempffghfglndokjihhn)
AI Image Generator Chat GPT (ID: ckneindgfbjnbbiggcmnjeofelhflhaj)
Ai Wallpaper Generator (ID: dbclhjpifdfkofnmjfpheiondafpkoed)
Ai Picture Generator (ID: ecikmpoikkcelnakpgaeplcjoickgacj)
DeepSeek Download (ID: kepibgehhljlecgaeihhnmibnmikbnga)
AI Email Writer (ID: ckicoadchmmndbakbokhapncehanaeni)
Email Generator AI (ID: fnjinbdmidgjkpmlihcginjipjaoapol)
DeepSeek Chat (ID: gohgeedemmaohocbaccllpkabadoogpl)
ChatGPT Picture Generator (ID: flnecpdpbhdblkpnegekobahlijbmfok)
ChatGPT Translate (ID: acaeafediijmccnjlokgcdiojiljfpbe)
AI GPT (ID: kblengdlefjpjkekanpoidgoghdngdgl)
ChatGPT Translation (ID: idhknpoceajhnjokpnbicildeoligdgh)
Chat GPT for Gmail (ID: fpmkabpaklbhbhegegapfkenkmpipick)

Once installed, these extensions render a full-screen iframe overlay pointing to a remote domain ("claude.tapnetic[.]pro"), allowing the attackers to remotely introduce new capabilities without requiring a Chrome Web Store update. When instructed by the iframe, the add-ons query the active browser tab and invoke a content script to extract readable article content using Mozilla's Readability library.

The malware also supports the capability to start speech recognition and exfiltrate the resulting transcript to the remote page. What's more, a smaller set of the extensions contain functionality to specifically target Gmail by reading visible email content directly from the document object model (DOM) when a victim visits mail.google[.]com.

"When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension's logic and transmitted to third-party backend infrastructure controlled by the extension operator," LayerX said. "As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers."

287 Chrome Extensions Exfiltrate Browsing History

The developments show how web browser extensions are increasingly being abused by bad actors to harvest and exfiltrate sensitive data by passing them off as seemingly legitimate tools and utilities.

A report published by Q Continuum last week found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.

"It was shown in the past that Chrome extensions are used to exfiltrate user browser history that is then collected by data brokers such as Similarweb and Alexa," the researcher said.

Given the risks involved, users are recommended to adopt a minimalist approach by only installing necessary, well-reviewed tools from official stores. It's also essential to periodically audit installed extensions for any signs of malicious behavior or excessive permission requests.

Other ways that users and organizations can ensure greater security include using separate browser profiles for sensitive tasks and implementing extension allowlisting to block those that are malicious or non-compliant.

from The Hacker News https://ift.tt/ni3LhEz
via IFTTT

npm’s Update to Harden Their Supply Chain, and Points to Consider

In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don’t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks – here’s what you need to know for a safer Node community.

Let’s start with the original problem

Historically, npm relied on classic tokens: long-lived, broadly scoped credentials that could persist indefinitely. If stolen, attackers could directly publish malicious versions to the author’s packages (no publicly verifiable source code needed). This made npm a prime vector for supply-chain attacks. Over time, numerous real-world incidents demonstrated this point. Shai-Hulud, Sha1-Hulud, and chalk/debug are examples of recent, notable attacks.

npm’s solution

To address this, npm made the following changes:

npm revoked all classic tokens and defaulted to session-based tokens instead. The npm team also improved token management. Interactive workflows now use short-lived session tokens (typically two hours) obtained via npm login, which defaults to MFA for publishing.
The npm team also encourages OIDC Trusted Publishing, in which CI systems obtain short-lived, per-run credentials rather than storing secrets at rest.

In combination, these practices improve security. They ensure credentials expire quickly and require a second factor during sensitive operations.

Two important issues remain

First, people need to remember that the original attack on tools like ChalkJS was a successful MFA phishing attempt on npm’s console. If you look at the original email attached below, you can see it was an MFA-focused phishing email (nothing like trying to do the right thing and still getting burned). The campaign tricked the maintainer into sharing both the user login and one-time password. This means in the future, similar emails could get short-lived tokens, which still give attackers enough time to upload malware (since that would only take minutes).

Second, MFA on publish is optional. Developers can still create 90-day tokens with MFA bypass enabled in the console, which are extremely similar to the classic tokens from before.

These tokens allow you to read and write to a token author’s maintained packages. This means that if bad actors gain access to a maintainer’s console with these token settings, they can publish new, malicious packages (and versions) on that author’s behalf. This circles us back to the original issue with npm before they adjusted their credential policies.

To be clear, more developers using MFA on publish is good news, and future attacks should be fewer and smaller. However, making OIDC and MFA on-publish optional still leaves the core issue unresolved.

In conclusion, if (1) MFA phishing attempts to npm’s console still work and (2) access to the console equals access to publish new packages/versions, then developers need to be aware of the supply-chain risks that still exist.

Recommendations

In the spirit of open source security, here are three recommendations that we hope GitHub and npm will consider in the future.

Ideally, they continue to push for the ubiquity of OIDC in the long term. OIDC is very hard to compromise and would almost completely erase the issues surrounding supply-chain attacks.
More realistically, enforcing MFA for local package uploads (either via an email code or a one-time password) would further reduce the blast radius of worms like Shai-Hulud. In other words, it would be an improvement to not allow custom tokens that bypass MFA.
At a minimum, it would be nice to add metadata to package releases, so developers can take precautions and avoid packages (or maintainers) who do not take supply chain security measures.

In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, identity-bound credentials become the norm — and MFA bypass is no longer required for automation — supply-chain risk from compromised build systems remains materially present.

A new way to do it

This entire time, we’ve been talking about supply-chain attacks by uploading packages to npm on a maintainer’s behalf. If we could build every npm package from verifiable upstream source code rather than downloading the artifact from npm, we’d be better off. That’s exactly what Chainguard does for its customers with Chainguard Libraries for JavaScript.

We’ve looked at the public database for compromised packages across npm and discovered that for 98.5% of malicious packages, the malware was not present in the upstream source code (just the published artifact). This means an approach of building from source would reduce your attack surface by some 98.5%, based on past data, because Chainguard’s JavaScript repository would never publish the malicious versions available on npm.

In an ideal world, customers are most secure when they use Chainguard Libraries and apply the recommendations above. Per the “Swiss cheese model of security,” all of these features are layers of additive security measures, and companies would be best off using a combination of them.

If you’d like to learn more about Chainguard Libraries for JavaScript, reach out to our team.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/K6wdCYS
via IFTTT

Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability

Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr.

"Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel."

The vulnerability in question is CVE-2026-1731 (CVS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests.

BeyondTrust noted last week that successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.

It has been patched in the following versions -

Remote Support - Patch BT26-02-RS, 25.3.2 and later
Privileged Remote Access - Patch BT26-02-PRA, 25.1.1 and later

The use of CVE-2026-1731 demonstrates how quickly threat actors can weaponize new vulnerabilities, significantly shrinking the window for defenders to patch critical systems.

CISA Adds 4 Flaws to KEV Catalog

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows -

CVE-2026-20700 (CVSS score: 7.8) - An improper restriction of operations within the bounds of a memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS that could allow an attacker with memory write capability to execute arbitrary code.
CVE-2025-15556 (CVSS score: 7.7) - A download of code without an integrity check vulnerability in Notepad++ that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer and lead to arbitrary code execution with the privileges of the user.
CVE-2025-40536 (CVSS score: 8.1) - A security control bypass vulnerability in SolarWinds Web Help Desk that could allow an unauthenticated attacker to gain access to certain restricted functionality.
CVE-2024-43468 (CVSS score: 9.8) - An SQL injection vulnerability in Microsoft Configuration Manager that could allow an unauthenticated attacker to execute commands on the server and/or underlying database by sending specially crafted requests.

It's worth noting that CVE-2024-43468 was patched by Microsoft in October 2024 as part of its Patch Tuesday updates. It's currently unclear how this vulnerability is being exploited in real-world attacks. Nor is there any information about the identity of the threat actors exploiting the flaw and the scale of such efforts.

The addition of CVE-2024-43468 to the KEV catalog follows a recent report from Microsoft about a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets.

However, the Windows maker said it's not evident if the attacks exploited CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399, since attacks occurred in December 2025 and on machines vulnerable to both the old and new sets of vulnerabilities.

As for CVE-2026-20700, Apple acknowledged that the shortcoming may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26, raising the possibility that it was leveraged to deliver commercial spyware. It was fixed by the tech giant earlier this week.

Lastly, the exploitation of CVE-2025-15556 has been attributed by Rapid7 to a China-linked state-sponsored threat actor called Lotus Blossom (aka Billbug, Bronze Elgin, G0030, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip). It's known to be active since at least 2009.

The targeted attacks have been found to deliver a previously undocumented backdoor called Chrysalis. While the supply chain attack was fully plugged on December 2, 2025, the compromise of the Notepad++ update pipeline is estimated to have spanned nearly five months between June and October 2025.

The DomainTools Investigations (DTI) team described the incident as precise and a "quiet, methodical intrusion" that points to a covert intelligence-gathering mission designed to keep operational noise as low as possible. It also characterized the threat actor as having a penchant for long dwell times and multi-year campaigns.

An important aspect of the campaign is that the Notepad++ source code was left intact, instead relying on trojanized installers to deliver the malicious payloads. This, in turn, allowed the attackers to bypass source-code reviews and integrity checks, effectively enabling them to stay undetected for extended periods, DTI added.

"From their foothold inside the update infrastructure, the attackers did not indiscriminately push malicious code to the global Notepad++ user base," it said. "Instead, they exercised restraint, selectively diverting update traffic for a narrow set of targets, organizations, and individuals whose positions, access, or technical roles made them strategically valuable."

"By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access. The campaign reflects continuity in purpose, a sustained focus on regional strategic intelligence, executed with more sophisticated, more subtle, and harder-to-detect methods than in prior iterations."

In light of active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have until February 15, 2026, to address CVE-2025-40536, and till March 5, 2026, to fix the remaining three.

from The Hacker News https://ift.tt/sIuf6xO
via IFTTT

Thursday, February 12, 2026

Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support

Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.

"The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. "This actor's target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information."

The tech giant's threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.

UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that's tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra. It's best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware under the guise of approaching victims under the pretext of job openings.

GTIG said UNC2970 has "consistently" focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for "information on major cybersecurity and defense companies and mapping specific technical job roles and salary information."

UNC2970 is far from the only threat actor to have misused Gemini to augment their capabilities and move from initial reconnaissance to active targeting at a faster clip. Some of the other hacking crews that have integrated the tool into their workflows are as follows -

UNC6418 (Unattributed), to conduct targeted intelligence gathering, specifically seeking out sensitive account credentials and email addresses.
Temp.HEX or Mustang Panda (China), to compile a dossier on specific individuals, including targets in Pakistan, and to gather operational and structural data on separatist organizations in various countries.
APT31 or Judgement Panda (China), to automate the analysis of vulnerabilities and generate targeted testing plans by claiming to be a security researcher.
APT41 (China), to extract explanations from open-source tool README.md pages, as well as troubleshoot and debug exploit code.
UNC795 (China), to troubleshoot their code, conduct research, and develop web shells and scanners for PHP web servers.
APT42 (Iran), to facilitate reconnaissance and targeted social engineering by crafting personas that induce engagement from the targets, as well as develop a Python-based Google Maps scraper, develop a SIM card management system in Rust, and research the use of a proof-of-concept (PoC) for a WinRAR flaw (CVE-2025-8088).

Google also said it detected a malware called HONESTCUE that leverages Gemini's API to outsource functionality generation for the next-stage, along with an AI-generated phishing kit codenamed COINBAIT that's built using Lovable AI and masquerades as a cryptocurrency exchange for credential harvesting. Some aspects of COINBAIT-related activity have been attributed to a financially motivated threat cluster dubbed UNC5356.

"HONESTCUE is a downloader and launcher framework that sends a prompt via Google Gemini's API and receives C# source code as the response," it said. "However, rather than leveraging an LLM to update itself, HONESTCUE calls the Gemini API to generate code that operates the 'stage two' functionality, which downloads and executes another piece of malware."

The fileless secondary stage of HONESTCUE then takes the generated C# source code received from the Gemini API and uses the legitimate .NET CSharpCodeProvider framework to compile and execute the payload directly in memory, thereby leaving no artifacts on disk.

Google has also called attention to a recent wave of ClickFix campaigns that leverage the public sharing feature of generative AI services to host realistic-looking instructions to fix a common computer issue and ultimately deliver information-stealing malware. The activity was flagged in December 2025 by Huntress.

Lastly, the company said it identified and disrupted model extraction attacks that are aimed at systematically querying a proprietary machine learning model to extract information and build a substitute model that mirrors the target's behavior. In a large-scale attack of this kind, Gemini was targeted by over 100,000 prompts that posed a series of questions aimed at replicating the model's reasoning ability across a broad range of tasks in non-English languages.

Last month, Praetorian devised a PoC extraction attack where a replica model achieved an accuracy rate of 80.1% simply by sending a series of 1,000 queries to the victim's API and recording the outputs and training it for 20 epochs.

"Many organizations assume that keeping model weights private is sufficient protection," security researcher Farida Shafik said. "But this creates a false sense of security. In reality, behavior is the model. Every query-response pair is a training example for a replica. The model’s behavior is exposed through every API response."

from The Hacker News https://ift.tt/9ykJ0Zg
via IFTTT

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.

The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry. It's assessed to be active since May 2025.

"Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit," ReversingLabs researcher Karlo Zanki said in a report. "The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges."

Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version was published, and before the second version containing a malicious payload was released. The names of the packages are listed below -

npm -

graphalgo
graphorithm
graphstruct
graphlibcore
netstruct
graphnetworkx
terminalcolor256
graphkitx
graphchain
graphflux
graphorbit
graphnet
graphhub
terminal-kleur
graphrix
bignumx
bignumberx
bignumex
bigmathex
bigmathlib
bigmathutils
graphlink
bigmathix
graphflowx

PyPI -

graphalgo
graphex
graphlibx
graphdict
graphflux
graphnode
graphsync
bigpyx
bignum
bigmathex
bigmathix
bigmathutils

As with many job-focused campaigns conducted by North Korean threat actors, the attack chain begins with establishing a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space, and then setting up the necessary digital real estate to create an illusion of legitimacy.

This includes registering a domain and creating a related GitHub organization to host several repositories for use in coding assessments. The repositories have been found to contain projects based on Python and JavaScript.

"Examination of these repositories didn't reveal any obvious malicious functionality," Zanki said. "That is because the malicious functionality was not introduced directly via the job interview repositories, but indirectly – through dependencies hosted on the npm and PyPI open-source package repositories."

The idea behind setting up these repositories is to trick candidates who apply to its job listings on Reddit and Facebook Groups into running the projects on their machines, effectively installing the malicious dependency and triggering the infection. In some cases, victims are directly contacted by seemingly legitimate recruiters on LinkedIn.

The packages ultimately act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server. It supports various commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.

Interestingly, the command-and-control (C2) communication is protected by a token-based mechanism to ensure that only requests with a valid token are accepted. The approach was previously observed in 2023 campaigns linked to a North Korean hacking group called Jade Sleet, which is also known as TraderTraitor or UNC4899.

It essentially works like this: the packages send system data as part of a registration step to the C2 server, which responds with a token. This token is then sent back to the C2 server in subsequent requests to establish that they are originating from an already registered infected system.

"The token-based approach is a similarity [...] in both cases and has not been used by other actors in malware hosted on public package repositories as far as we know," Zanki told The Hacker News at that time.

The findings show that North Korean state-sponsored threat actors continue to poison open-source ecosystems with malicious packages in hopes of stealing sensitive data and conducting financial theft, a fact evidenced by the RAT's checks to determine if the MetaMask browser extension is installed in the machine.

"Evidence suggests that this is a highly sophisticated campaign," ReversingLabs said. "Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor."

More Malicious npm Packages Found

The disclosure comes as JFrog uncovered a sophisticated, malicious npm package called "duer-js" published by a user named "luizaearlyx." While the library claims to be a utility to "make the console window more visible," it harbors a Windows information stealer called Bada Stealer.

It's capable of gathering Discord tokens, passwords, cookies, and autofill data from Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser, cryptocurrency wallet details, and system information. The data is then exfiltrated to a Discord webhook, as well as the Gofile file storage service as a backup.

"In addition to stealing information from the host it infected, the malicious package downloads a secondary payload," security researcher Guy Korolevski said. "This payload is designed to run on the Discord Desktop app startup, with self-updating capabilities, stealing directly from it, including payment methods used by the user."

It also coincides with the discovery of another malware campaign that weaponizes npm to extort cryptocurrency payments from developers during package installation using the "npm install" command. The campaign, first recorded on February 4, 2026, has been dubbed XPACK ATTACK by OpenSourceMalware.

duer-js malicious package flow, hijacking Discord’s Electron environment

The names of the packages, all uploaded by a user named "dev.chandra_bose," are listed below -

xpack-per-user
xpack-per-device
xpack-sui
xpack-subscription
xpack-arc-gateway
xpack-video-submission
test-npm-style
xpack-subscription-test
testing-package-xdsfdsfsc

"Unlike traditional malware that steals credentials or executes reverse shells, this attack innovatively abuses the HTTP 402 'Payment Required' status code to create a seemingly legitimate payment wall," security researcher Paul McCarty said. "The attack blocks installation until victims pay 0.1 USDC/ETH to the attacker's wallet, while collecting GitHub usernames and device fingerprints."

"If they refuse to pay, the installation simply fails after wasting 5+ minutes of their development time, and they may not even realize they've encountered malware versus what appeared to be a legitimate paywall for package access."

from The Hacker News https://ift.tt/DAQp4i7
via IFTTT

Pages