New Tooling
- Data Tool To Triage Exploited Vulnerabilities Can Make KEV More Useful
"All software vulnerabilities are not the same. Faced with a quickly growing number of vulnerabilities — more than 48,100 in 2025, up 21% from the previous year — IT and security teams are searching for ways to prioritize which issues need patching and which can be put off for another day. While a variety of approaches exist, including the Exploit Prediction Scoring System (EPSS) and the Likely Exploited Vulnerabilities (LEV) equation, many companies rely on the Known Exploited Vulnerabilities (KEV) Catalog published by the US Cyber and Infrastructure Security Agency (CISA) for a short list of high-impact issues that need immediate attention."
https://www.darkreading.com/threat-intelligence/data-tool-triage-exploited-vulnerabilities-make-kev-catalog-more-useful
https://github.com/runZeroInc/kev-collider-data/
- New Tool Blocks Imposter Attacks Disguised As Safe Commands
"A new open-source and cross-platform tool called Tirith can detect homoglyph attacks over command-line environments by analyzing URLs in typed commands and stopping their execution. Available on GitHub and also as an npm package, the tool works by hooking into the user’s shell (zsh, bash, fish, PowerShell) and inspecting every command the user pastes for execution."
https://www.bleepingcomputer.com/news/security/new-tool-blocks-imposter-attacks-disguised-as-safe-commands/
http://github.com/sheeki03/tirith
Vulnerabilities
- Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk Of Code And Credential Leaks
"Git has been the most widely used version control system among developers worldwide to coordinate coding projects ever since its founding by Linus Torvalds. However, its public nature also makes it a treasure trove for misuse. Publicly accessible .git folders keep surfacing across the internet and can turn even minor software deployment mistakes into potentially catastrophic security incidents with just a few clicks. A 2026 internet-wide data study conducted by the Mysterium VPN research team found that 4,964,815 IP addresses – essentially, 5 million web servers – had their Git repository metadata accessible."
https://www.mysteriumvpn.com/blog/news/git-metadata-leak
https://securityaffairs.com/187674/security/nearly-5-million-web-servers-found-exposing-git-metadata-study-reveals-widespread-risk-of-code-and-credential-leaks.html
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
- CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/02/05/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-smartermail-rce-flaw-used-in-ransomware-attacks/
https://securityaffairs.com/187675/security/u-s-cisa-adds-smartertools-smartermail-and-react-native-community-cli-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://www.securityweek.com/critical-smartermail-vulnerability-exploited-in-ransomware-attacks/
https://www.helpnetsecurity.com/2026/02/06/ransomware-smartermail-cve-2026-24423/
Malware
- Malicious dYdX Packages Published To Npm And PyPI After Maintainer Compromise
"Socket's Threat Research Team discovered a supply chain attack targeting the dYdX protocol package across npm and PyPI ecosystems. The dYdX protocol is a decentralized exchange for cryptocurrency derivatives trading. The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management. Applications using these packages handle sensitive cryptocurrency operations."
https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi
https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html
- How 0apt Is Using Random Noise To Fake A Ransomware Empire
"When the group calling itself 0apt surfaced on the dark web earlier this month, the numbers were a gut punch. Usually, a new ransomware operation builds its name slowly, one victim at a time. 0apt took a shortcut by posting a list of 190 companies all at once: a hit list that covered almost every major industry. But as we started checking the group's claims, we found something strange. While the group initially populated its site with a string of low-tier, nameless "garbage" companies, it has recently pivoted to a much more dangerous game. The list now features some of the world’s most recognizable corporate titans, from medical technology leaders to defense contractors."
https://databreach.com/news/44-how-0apt-is-using-random-noise-to-fake-a-ransomware-empire
https://socradar.io/blog/dark-web-profile-0apt-ransomware/
- Germany Warns Of Signal Account Hijacking Targeting Senior Figures
"Germany's domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI)."
https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/
https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html
https://www.helpnetsecurity.com/2026/02/06/state-linked-phishing-europe-journalists-signal/
- Helpful Skills Or Hidden Payloads? Bitdefender Labs Dives Deep Into The OpenClaw Malicious Skill Trap
"With hundreds of malicious OpenClaw skills blending in among legitimate ones, manually reviewing every script or command isn’t realistic — especially when skills are designed to look helpful and familiar. That’s why Bitdefender offers a free AI Skills Checker, designed to help people quickly assess whether an AI skill might be risky before they install or run it."
https://www.bitdefender.com/en-us/blog/labs/helpful-skills-or-hidden-payloads-bitdefender-labs-dives-deep-into-the-openclaw-malicious-skill-trap
https://hackread.com/openclaw-add-ons-crypto-theft-macos-malware/
- Norwegian Intelligence Discloses Country Hit By Salt Typhoon Campaign
"Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations. The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services."
https://therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
- Brew Hijack: Serving Malware Over Homebrew’s Core Tap
"Most of the time, when you install software, you don’t think twice about it. The files get downloaded over HTTPS. The checksums are verified. Everything’s secure - or at least, that’s the assumption. And thank god for that. If every download could be intercepted, or every binary replaced without warning, the internet would be a minefield. But what if both protections were missing? What if the download was served over plain HTTP, and the installer wasn’t even validated after the fact? Come on - it's 2026! That can’t still happen in a widely used package manager. r..right?"
https://www.koi.ai/blog/brew-hijack-serving-malware
- New ClickFix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
"In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser‑based social engineering combined with living‑off‑the‑land binaries and Python‑based payload delivery."
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/
- Tenant From Hell: Prometei's Unauthorized Stay In Your Windows Server
"In January 2026, eSentire's Threat Response Unit (TRU) detected a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer in the Construction industry. Prometei is a botnet suspected to be of Russian origin and has been active since 2016. It features extensive capabilities, including remote control functionality, credential harvesting, crypto-mining (Monero), lateral movement, Command and Control (C2) over both the clearweb and TOR network, and self-preservation measures that harden compromised systems against other threat actors, to maintain exclusive access."
https://www.esentire.com/blog/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server
https://hackread.com/uk-construction-firm-prometei-botnet-windows-server/
Breaches/Hacks/Leaks
- Flickr Discloses Potential Data Breach Exposing Users' Names, Emails
"Photo-sharing platform Flickr is notifying users of a potential data breach after a vulnerability at a third-party email service provider exposed their real names, email addresses, IP addresses, and account activity. Founded in 2004, Flickr is one of the world's largest photography communities and sharing sites, hosting over 28 billion photos and videos. The company says it has 35 million monthly users and 800 million monthly page views."
https://www.bleepingcomputer.com/news/security/flickr-discloses-potential-data-breach-exposing-users-names-emails/
https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/
https://hackread.com/flickr-data-breach-external-partner-security-flaw/
https://www.theregister.com/2026/02/06/flickr_emails_users_about_data_breach/
https://securityaffairs.com/187753/data-breach/flickr-moves-to-contain-data-exposure-warns-users-of-phishing.html
- Payments Platform BridgePay Confirms Ransomware Attack Behind Outage
"A major U.S. payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services. The incident began on Friday and quickly escalated into a nationwide disruption across BridgePay's platform."
https://www.bleepingcomputer.com/news/security/payments-platform-bridgepay-confirms-ransomware-attack-behind-outage/
- A Technical And Ethical Post-Mortem Of The Feb 2026 Harvard University ShinyHunters Data Breach
"On February 4, 2026, the cybersecurity landscape of higher education was fundamentally altered. A breach attributed to the cybercriminal syndicate ShinyHunters – operating as part of the “Scattered LAPSUS$ Hunters” collective – exposed approximately 115,000 sensitive records from Harvard University’s Alumni Affairs and Development (AAD) department. This incident is not merely a leak of names; it is a collapse of institutional data sovereignty. It exposes the private lives, financial liquidity, and intimate institutional strategies governing the world’s most influential academic donor base. The following analysis decomposes the technical origins of the breach and the problematic nature of the exposed “human infrastructure.”"
https://www.infostealers.com/article/a-technical-and-ethical-post-mortem-of-the-feb-2026-harvard-university-shinyhunters-data-breach/
General News
- Mobile Privacy Audits Are Getting Harder
"Mobile apps routinely collect and transmit personal data in ways that are difficult for users, developers, and regulators to verify. Permissions can reveal what an app can access, and privacy policies can claim what an app should do, yet neither reliably shows what data is actually collected and where it is sent during real use."
https://www.helpnetsecurity.com/2026/02/06/mopri-mobile-app-privacy-analysis/
- Living Off The AI: The Next Evolution Of Attacker Tradecraft
"For years, defenders have battled “living off the land” attacks—where adversaries progress using the tools already present on compromised systems (PowerShell, WMI, and the like). Then came “living off the cloud,” as threat actors hid in plain sight behind ubiquitous cloud services for malware delivery and data exfiltration. We’re now entering the next phase: living off the AI. Organizations are rapidly adopting AI assistants, agents, and the emerging Model Context Protocol (MCP) ecosystem to stay competitive. Attackers have noticed. Let’s look at how different MCPs and AI agents can be targeted and how, in practice, enterprise AI becomes part of the attacker’s playbook. (MCP is an open source framework for LLMs and AI agents to securely connect with external systems.)"
https://www.securityweek.com/living-off-the-ai-the-next-evolution-of-attacker-tradecraft/
- Why Automation Alone Misses AI-Generated Phishing
"Phishing has evolved far beyond the crude, mass-produced scams most security teams were trained to recognize. What was once defined by obvious deception is now driven by high-quality, adaptive, and highly realistic attacks that are increasingly generated with AI and delivered at an unprecedented scale."
https://cofense.com/blog/why-automation-alone-misses-ai-generated-phishing
- Introducing Encrypt It Already
"Today, we’re launching Encrypt It Already, our push to get companies to offer stronger privacy protections to our data and communications by implementing end-to-end encryption. If that name sounds a little familiar, it’s because this is a spiritual successor to our 2019 campaign, Fix It Already, a campaign where we pushed companies to fix longstanding issues."
https://www.eff.org/deeplinks/2026/01/introducing-encrypt-it-already
https://www.darkreading.com/cloud-security/encrypt-it-already-pushes-big-tech-e2e-encryption
- Shai-Hulud: The Hidden Cost Of Supply Chain Attacks
"A slew of malware attacks against open source software components have compromised thousands of software packages and repositories, but the practical damage these attacks have caused organizations is harder to quantify. The longer term and indirect costs of these attacks may prove most significant for organizations. Open source components and software have long been a well-established source of threat activity. The widespread use combined with the broad variance in how well-supported different projects are — in part thanks to the community maintenance inherent to many of them — means severe vulnerabilities (and threat campaigns) can sometimes slip through the cracks. The devastating Log4Shell vulnerability from 2021 comes to mind, as does the more recent React2Shell from late last year."
https://www.darkreading.com/application-security/shai-hulud-hidden-cost-supply-chain-attacks
- OpenClaw's Gregarious Insecurities Make Safe Usage Difficult
"OpenClaw, the open source agentic AI assistant available from GitHub, continues to attract a growing following. Like many tech-savvy workers, Dane Sherrets, a staff innovation architect at HackerOne, decided to try out the software. He installed it on a virtual private server, gave the collection of programs and agents its own Slack channel, and limited its access to any personal data. Even with limited access, OpenClaw impressed: When Sherrets reserved a virtual phone number for the AI assistant and gave it an API key with the instructions to develop a capability to make phone calls, it did."
https://www.darkreading.com/application-security/openclaw-insecurities-safe-usage-difficult
- Novel Technique To Detect Cloud Threat Actor Operations
"Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty doesn’t lie in an inability to identify complex alerting operations across thousands of cloud resources or in a failure to follow identity resources, the problem lies in the accurate detection of known persistent threat actor group techniques specifically within cloud environments."
https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-logging/
References
Electronic Transactions Development Agency (ETDA)
Check and remediate urgently! A critical vulnerability has been found in the n8n platform that could be used to execute commands on the system if an attacker can gain access to a user account with permission to create or edit Workflows.
Vulnerability details
Affected products and versions
ThaiCERT recommends that organizations running an affected version verify their deployments and apply the fix immediately.
Verification and mitigation guidance
References
(CTU) researchers investigated the potential scale of malicious use of these devices and identified multiple internet-exposed systems associated with cybercriminal activity, including ransomware operations and commodity malware delivery. Further investigation identified multiple additional hostnames derived from ISPsystem-provisioned virtual machine templates, some of which were also used in malicious activity."