Weekly Cybersecurity Recap - 16 February 2026

Introduction

The latest cybersecurity developments reflect a rapidly evolving threat landscape shaped by AI-enabled exploits, escalating ransomware campaigns, and mounting supply-chain risk. Attackers are blending social engineering, infrastructure abuse, and open-source compromise while defenders race to modernize protections and strengthen resilience.

From nation-state activity targeting defense infrastructure to malicious browser extensions with tens of millions of downloads, this week’s events highlight how digital risk continues to expand across ecosystems, platforms, and sectors.

Malware, Exploits and Technical Threats

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft disclosed a new iteration of the ClickFix social engineering campaign in which victims are tricked into executing DNS lookups via the Windows Run dialog. The attackers abuse the legitimate "nslookup" command to retrieve second-stage malware payloads.

By leveraging trusted system tools, the campaign blends malicious activity into normal administrative behavior, making detection more difficult for security teams.

AI-Generated Malware Exploits React2Shell for Tiny Profit

Researchers detected AI-generated malware exploiting CVE-2025-55182, known as React2Shell, a vulnerability in Next.js server components that enables remote command execution. The campaign successfully compromised 91 hosts.

The incident highlights how generative AI tools are lowering the barrier for exploit development, enabling individuals with limited coding expertise to weaponize known vulnerabilities.

Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks

BYOVD attacks continue to rise as ransomware groups exploit vulnerable Windows drivers to disable endpoint protection tools. Attackers deploy legitimately signed but vulnerable drivers to gain kernel-level access and terminate security processes.

The technique presents a complex challenge for Microsoft, as blocking vulnerable drivers risks disrupting legitimate systems while leaving defensive gaps if unaddressed.

83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

GreyNoise observed that 83% of exploitation attempts targeting Ivanti EPMM originated from a single IP address hosted by bulletproof provider PROSPERO. Between February 1 and 9, researchers recorded 417 exploitation sessions.

The concentration of activity underscores how attackers leverage resilient hosting infrastructure to sustain coordinated exploitation campaigns.

Supply Chain and Ecosystem Security

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

Researchers linked malicious npm and PyPI packages to a recruitment-themed campaign attributed to the North Korea-linked Lazarus Group. The operation, dubbed “graphalgo,” has reportedly been active since May 2025.

By embedding malicious code in open-source ecosystems, attackers continue to exploit developer trust and software supply chains to infiltrate enterprise environments.

Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data

Security analysts uncovered more than 300 Chrome extensions transmitting browsing histories and search data, with a combined 37 million downloads. Some extensions exposed data over unsecured networks, while others monetized or maliciously collected user information.

The scale of the discovery reinforces persistent risks within browser ecosystems, particularly where extension oversight remains limited.

Ransomware, Extortion and Sector Targeting

Ransomware attacks increase against IT and food sectors

Ransomware incidents in the IT sector surged to nearly 750 cases in 2025, more than doubling the prior year’s total. Analysts attribute the rise to attackers pivoting toward supply-chain weaknesses and leveraging faster social engineering and zero-day exploitation tactics.

The food sector has also experienced increased targeting, reflecting broader industry-wide exposure.

Extortion attacks on the rise as hackers prioritize supply-chain weaknesses

Extortion-related cyberattacks rose by approximately 63% in 2025, reaching 6,800 incidents, according to Intel 471. Consulting firms and manufacturing companies were among the most frequently listed victims on dark-web leak sites.

The trend reflects attackers’ focus on supply-chain dependencies to maximize leverage and impact.

Hacktivists, State Actors, Cybercriminals Target Global Defense Industry, Google Warns

Google Threat Intelligence Group reported escalating attacks against the global defense industrial base. The activity includes operations from China, Russia, Iran, and North Korea-linked actors, as well as ransomware groups targeting manufacturing supply chains.

The findings point to a sustained and multifaceted campaign targeting contractors, suppliers, and defense personnel.

AI Security and Industry Strategy

Check Point Buys 3 Startups to Bolster AI Security

Check Point acquired three early-stage startups to expand capabilities in exposure management, AI security, and workspace protection. The move reflects growing enterprise demand for AI-native security solutions.

Proofpoint Purchases Startup Acuvity to Bolster AI Security

Proofpoint announced its acquisition of Acuvity to better understand AI prompt intent and detect adversarial or data-leaking behaviors. The company said the technology enhances visibility across browsers, endpoints, and AI agents.

As organizations integrate AI into workflows, vendors are racing to address emerging risks tied to model misuse and oversharing.