📦⚠️ Is your container adoption outpacing your security maturity? You’re not alone.

ActiveState’s 2026 State of Vulnerability Management & Remediation Report found 82% of DevSecOps leaders experienced a container-related breach last year and 87% expect one in 2026.

Learn how to close the “remediation gap” and the role AI will play in securing your stack by 2026.

📥 Download the report → https://thn.news/container-sec-guide

🚨 ThreatsDay Bulletin is live.

This week’s signals point to a quieter but faster threat landscape:

• Codespaces RCE & dev workflow abuse
• AI-assisted cloud intrusions
• BYOVD driver exploitation
• AsyncRAT C2 exposure
• Sandbox escape flaws
• RMM persistence campaigns
• Crypto drainer ecosystems
• Botnet & DDoS scaling ops
• Supply-chain injection paths
• APT & crimeware infra overlap

Attack paths are blending into trusted environments — cloud, identity, drivers, and developer tooling.

All updates in one place → https://thehackernews.com/2026/02/threatsday-bulletin-codespaces-rce.html

AI is foundational for security teams, but operational relief still feels out of reach.

Tines just launched Voice of Security 2026, based on insights from 1,800+ security leaders and practitioners.

The data shows why workloads remain high and what it takes to unlock real AI impact 👇 https://thn.news/security-pro-meta-fb

🌐⚠️ AISURU/Kimwolf launched a record 31.4 Tbps HTTP DDoS attack — mitigated by Cloudflare.

Same botnet drove holiday flood campaigns as Q4 hyper-volumetric attacks surged. Runs on 2M+ infected Android devices via proxy networks.

🔗 Read → https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html

🔥 Anthropic’s Claude Opus 4.6 AI found 500+ previously unknown high-severity flaws in open-source code.

Impacted: Ghostscript, OpenSC, CGIF. Bugs ranged from buffer overflows to memory corruption — all validated and patched.

🔗 Details → https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.html

🛑 Malicious updates were published to official dYdX trading packages on npm and PyPI, delivering a wallet stealer and remote access malware.

Published via compromised maintainer accounts, the malware hid inside transaction-signing and wallet code.

🔗Read → https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html

🛡️ Turn intel into action with a 6-stage Threat-Informed Defense pipeline. Map adversary TTPs, simulate attacks, validate controls, and prioritize fixes that reduce real risk.

🔗 Download Guide (Framework steps + tooling) → https://www.linkedin.com/pulse/turn-intel-action-guide-threatinformed-defense-thehackernews-hru3c/

State-linked hackers breached 70+ government & critical infrastructure networks across 37 countries, Unit 42 reports.

Targets include law enforcement, finance ministries, and border control. Initial access via phishing loaders, with payloads staged on GitHub.

🔗 Intrusion chain, malware design, targeting scope → https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html

🛑 CISA orders federal agencies to remove unsupported edge devices within 12–18 months.

Unpatched firewalls, routers, IoT, and perimeter gear are now flagged as prime entry points—actively exploited by state-backed actors for network access.

🔗 Directive scope, deadlines, device list → https://thehackernews.com/2026/02/cisa-orders-removal-of-unsupported-edge.html

Cisco Talos exposed DKnife — a China-linked AitM framework active since 2019 on compromised routers and edge devices.

It monitors traffic, steals credentials, and hijacks app/software updates to deploy ShadowPad and DarkNimbus on PCs and phones.

🔗 Modules and infection chain → https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html

German authorities warn of a state-linked phishing campaign abusing Signal account features to hijack chats.

Actors pose as support, steal PINs or trick targets into device linking—enabling message interception and impersonation across political, military, and media networks.

🔗 Read → https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html

🔥 OpenClaw now scans every ClawHub skill using 🛡️ VirusTotal threat intel.

Uploads are hashed, analyzed via Code Insight, then auto-approved, flagged, or blocked. Daily rescans 🔍 check if clean skills turn malicious later.

⚠️ Hundreds of risky skills had slipped through earlier.

🔗 Read → https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html

⚡ BeyondTrust patched pre-auth RCE (CVE-2026-1731) in Remote Support and PRA.

Attackers could run OS commands via crafted requests.~11K exposed instances found. Patches released.

🔗 Versions affected, fixes → https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html

🛑 Cloud worm malware campaign is systematically taking over cloud infrastructure.

TeamPCP exploits exposed Docker, Kubernetes, Redis, and React2Shell to mass-deploy proxies, scanners, crypto miners & ransomware across compromised clusters.

🔗 Read → https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html

🛠️ Bloody Wolf tied to a spear-phishing campaign deploying NetSupport RAT across Central Asia and Russia.

~60 victims across government, finance, manufacturing. Malicious PDFs drop loaders that persist via scripts + scheduled tasks.

🔗 Details → https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html

🧪⚡ SOC teams aren’t failing on tools — they’re overloaded by triage. Constant validation loops are fueling burnout and SLA drift.

CISOs are moving to sandbox-first workflows, exposing live behavior early and reducing escalations, MTTR, and senior drag.

🔗 How evidence replaces guesswork → https://thehackernews.com/2026/02/how-top-cisos-solve-burnout-and-speed.html

⚠️ AI tools, supply chains, and trusted platforms are now attack paths.

Malicious AI skills, Signal phishing, Docker AI RCE, update hijacks — plus a record 31.4 Tbps DDoS. All in one week.

🔎 Read the full recap here: https://thehackernews.com/2026/02/weekly-recap-ai-skill-malware-31tbps.html

🚨 Microsoft traced a multi-stage intrusion to exposed SolarWinds Web Help Desk servers.

Attackers used unauthenticated RCE, moved laterally, and abused legit RMM tools for persistence — plus credential dumping and DCSync.

🔗 Tradecraft, CVEs, and lateral movement chain → https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html

⚠️ Singapore’s cyber agency says China-linked UNC3886 targeted all four national telecom operators.

Attackers used a firewall zero-day and rootkits to access parts of critical systems. Espionage activity was contained. No service disruption or customer data theft found.

🔗 Read → https://thehackernews.com/2026/02/china-linked-unc3886-targets-singapore.html

🚨🛡️ Fortinet Fixes Critical FortiClientEMS RCE (CVE-2026-21643, CVSS 9.1).

SQL injection flaw enables unauthenticated remote command execution via crafted requests. Affects EMS 7.4.4 (patch available).

Separate FortiCloud SSO bug is actively exploited for admin persistence and firewall config theft.

🔗 See affected versions and patch guidance → https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html

🚨 Ivanti EPMM Zero-Day Exploits Breach Dutch Regulators, Linked to Wider 🇪🇺 EU Government Intrusions.

Attackers exploited CVSS 9.8 unauthenticated RCE flaws to access employee work contact data.
Related activity also impacted the European Commission and Finland’s Valtori systems.

🔗 Details → https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html