The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
A new enterprise study shows only 16% of orgs run Continuous Threat Exposure Management (CTEM).

Those that do see 50% better attack surface visibility and stronger tooling adoption, creating a widening security gap as environments scale.

🔗 Peer benchmarks and risk data breakdown → https://thehackernews.com/2026/02/the-ctem-divide-why-84-of-security.html
👨🏻‍💻 Picus Security analyzed 1.1M malware samples to reveal a new era of Silent Residency.

Encryption payloads down 38%. 80% of top techniques now focus on evasion. Malware uses trigonometry to bypass sandboxes.

The Digital Parasite has arrived.

Read the full Red Report 2026: https://thn.news/red-report-2026
⚠️ Fake recruiter coding tests pushed poisoned npm & PyPI dependencies to developers.

Hidden packages deployed RAT access, while separate implants stole browser & crypto wallet data. One library exceeded 10,000 downloads before weaponization.

🔗 Read → https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html
Researchers found the first malicious Microsoft Outlook add-in used in real attacks.

Hackers hijacked an abandoned calendar plug-in, claimed its expired domain, and served a fake Microsoft login—stealing 4,000+ credentials. The add-in still had mailbox read/write permissions.

🔗 Learn how... → https://thehackernews.com/2026/02/first-malicious-outlook-add-in-found.html
⚡ Google tracked multiple state groups using Gemini for vuln research, exploit debugging, and persona building across cyber operations.

One malware strain even generated second-stage code via the API, executed filelessly in memory.

🔗 Threat actor tactics, malware, and AI abuse cases → https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html
Threat actors are actively exploiting CVE-2026-1731 (9.9) in BeyondTrust Remote Support & PRA.

Attackers extract portal data, then open WebSocket channels to trigger unauthenticated RCE.

🔗 Read → https://thehackernews.com/2026/02/researchers-observe-in-wild.html

Patches are out, but exploitation started fast.
npm killed long-lived tokens after the Sha1-Hulud attack, shifting to short-lived sessions and MFA by default.

Security improved — but MFA phishing and optional publish protections still leave gaps. Console access can still mean package compromise.

🔗 Where the new model still fails → https://thehackernews.com/2026/02/npms-update-to-harden-their-supply.html
⚠️ Security firms uncovered coordinated abuse of Chrome extensions across business, social, and AI tools.

From Meta ad accounts to Gmail inboxes, attackers used add-ons to scrape data, inject payloads, and persist inside sessions.

🔗 Read → https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html
Researchers track UAT-9921 using the VoidLink modular malware framework against tech and finance targets.

The Linux-focused toolkit enables stealth persistence, scanning, and lateral movement via post-compromise C2 implants.

🔗 Look inside the framework’s stealth and RBAC design → https://thehackernews.com/2026/02/uat-9921-deploys-voidlink-malware-to.html
The SANS State of ICS/OT Security 2025 Report reveals an industry advancing at two speeds. Detection is faster, but recovery still lags—with one in five incidents taking over a month to restore operations.

Get the intel 👉 https://thn.news/sans-ot-report
Google says defense contractors face sustained cyber targeting from China, Iran, North Korea, and Russia.

Campaigns span battlefield tech theft, hiring infiltration, and supply-chain breaches. Actors now focus on individuals and edge devices to bypass EDR visibility.

🔗 Threat clusters, malware families, intrusion paths → https://thehackernews.com/2026/02/google-links-china-iran-russia-north.html
A newly tracked actor tied to Russian intelligence is deploying CANFAIL against Ukraine.

Targets span defense, energy, and government, with spillover into drone and nuclear research. GTIG says LLM use now supports recon, phishing, and C2 setup despite limited resources.

🔗 Read → https://thehackernews.com/2026/02/google-ties-suspected-russian-actor-to.html
⚠️ Microsoft detailed a new ClickFix variant abusing DNS lookups via nslookup to stage malware.

Victims run commands that fetch payloads from attacker-controlled resolvers, bypassing web defenses and blending into normal traffic.

Leads to RAT deployment and persistence.

🔗 Read here → https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
🚨 Google patched Chrome zero-day CVE-2026-2441, a CVSS 8.8 bug already exploited in attacks.

The CSS use-after-free flaw allows sandboxed remote code execution via malicious pages.

🔗 Read → https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html

First active Chrome zero-day fixed this year. Update now.
Security teams have more telemetry than ever. They’re also falling further behind.

In a new exposure management analysis, Yochai Corem argues the gap isn’t visibility — it’s action. Attackers now scale faster than human response cycles, exploiting known exposures while remediation lags.

🔗 From dashboards to validated fixes → https://thehackernews.com/expert-insights/2026/02/the-uncomfortable-truth-about-more.html