Today’s roundup
Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088
U.S. CISA adds Microsoft Office, GNU InetUtils, SmarterTools SmarterMail, and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun
Critical sandbox escape flaw found in popular vm2 NodeJS library
Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor
Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan
ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services
Researchers Uncover 454,000+ Malicious Open Source Packages
WhatsApp rolls out Strict Account settings to strengthen protection for high-risk users
Summary
Fortinet has issued emergency updates for FortiOS to address CVE-2026-24858, a critical and actively exploited authentication bypass in FortiCloud SSO, FortiManager, and FortiAnalyzer. The flaw, with a CVSS score of 9.4, was initially mitigated by blocking vulnerable firmware.
Google warns of active exploitation of WinRAR vulnerability CVE-2025-8088. This high-severity path traversal flaw is being leveraged by nation-state actors and financially motivated groups for initial access and payload delivery in widespread attacks.
The U.S. CISA added five actively exploited flaws to its KEV catalog, requiring federal agencies to patch them by February 16, 2026. These include an Office security bypass (CVE-2026-21509), two SmarterMail flaws (CVE-2026-23760, CVE-2025-52691), a GNU InetUtils telnet daemon vulnerability, and a Linux Kernel integer overflow.
Security firm Koi revealed "PackageGate," six zero-day vulnerabilities in JavaScript package managers NPM, PNPM, VLT, and Bun. These bypass supply chain protections, enabling malicious code execution, with NPM reportedly declining to fix its identified issues.
A critical sandbox escape vulnerability, CVE-2026-22709, was found in the popular vm2 Node.js library. This flaw permits attackers to escape the sandbox and execute arbitrary code on the host system, posing a significant RCE risk.
The Chinese espionage group Mustang Panda is deploying an updated CoolClient backdoor variant. This version adds the ability to steal browser login data and monitor the clipboard, extending the group's infostealing operations.
Fake Python spellchecker packages, "spellcheckerpy" and "spellcheckpy," on PyPI were found delivering a remote access trojan (RAT). Despite removal, over 1,000 downloads occurred, highlighting persistent open-source supply chain risks.
New "ClickFix-style" attacks are expanding, using fake CAPTCHAs, signed Microsoft App-V scripts, and trusted web services. The campaign distributes the Amatera information stealer while evading common detection and execution-path monitoring.
Sonatype reports the discovery of over 454,000 malicious open-source packages in 2025, indicating an industrialization of threats targeting software supply chains. This surge poses a substantial risk for developers and organizations.
WhatsApp rolled out new Strict Account Settings to protect high-risk users from sophisticated spyware. This feature, applying restrictive privacy settings, blocks unknown attachments and silences calls. Meta also integrated Rust into media sharing for enhanced memory safety.