CyberNews: 04/02/2026 Edition

Published by Dunateo on 2026-02-04

Today’s roundup

  • U.S. CISA adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog
  • Hackers abused React Native CLI flaw to deploy Rust malware before public disclosure
  • Microsoft: Info-Stealing malware expands from Windows to macOS
  • Two Critical Flaws in n8n AI Workflow Automation Platform Allow Complete Takeover
  • Google Looker Bugs Allow Cross-Tenant RCE, Data Exfil
  • Step Finance says compromised execs' devices led to $40M crypto theft
  • Coinbase confirms insider breach linked to leaked support tool screenshots
  • Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions
  • 8-Minute Access: AI Accelerates Breach of AWS Environment
  • Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata

Summary

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, adding a critical SolarWinds Web Help Desk deserialization vulnerability (CVE-2025-40551) with a CVSS score of 9.8, which allows unauthenticated remote code execution. Federal agencies are mandated to patch this flaw by February 6, 2026. CISA also included two Sangoma FreePBX flaws (CVE-2019-19006, CVE-2025-64328) and a GitLab SSRF vulnerability (CVE-2021-39935), with federal agencies required to remediate these by February 24, 2026. The SolarWinds flaw was discovered by Horizon3.ai.

    Threat actors were observed actively exploiting a critical React Native CLI Metro server flaw (CVE-2025-11953), dubbed Metro4Shell, to deploy Rust malware weeks before its public disclosure. The vulnerability, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary commands, particularly on Windows systems, due to the dev server binding to external interfaces by default. Exploitation involved multi-stage PowerShell loaders, disabling Microsoft Defender, and custom UPX-packed Rust payloads, with VulnCheck reporting consistent activity since December 21, 2025.

    Microsoft has issued a warning regarding the rapid expansion of information-stealing attacks beyond Windows, now significantly targeting Apple macOS environments. These campaigns leverage cross-platform languages like Python and abuse trusted platforms for distribution. Tactics include social engineering via fake ads and malicious DMG installers, deploying macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Attackers utilize fileless execution and native macOS utilities to harvest credentials, session data, and secrets from various sources.

    Two critical vulnerabilities have been discovered in the n8n AI Workflow Automation Platform by Pillar Security, which could lead to severe security incidents including supply chain compromise, credential harvesting, and complete system takeover attacks. The identified flaws underscore significant risks for organizations utilizing this automation platform.

    Researchers have uncovered multiple bugs in Google Looker, a business intelligence platform, that could enable cross-tenant remote code execution (RCE) and data exfiltration. The vulnerabilities reportedly allowed attackers to compromise one vulnerable Looker user and potentially gain unauthorized access to environments belonging to other Google Cloud Platform (GCP) tenants.

    Step Finance, a DeFi project, reported a loss of $40 million in digital assets following a cyberattack that compromised devices belonging to the company's executive team. The incident highlights the critical security risks associated with executive devices and their access to high-value assets within cryptocurrency platforms.

    Coinbase has confirmed an insider data breach in which a contractor improperly accessed the data of approximately thirty customers. The incident, which occurred in December, involved unauthorized access to sensitive information via leaked support-tool screenshots; Coinbase has acknowledged it as a new security event.

    In a move to bolster software supply chain security, the Eclipse Foundation, maintainers of the Open VSX Registry, announced it will enforce mandatory security checks for Microsoft Visual Studio Code (VS Code) extensions before publication. This policy shift aims to proactively prevent malicious extensions from being introduced into the open-source repository.

    An AI-assisted cyberattack successfully breached an AWS cloud environment in just eight minutes, rapidly escalating to administrative privileges. The attack reportedly originated from exposed credentials found in public S3 buckets, demonstrating how AI can significantly accelerate the speed and efficacy of cloud environment compromises.

    Docker has addressed a critical security vulnerability, codenamed DockerDash by Noma Labs, affecting Ask Gordon, its AI assistant integrated into Docker Desktop and the Docker Command-Line Interface (CLI). The flaw allowed for remote code execution and sensitive data exfiltration through the manipulation of unverified image metadata.

    Vulnerabilities

    CVE-2025-40551 Critical
    CVE-2019-19006 Critical
    CVE-2025-64328 High
    CVE-2021-39935 Medium
    CVE-2025-11953 Critical