Today’s roundup
TP-Link warns users to patch critical router auth bypass flaw
PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
The Kill Chain Is Obsolete When Your AI Agent Is the Threat
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR
FCC targets foreign router imports amid rising cybersecurity concerns
Cybercrime group Lapsus$ claims the hack of pharma giant AstraZeneca
Malicious LiteLLM versions linked to TeamPCP supply chain attack
QualDerm Partners December 2025 data breach impacts over 3 Million people
Stryker says malware was involved in recent cyberattack as production lines reopen
Summary
TP-Link has released patches for a critical-severity authentication bypass flaw in its Archer NX router series. An unauthenticated attacker can skip the login and potentially upload new firmware, gaining full control of the device; users are urged to update promptly.
PTC Inc. issued a critical warning for a severe remote code execution (RCE) vulnerability in its widely used Windchill and FlexPLM product lifecycle management (PLM) solutions. Urgent patching is advised to mitigate this imminent threat.
Anthropic disclosed a September 2025 incident in which a state-sponsored actor used an AI coding agent to conduct largely autonomous cyber espionage against about 30 global targets. The agent handled 80-90% of the tactical work at machine speed, including reconnaissance and exploit writing, with the human operators stepping in only at key decision points.
An active device code phishing campaign, detected February 19, 2026, targets over 340 Microsoft 365 organizations across five countries. It abuses the OAuth device authorization flow: victims are lured into entering an attacker-generated code on the legitimate Microsoft login page, which hands the attacker tokens and persistent access to their M365 identities.
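Because the device code flow signs in through a legitimate Microsoft endpoint, the tell is usually in the sign-in logs rather than in mail filters. The following is an added example, not code from the article or from Microsoft: Entra ID sign-in records (the Microsoft Graph `signIn` resource) carry an `authenticationProtocol` field whose value is `deviceCode` when the device authorization grant was used, and this script flags device-code sign-ins from a country the user has never otherwise signed in from. The record layout is a flattened, trimmed subset of that schema, and the sample records are constructed for the demonstration.

```python
"""Flag Microsoft 365 device-code sign-ins that break a user's usual pattern.

Added example, not from the original article. The record layout below is a
constructed, flattened subset of the Entra ID sign-in log schema (the Graph
`signIn` resource); the sample records themselves are made up.
"""
from collections import defaultdict

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US",
     "appDisplayName": "Microsoft 365", "createdDateTime": "2026-02-18T09:02:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US",
     "appDisplayName": "Outlook", "createdDateTime": "2026-02-18T13:40:00Z"},
    # Device-code sign-in from a country alice has never signed in from: suspicious.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NL",
     "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-02-19T03:11:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.55", "countryOrRegion": "DE",
     "appDisplayName": "Teams", "createdDateTime": "2026-02-18T08:00:00Z"},
    # Device-code sign-in from bob's usual country: consistent with a legitimate CLI login.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.55", "countryOrRegion": "DE",
     "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-02-18T08:30:00Z"},
    # Device-code sign-in for a user with no other sign-ins in the window: flag it.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NL",
     "appDisplayName": "Microsoft Office", "createdDateTime": "2026-02-19T03:14:00Z"},
]


def baseline_countries(signins):
    """Map each user to the set of countries seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            seen[rec["userPrincipalName"]].add(rec["countryOrRegion"])
    return seen


def find_suspicious_device_code_signins(signins):
    """Return device-code sign-ins whose country is absent from the user's baseline.

    A user with no baseline at all is treated as suspicious too: a first-ever
    sign-in for a user arriving through the device code flow deserves a look.
    """
    baseline = baseline_countries(signins)
    alerts = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["countryOrRegion"] not in baseline.get(rec["userPrincipalName"], set()):
            alerts.append(rec)
    return alerts


def shared_source_ips(alerts):
    """Group alerts by source IP; one IP hitting several users points at one campaign."""
    by_ip = defaultdict(list)
    for rec in alerts:
        by_ip[rec["ipAddress"]].append(rec["userPrincipalName"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_suspicious_device_code_signins(SAMPLE_SIGNINS)
    for rec in hits:
        print(f'{rec["createdDateTime"]} {rec["userPrincipalName"]} deviceCode from '
              f'{rec["ipAddress"]} ({rec["countryOrRegion"]}) app={rec["appDisplayName"]}')
    print("shared source IPs:", shared_source_ips(hits))
```

In a real deployment the baseline would come from a longer window than the alert window, and the same `deviceCode` value can also be used as a Conditional Access condition to block the flow outright for users who have no business using it.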
A large-scale malvertising campaign uses Google Ads on tax-related searches to deliver rogue ConnectWise ScreenConnect installers. These drop HwAudKiller, which loads a vulnerable Huawei driver (a bring-your-own-vulnerable-driver, or BYOVD, technique) to kill endpoint detection and response (EDR) software from kernel mode.
The U.S. FCC added new foreign-made consumer routers to its "Covered List" over national security and cyber risks, which blocks their sale in the U.S. without special approval. The agency cited past exploitation of such routers by groups like Volt Typhoon against U.S. critical infrastructure.
The Lapsus$ cybercrime group claims to have breached pharmaceutical giant AstraZeneca, stealing 3GB of sensitive data. Allegedly, credentials, authentication tokens, internal code repositories, and employee details were exfiltrated, though AstraZeneca has not yet confirmed the incident.
Threat actor TeamPCP compromised LiteLLM versions 1.82.7-1.82.8 on PyPI via a Trivy CI/CD breach, shipping a multi-stage payload that harvests credentials, moves laterally across Kubernetes, and installs a persistent backdoor. In one of the two versions the payload runs whenever any Python interpreter starts, not only when LiteLLM is imported.
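Two checks a practitioner would want to run after this kind of incident, as an added example that is not the article's or the LiteLLM project's code: whether the installed `litellm` falls in the affected range, and whether any `.pth` file in site-packages carries an `import` line. Python's `site` module executes such lines at every interpreter start, which is one mechanism (assumed here, the page does not name it) by which a package can run code "on any Python startup". The sample `.pth` contents are constructed.

```python
"""Post-incident triage for a compromised PyPI package.

Added example, not from the article or the LiteLLM project. Checks the
installed litellm version against the affected range named in the article
and scans site-packages for .pth files that execute code on startup (an
assumed persistence mechanism, not one the article describes).
"""
import os
import site
from importlib.metadata import PackageNotFoundError, version

AFFECTED_RANGE = ((1, 82, 7), (1, 82, 8))  # inclusive, from the article


def parse_version(text):
    """Turn '1.82.7' or '1.82.8rc1' into a comparable tuple of leading integers."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(version_text):
    """True when the version is within the inclusive affected range."""
    lo, hi = AFFECTED_RANGE
    return lo <= parse_version(version_text) <= hi


def suspicious_pth_lines(pth_text):
    """Return lines of a .pth file that the site module would exec().

    site.addpackage() executes any line starting with 'import ' or 'import\\t';
    every other non-comment line is merely appended to sys.path.
    """
    return [line for line in pth_text.splitlines()
            if line.startswith(("import ", "import\t"))]


def scan_pth_files(directories):
    """Walk site-packages-like directories and report .pth files with import lines."""
    findings = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = suspicious_pth_lines(fh.read())
            except OSError:
                continue
            if lines:
                findings[path] = lines
    return findings


def installed_litellm_version():
    """Installed litellm version string, or None when it is not installed."""
    try:
        return version("litellm")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    ver = installed_litellm_version()
    print("litellm:", ver, "AFFECTED" if ver and is_affected_version(ver) else "")
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, lines in scan_pth_files(dirs).items():
        print(path)
        for line in lines:
            print("   ", line)
```

Legitimate packages do ship `.pth` import hooks (editable installs and some coverage tools, for instance), so every hit needs a human look; the point of the scan is to surface them, because nothing in a normal `pip list` or `pip audit` run will.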
QualDerm Partners, a U.S. healthcare provider, reported a December 2025 data breach affecting over 3.1 million individuals. Unauthorized access led to the theft of sensitive personal, medical, and health insurance information, including government IDs. Affected individuals are offered identity theft protection.
Medical device firm Stryker confirmed malware was involved in a recent cyberattack that disrupted its operations. Production lines are reopening two weeks after suspected Iranian cyber actors reportedly wiped over 200,000 company devices.
Want to dig deeper?
Cyber Groups
| Group | Aliases | Naming family | Country |
| --- | --- | --- | --- |
| Volt Typhoon | BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus | Typhoon | China |
Malware Families