
Programmer’s Digest #172

02/11/2026-02/18/2026 Malicious npm and PyPI Packages Linked to Lazarus APT, Ivanti EPMM Exploit And More.

1. CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update

CISA has added four actively exploited flaws to its KEV catalog. The vulnerabilities include CVE-2026-2441, a use-after-free bug in Google Chrome that can enable heap corruption via a crafted webpage; CVE-2024-7694, an arbitrary file upload flaw in TeamT5 ThreatSonar Anti-Ransomware; CVE-2020-7796, an SSRF issue in Zimbra Collaboration Suite; and CVE-2008-0015, a buffer overflow in Microsoft Windows Video ActiveX Control that allows remote code execution.

Google recently confirmed in-the-wild exploitation of CVE-2026-2441. Meanwhile, threat researchers previously observed large-scale abuse of the Zimbra flaw, and Microsoft warned the 2008 bug has been used to spread malware such as the Dogkild worm.

Federal agencies must apply patches by March 10, 2026, to mitigate risks.

2. Patch Immediately: BeyondTrust Remote Code Execution Flaw Exploited in the Wild

BeyondTrust has released urgent updates to fix a critical remote code execution vulnerability (CVE-2026-1731, CVSS 9.9) affecting its Remote Support (RS) and Privileged Remote Access (PRA) products, with evidence of active exploitation. The flaw allows unauthenticated attackers to execute arbitrary system commands through specially crafted requests, potentially leading to full compromise, data theft, or service disruption.

The issue was discovered by Hacktron AI using AI-driven variant analysis and disclosed in January 2026. Internet scans from Shodan indicate about 11,000 exposed instances, many of them on-premise deployments that remain vulnerable until patched.

BeyondTrust automatically updated SaaS environments, but on-premise customers must apply patches or upgrade manually. Administrators are urged to verify systems quickly, as the vulnerability is easy to exploit and attractive to attackers seeking ransomware or lateral movement within enterprise networks.

3. Malicious npm and PyPI Packages Linked to Lazarus APT Fake Recruiter Campaign

Researchers from ReversingLabs have uncovered malicious npm and PyPI packages tied to a fake recruitment campaign attributed to the North Korea-linked Lazarus Group. The operation, dubbed “graphalgo,” has been active since May 2025 and targets JavaScript and Python developers with fraudulent cryptocurrency-related job offers. Attackers pose as recruiters on LinkedIn, Facebook, and Reddit, directing victims to GitHub “interview tasks” that secretly depend on malicious packages. Some packages, such as bigmathutils, built trust and gained thousands of downloads before being updated to deliver malware.

The campaign uses a multi-stage approach: creating fake companies and websites, distributing poisoned open-source dependencies, and installing remote-access trojans capable of executing commands, accessing files, and searching for cryptocurrency wallets.

Researchers say the activity shows the hallmarks of Lazarus operations, including staged payloads, delayed malicious updates, encrypted communications, and a modular design that allows attackers to rotate front-end infrastructure while maintaining the same backend systems.

4. 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

Most exploitation attempts against a critical flaw in Ivanti Endpoint Manager Mobile (EPMM) have been traced to a single IP address hosted on infrastructure run by PROSPERO. According to GreyNoise, 417 exploitation sessions were recorded between February 1 and 9, 2026, with 83% originating from one source. The activity targets CVE-2026-1281 (CVSS 9.8) and CVE-2026-1340, vulnerabilities that enable unauthenticated remote code execution. Ivanti confirmed limited real-world compromises, and several European organizations—including the Dutch Data Protection Authority and the European Commission—reported targeting attempts. Researchers also observed the same host exploiting unrelated flaws in Oracle WebLogic, GNU InetUtils, and GLPI, suggesting automated scanning. About 85% of probes used DNS callbacks to verify vulnerable systems without deploying malware, consistent with initial-access operations. Security experts advise patching immediately, auditing internet-facing MDM systems, reviewing DNS logs, and blocking PROSPERO’s network ranges to reduce risk.

5. Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

A critical zero-day vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited since mid-2024 by a suspected China-linked threat cluster, UNC6201, according to researchers from Google Mandiant and Google Threat Intelligence Group. The flaw involves hard-coded credentials that allow unauthenticated attackers to gain root-level access, deploy web shells, and install backdoors such as BRICKSTORM and its newer variant GRIMBOLT. Attacks have primarily targeted North American organizations and appliances that often lack endpoint detection tools, enabling long-term persistence. Investigators observed techniques such as temporary “Ghost NICs” to move laterally and erase evidence. UNC6201 shares tactics with another China-linked cluster, UNC5221, though they are considered distinct. Separately, Dragos reported activity by Volt Typhoon compromising cellular gateways in energy sectors, then pivoting into operational technology networks, highlighting growing risks to industrial systems.
