02/25/2026-03/04/2026 Actively Exploited VMware Aria Operations Flaw, 26 Suspicious npm Packages in New Cyber Campaign And More.

1. CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

 CISA has added a newly disclosed flaw affecting VMware Aria Operations to its KEV catalog, citing active attacks. Tracked as CVE-2026-22719 (CVSS 8.1), the high-severity bug is a command injection issue that allows unauthenticated attackers to execute arbitrary commands, potentially leading to remote code execution during support-assisted product migration. The vulnerability was patched alongside CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation). Affected products include VMware Cloud Foundation and VMware vSphere Foundation 9.x (fixed in 9.0.2.0) and VMware Aria Operations 8.x (fixed in 8.18.6). Customers unable to patch immediately can run the “aria-ops-rce-workaround.sh” script as root on each virtual appliance node. Broadcom acknowledged reports of in-the-wild exploitation but said it cannot independently confirm them. Federal Civilian Executive Branch agencies must apply fixes by March 24, 2026.

2. Fake Next.js Job Interview Tests Backdoor Developer’s Devices

A coordinated campaign is targeting software developers with job-themed lures, using malicious repositories disguised as legitimate Next.js projects and coding assessments. The operation aims to achieve remote code execution (RCE), steal sensitive data, and deploy additional payloads on compromised machines. According to Microsoft, attackers created fake web apps and hosted them on platforms like Bitbucket. When developers clone and open the projects, embedded malicious JavaScript executes automatically. The code downloads a backdoor from a remote server and runs it in memory via Node.js. To boost infection rates, the repositories include multiple triggers: a VS Code task that runs on folder open, a trojanized asset activated by “npm run dev,” and a backend module that exfiltrates environment variables and executes attacker-supplied code. The infection deploys staged payloads that profile hosts, connect to command-and-control servers, execute remote tasks, and enable file exfiltration. Developers are urged to enable Workspace Trust, apply security controls, and limit stored secrets.

3. North Korean-Linked Hackers Target Developers Through 26 Suspicious npm Packages in New Cyber Campaign

Cybersecurity researchers have warned of a new threat campaign allegedly tied to North Korean actors, involving 26 malicious packages uploaded to the npm registry. The packages were disguised as legitimate development tools and used typosquatting to mimic popular libraries, increasing the chances of accidental installation. Believed to be a variant of the “Contagious Interview” campaign, the operation reportedly used Pastebin-based steganography to hide command-and-control (C2) addresses inside seemingly harmless text files. Each package executed an installation script that launched a payload from “vendor/scrypt-js/version.js,” which decoded hidden server domains by stripping zero-width Unicode characters and extracting embedded data. The malware supported Windows, macOS, and Linux, and used WebSocket communication to receive commands. It included modules for data theft, VS Code persistence, keylogging, browser credential harvesting, and crypto wallet targeting, while scanning repositories for exposed secrets. The activity has been tentatively linked to the North Korea-associated group Famous Chollima. Developers are urged to verify npm packages carefully.

4. New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel

Cybersecurity researchers have detailed a patched high-severity flaw in Google Chrome that could have enabled privilege escalation and access to local files. Tracked as CVE-2026-0628 (CVSS 8.8), the issue stemmed from insufficient policy enforcement in the WebView tag and was fixed in version 143.0.7499.192/.193 for Windows, Mac, and Linux in January 2026. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw—codenamed “Glic Jack”—affected Chrome’s Gemini Live side panel, which loads content via a WebView component. Attackers could trick users into installing a malicious extension with basic permissions, allowing script injection into the Gemini panel. Successful exploitation could have granted access to the camera, microphone, screenshots, and local files. The bug exposed risks tied to embedding AI agents directly into browsers, where privileged components may introduce new attack surfaces despite existing extension security controls.

5. Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Cybersecurity researchers have uncovered a malicious package on the NuGet Gallery impersonating a legitimate library from Stripe to target the financial sector. The package, named StripeApi.Net, mimicked the official Stripe.net library, which has over 75 million downloads. Uploaded on February 16, 2026, by a user called “StripePayments,” it copied the legitimate package’s icon and nearly identical documentation, subtly altering the name to “Stripe-net.” The attacker also inflated download numbers to more than 180,000 across 506 versions to boost credibility. According to ReversingLabs, the package preserved most legitimate functionality but modified key methods to steal sensitive data, including Stripe API tokens, and exfiltrate them to a remote server. Because applications continued to compile and run normally, developers were unlikely to notice the compromise. The package was reported and removed before causing significant harm.