Microsoft just dropped patches for SIX actively exploited zero-day vulnerabilities — and that's just the beginning. In this week's Hacking News, we break down the February 2026 Patch Tuesday emergency, North Korea's Lazarus Group poisoning npm and PyPI through fake job recruiters, nation-state hackers weaponizing Google's Gemini AI (including malware that writes its own payloads), a massive Dutch telecom breach affecting 6.2 million people, and a U.S. government contractor breach that ballooned from 4 million to potentially tens of millions affected. This is Exploit Brokers by Forgebound Research — cybersecurity news, threat intelligence, and insights. Whether you're a security analyst, developer, or just someone who wants to stay informed, this episode has something for you. 🔔 Subscribe and hit the bell so you never miss an episode. ⭐ Listening on Spotify or Apple Podcasts? A follow and 5-star rating helps others find the show. --- ⏱️ TIMESTAMPS 0:00 — Cold Open: Did You Run Windows Update? 0:51 — Forge OS Intro 0:55 — Welcome & CTA 1:20 — Microsoft Patch Tuesday: 6 Actively Exploited Zero-Days 6:08 — Lazarus Group "GraphAlgo": Fake Recruiters Poison npm & PyPI 10:02 — Nation-States Weaponize Google Gemini AI (HONESTCUE Malware) 15:05 — Odido Breach: 6.2 Million Dutch Records Stolen 18:38 — Conduent Breach Expands from 4M to Tens of Millions 21:55 — Recap & 5 Key Takeaways 23:54 — Outro --- 📰 STORIES COVERED Story 1 — Microsoft February 2026 Patch Tuesday • 58 vulnerabilities patched, 6 actively exploited zero-days • CVE-2026-21510: Windows SmartScreen bypass (CVSS 8.8) — "widespread active exploitation" • CVE-2026-21513: MSHTML security bypass • CVE-2026-21514: Microsoft Word OLE bypass • CVE-2026-21533: Remote Desktop Services privilege escalation to SYSTEM • CVE-2026-21519: Desktop Window Manager type confusion → SYSTEM • CVE-2026-21525: RasMan denial of service (VPN crash) • Google, CrowdStrike, Acros Security & Microsoft collaborated on discovery Story 2 — Lazarus Group "GraphAlgo" Campaign • 192 malicious npm/PyPI packages targeting JavaScript & Python developers • Fake crypto companies (e.g., "Veltrix Capital") used for recruitment lures • Package "bigmathutils" had 10,000+ downloads before payload injection at v1.1.0 • Full-featured RAT with token-based C2 authentication • Attribution: Medium-to-high confidence (Lazarus/DPRK) — GMT+9 commit timestamps Story 3 — Nation-State Actors Weaponize Google Gemini • Google GTIG report (Feb 12, 2026) confirms NK, Iran, China, Russia using Gemini • UNC2970 (Lazarus overlap) using AI for OSINT and target profiling • Iran's APT42 crafting native-sounding phishing with AI • HONESTCUE malware: Uses Gemini API to generate & execute C# payloads in memory (fileless + polymorphic) • COINBAIT phishing kit built using Lovable AI coding platform Story 4 — Odido (Netherlands) Data Breach • 6.2 million customers affected (~1/3 of the Netherlands' population) • Stolen: Names, addresses, emails, phone numbers, DOBs, IBANs, passport/license numbers • Formerly T-Mobile Netherlands; subsidiary Ben also affected • Part of broader telecom targeting pattern (Salt Typhoon, SK Telecom, Free SAS) Story 5 — Conduent Breach Expansion • Jan 2025 ransomware attack originally reported as 4M affected • Now: 15.4M in Texas alone, 10.5M in Oregon, plus DE, MA, NH and more • Total potentially tens of millions across the U.S. • Safeway ransomware gang claimed 8TB stolen • SSNs, medical data, health insurance information compromised --- 📋 KEY TAKEAWAYS 1. Patch like it's urgent — 6 actively exploited zero-days can't wait 2. Your package manager is an attack surface — sandbox job assessment code 3. AI is a force multiplier for attackers — bad grammar is no longer a reliable phishing indicator 4. Telecom data is a goldmine — verify everything through official channels 5. Breach disclosures can be icebergs — monitor your identity proactively --- 🔗 SOURCES Microsoft Patch Tuesday: • BleepingComputer — https://www.bleepingcomputer.com • Krebs on Security — https://krebsonsecurity.com • SecurityWeek — https://www.securityweek.com • Malwarebytes — https://www.malwarebytes.com • Rapid7 — https://www.rapid7.com • Help Net Security — https://www.helpnetsecurity.com • TechCrunch — https://techcrunch.com Lazarus GraphAlgo: • ReversingLabs — https://www.reversinglabs.com • The Hacker News — https://thehackernews.com • BleepingComputer — https://www.bleepingcomputer.com • SC Media — https://www.scworld.com • Security Affairs — https://securityaffairs.com Gemini AI Weaponization: • Google GTIG Blog — https://blog.google/technology/safety-security/ • The Hacker News — https://thehackernews.com • Infosecurity Magazine — https://www.infosecurity-magazine.com • AI News — https://www.artificialintelligence-news.com Odido Breach: • BleepingComputer — https://www.bleepingcomputer.com • The Register — https://www.theregister.com • TechCrunch — https://techcrunch.com • SecurityWeek — https://www.securityweek.com • The Record — https://therecord.media • NL Times — https://nltimes.nl Conduent Breach: • TechCrunch — https://techcrunch.com --- 🏷️ HASHTAGS #cybersecurity #hackingnews #zeroday #microsoft #patching #lazarusgroup #npm #supplychainattack #gemini #AI #malware #databreach #ransomware #infosec #threathunting #exploitbrokers #forgeboundresearch #northkorea #nationstate #cyberthreat #patchtuesday #developers #phishing #telecom #OSINT ---

A newly uncovered state-backed espionage group has compromised 70 organizations across 37 countries in a single year — and they were scanning infrastructure in 155 more. In this episode of Hacking News, we break down Palo Alto Unit 42's Shadow Campaigns investigation, a CVSS 9.9 pre-authentication RCE in BeyondTrust's remote access tools, a state-sponsored Signal phishing campaign targeting European politicians and military officials without using a single line of malware, CISA's aggressive new directive ordering federal agencies to rip out end-of-life edge devices, and an Everest ransomware claim against Iron Mountain that turned out to be far less than advertised.

Whether you're a cybersecurity professional, IT admin, or just someone who wants to stay informed about the threats facing our digital world — this episode has critical takeaways you can act on today.

🔒 Key Topics Covered: • TGR-STA-1030 "Shadow Campaigns" — state-backed espionage across 37 countries • BeyondTrust CVE-2026-1731 — CVSS 9.9 pre-auth RCE in remote access tools • Signal Phishing Campaign — German BfV/BSI advisory on account hijacking • CISA BOD 26-02 — Binding directive to eliminate end-of-support edge devices • Iron Mountain / Everest Ransomware — 1.4TB breach claims vs. reality

⏱️ Timestamps: 0:00 — Cold Open: One group, 37 countries breached 1:10 — Forge OS Intro 1:14 — Welcome & CTA 1:38 — Shadow Campaigns: State-Backed Espionage at Unprecedented Scale 7:04 — BeyondTrust CVE-2026-1731: CVSS 9.9 Pre-Auth RCE 11:07 — Signal Phishing: Hijacking Accounts Without Malware 14:10 — CISA BOD 26-02: Rip Out Your End-of-Life Edge Devices 16:55 — Iron Mountain vs. Everest Ransomware: Claims vs. Reality 19:38 — Recap & Key Takeaways 21:40 — Outro

📌 Resources & Sources: • Unit 42 Shadow Campaigns Report: https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/ • BeyondTrust Security Advisory BT26-02: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 • German BfV/BSI Signal Phishing Advisory: https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html • CISA BOD 26-02 Directive: https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices • Iron Mountain / Everest Coverage: https://cybernews.com/security/iron-mountain-data-breach-claims/

🎧 Listen on Spotify & Apple Podcasts — search "Exploit Brokers by Forgebound Research" and hit follow!

💬 Found this valuable? Share it with a coworker or friend who touches a computer.

— Exploit Brokers by Forgebound Research Host: Cipherceval "Learn more about the threats we face and gain a bit more knowledge than yesterday."

Microsoft just dropped an emergency patch for an Office zero-day being exploited in the wild. A WordPress plugin has a CVSS 10.0 vulnerability — that's the golden goose of hacking. 900,000 Chrome users had their ChatGPT conversations stolen by malicious extensions with Google's Featured badge. And two cybersecurity professionals pleaded guilty to moonlighting as ransomware affiliates.

Welcome to 2026. It's gonna be a fun year.

In this episode:

• CVE-2026-21509: Microsoft Office zero-day (security feature bypass)
• CVE-2026-23550: WordPress Modular DS critical vulnerability
• Prompt Poaching: Chrome extensions stealing AI conversations
• Brightspeed breach: Crimson Collective claims 1M+ records
• Insider threat: Security pros turned BlackCat/ALPHV affiliates

Key takeaway: Update your stuff. A patch does you no good if it isn't installed.

Subscribe for weekly cybersecurity news, vulnerability breakdowns, and threat intelligence.

https://forgeboundresearch.com/podcasts/

Exploit Brokers is back—under a new banner.

In this episode, I explain why the show went quiet, what Forgebound Research means, and how the podcast is evolving. We're shifting to a hybrid model: some episodes will be news commentary with technical insight, others will be lab-driven deep dives where I actually pull apart the malware or the vulnerable code.

Beyond the podcast, I'm launching The Forgebound Lab on YouTube—security research, hardware teardowns, creative engineering, maker builds, and learning in public.

Same host. Same mission. New chapter.

Welcome to Forgebound Research.

—Cipherceval

🔗 YouTube: https://www.youtube.com/@ForgeboundResearch 🐦 Podcast Twitter: https://x.com/exploitbrokers

🐦 Forgebound Twitter: https://x.com/ForgeboundLabs

# Title * HN59 - Microsoft AI Discovers 20 Zero-Day Vulnerabilities in Bootloaders! ## Description 🔍 Microsoft's AI Uncovers 20 Zero-Day Threats | CoffeeLoader Malware Gets Smarter In this episode of Exploit Brokers, Cipherceval dives into how Microsoft Security Copilot, powered by AI, discovered over 20 previously unknown vulnerabilities in popular bootloaders like GRUB2, U-Boot, and Barebox. These flaws could allow attackers to bypass Secure Boot and install stealthy bootkits. We also explore the terrifying evolution of CoffeeLoader malware — now equipped with GPU-based cloaking, Windows fibers, and sleep obfuscation — making it one of the most advanced malware loaders in circulation today. Whether you're into cybersecurity, AI advancements, or just curious about the future of hacking and defense, this episode breaks it all down. 📌 Like, Subscribe & Hit the Bell to stay ahead of the threats! #CyberSecurity #AI #MicrosoftCopilot #CoffeeLoader #Malware #Rootkit #ZeroDay #ExploitBrokers #InfoSec #Hacking #EDREvasion 💬 What's your take on AI in security? Tool or threat? Drop your thoughts below! 🎙️ Hosted by Cipherceval | Exploit Brokers Podcast 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn59 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers ⏱️ Timeline: 00:00 – Intro 00:44 – Microsoft AI Finds 20+ Critical Bootloader Vulnerabilities 10:02 – CoffeeLoader Malware's Advanced Evasion Techniques 17:50 – Final Thoughts: AI in Cybersecurity & What Comes Next 🔗 References & Sources * Microsoft Uses AI for Security: https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/ * CoffeeLoader: https://www.darkreading.com/threat-intelligence/coffeeloader-malware-evasion-tricks

Welcome to Exploit Brokers with your host Cipherceval! In this deep dive, we uncover a sophisticated cyber assault where hackers exploited Microsoft SharePoint to launch the Havoc C2 via a stealthy click fix attack. Learn how a single click can trigger malicious PowerShell commands, turning everyday corporate tools into gateways for cybercrime. In this episode, we explore: • How click fix attacks trick users into executing harmful commands • The role of social engineering in modern cyber warfare • The rising threat of ransomware targeting Middle Eastern banks and financial institutions • The importance of patching, penetration testing, and proactive cybersecurity measures Whether you're a cybersecurity expert or just curious about digital threats, this breakdown provides essential insights into how cybercriminals are reshaping the rules of digital warfare. Stay informed and protect yourself from these evolving dangers. Don't forget to like, subscribe, and hit the bell icon for more updates on cybersecurity trends! #CyberSecurity #HavocC2 #ClickFix #SharePointHack #Ransomware #DigitalWarfare #CyberAttack #Malware #SocialEngineering #ExploitBrokers 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn58 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers Timeline: 0:00 Intro 0:19 Opener 0:45 Subscribe 1:06 Sharepoint Malware 12:03 Ransomware Targets Middle East banks 23:36 Conclusion and Outro 🔗 References & Sources * ClickFix Attack: https://www.bleepingcomputer.com/news/security/new-clickfix-attack-deploys-havoc-c2-via-microsoft-sharepoint/ * UAE : https://www.darkreading.com/cyber-risk/targeted-ransomware-middle-east-banks-security

In this episode of Exploit Brokers, we dive into the dark world of cybercrime, exploring two alarming topics: a malicious Android loan app masquerading as a financial tool and Xerox printer vulnerabilities that could be leaking your credentials. Learn how loan sharks have moved from traditional methods to sophisticated digital predation, exploiting unsuspecting users via apps like SpyLoan. We break down how these apps bypass Google Play's protections, steal sensitive data, and push predatory lending practices, especially targeting vulnerable users. Additionally, we uncover how attackers are using patched vulnerabilities in Xerox Versalink C7025 printers to manipulate configurations, capture user credentials, and potentially gain lateral access to entire Windows environments. Whether you're a tech enthusiast or a cybersecurity professional, this episode offers valuable insights into how digital crime is evolving and what you can do to protect yourself. Don't forget to like, subscribe, and hit the notification bell for more in-depth analyses on cybersecurity threats and exploits. #CyberSecurity #AndroidMalware #LoanSharks #XeroxPrinterHack #DataBreach #DigitalCrime #SpyLoan #CyberThreats #ExploitBrokers #TechNews 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn57 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers 🔗 References & Sources * Xerox: https://www.darkreading.com/iot/xerox-printer-vulnerabilities-credential-capture * Malicious App: https://www.bleepingcomputer.com/news/security/spylend-android-malware-downloaded-100-000-times-from-google-play/

In today's episode of Exploit Brokers, we dive deep into two major security threats making waves across the digital world. A critical Remote Code Execution (RCE) vulnerability in Microsoft Outlook is putting millions of users at risk, with hackers exploiting it through spear phishing emails and malicious links. Not only that, but we're also uncovering the stealthy tactics of the notorious North Korean hacking group, Kimsuky. They're evolving their methods with custom RDP wrappers and proxy tools to evade detection while gaining unauthorized access to systems. Stay informed about the latest threats, learn how to keep your systems secure, and protect yourself from the growing wave of cyberattacks that are more dangerous than ever. #OutlookRCE #Cybersecurity #Hacking #ExploitBrokers #CyberThreats #Phishing #RDPWrapper #Kimsuky #RemoteCodeExecution #MicrosoftSecurity #TechNews #Malware #DataBreach #EmailSecurity #Hackers #InfoSec #SecurityUpdates #cyberdefense 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn56 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers 🔗 References & Sources * Kimsuky hackers: https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-custom-rdp-wrapper-for-remote-access/ * RCE in Outlook: https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-microsoft-outlook-now-exploited-in-attacks/

Welcome back to Exploit Brokers! In today's video, we dive deep into a critical 7‑Zip vulnerability that's being exploited by Russian cybercriminals to bypass Windows' security protections. If you've used 7‑Zip at all, you need to know how this flaw can let hackers sneak past the Mark-of-the-Web (MOTW) and deploy dangerous malware like Smoke Loader. We'll also explore a parallel threat in the Go ecosystem—malicious packages exploiting caching mechanisms to gain persistent remote access to your system. From double-zipped archives to supply chain attacks, we break down the tactics, the risks, and most importantly, what you can do to protect yourself and your organization. In this video you'll learn: How the 7‑Zip vulnerability works and why updating to the latest version is crucial. The role of Windows' MOTW and how hackers are bypassing this key security feature. Details on the deployment of Smoke Loader malware and its implications. How malicious Go packages and supply chain attacks can compromise your systems. Practical tips to safeguard your data and networks against these emerging threats. Stay informed, stay secure—hit that like button, subscribe, and ring the bell for more cybersecurity insights! Drop your questions or thoughts in the comments below—we love hearing from you! #Cybersecurity #7Zip #WindowsSecurity #Malware #SmokeLoader #GoLang #SupplyChainAttack #Cybercrime #InfoSec #Hacking #RussianHackers #APT #NationStateHackers #exploits #ZeroDays 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn55 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers 🔗 References & Sources * Malicious Cached Go Modules: https://thehackernews.com/2025/02/malicious-go-package-exploits-module.html * Russian hackers Exploit 7-zip: https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html

Lazarus Group's Secret Admin Layer EXPOSED – Major Cybersecurity Discovery! 🔥💻 Security researchers have uncovered a hidden admin layer used by North Korea's Lazarus Group to manage their Command and Control (C2) servers. This sophisticated network of VPNs and proxies allows them to execute cyberattacks worldwide—mainly targeting cryptocurrency developers and software supply chains. In today's episode, we break down: ✅ How Lazarus Group operates and funds North Korea's cybercrime efforts ✅ The Operation 99 attack targeting Web3 developers ✅ The supply chain risks that could impact thousands ✅ How Android 16's new security features are stepping up protection ✅ Why 2G connectivity and sideloading bans are crucial for mobile security With nation-state hackers, malware campaigns, and evolving cyber threats, it's more important than ever to stay informed. Don't forget to like, subscribe, and hit the bell to keep up with the latest in cybersecurity! 💬 What do you think? Are these security updates enough, or do we need even stricter measures? Let me know in the comments! #Cybersecurity #LazarusGroup #Hacking #NorthKorea #Android16 #CyberThreats #Infosec #Malware #TechNews #CryptoSecurity #SupplyChainAttack #EthicalHacking #PrivacyMatters #TechExplained 👍 Enjoyed the episode? Give it a like and share your thoughts in the comments below! 🔔 Don't forget to subscribe and hit the notification bell to stay updated on all things cybersecurity and tech. Listen to our podcast on: Apple Podcasts Spotify And wherever you get your podcasts! Show Notes: https://exploitbrokers.com/podcasts/hn54 📢 Connect with us: Newsletter: https://follow.exploitbrokers.com Twitter: @ExploitBrokers Medium: https://medium.com/@exploitbrokers TikTok: https://www.tiktok.com/@exploitbrokers 🔗 References & Sources * Lazarus C2 Infrastructure: https://www.darkreading.com/cyberattacks-data-breaches/researchers-uncover-lazarus-admin-layer-c2-servers * Operation 99: https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/ * Advanced Protection Mode: https://www.androidauthority.com/android-16-advanced-protection-mode-3518368/