Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/cst.
B (0:17)
Major enterprise remote access software vulnerability actively exploited. DNS lookups turned into malware delivery channels. AI-generated content pushing Mac infostealers. Fake recruiters targeting developers with coding tests that deliver malware. And npm tightens security, but supply chain risks remain. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.
We begin with an urgent alert for organizations running BeyondTrust remote access infrastructure. A critical vulnerability tracked as CVE-2026-1731 is now being actively exploited in the wild. It carries a near-perfect CVSS score of 9.9 out of 10. The flaw affects BeyondTrust Remote Support versions 25 and earlier and Privileged Remote Access versions 24 and earlier. This is a pre-authentication remote code execution vulnerability, meaning attackers do not need valid credentials or user interaction to exploit it. It's as bad as it gets. BeyondTrust says specially crafted client requests can allow an unauthenticated attacker to execute operating system commands in the context of the site user. That opens the door to full system compromise, including unauthorized access, data exfiltration, and service disruption. SaaS-hosted instances of BeyondTrust were automatically patched earlier in February. However, on-premise deployments require manual updates. Researchers estimate 11,000 exposed instances are visible, including approximately 8,500 on-prem systems. Threat intelligence firm watchTowr reports attackers are exploiting the get_portal_info endpoint to extract an identifier known as x-ns-company, then using it to establish a WebSocket session and execute commands remotely. If you are running self-hosted BeyondTrust appliances, immediate patching is critical, and given confirmed exploitation, unpatched systems should be treated as potentially compromised.
Microsoft is detailing a new evolution of the ClickFix social engineering technique, one that uses DNS itself as a malware staging channel. At the center of this variation is nslookup, a legitimate network diagnostic tool available on both Windows and macOS. On Windows, it can be launched through the Run dialog or Command Prompt. On macOS, it runs through the Terminal. In these campaigns, victims are redirected to fake CAPTCHA or troubleshooting pages and instructed to run what appears to be a harmless command. Instead, the command performs a DNS lookup against an attacker-controlled DNS server, not the system's default resolver. The DNS response is then parsed and the returned Name value becomes the second-stage payload. Microsoft describes this as using DNS as a lightweight staging and signaling channel. Because DNS traffic is constant in enterprise environments, it blends more easily into normal operations than traditional web-based malware delivery. From there, the attack can download a zip archive, extract a malicious Python script, perform reconnaissance, and deploy ModeloRAT, a Python-based remote access Trojan. Persistence is achieved by creating startup shortcuts so the malware launches on reboot. This activity coincides with increased Lumma Stealer distribution through similar ClickFix-style campaigns. The key point here: the attack does not exploit a software flaw. It relies on users being tricked into executing attacker-controlled commands themselves by convincing them they need to prove they're human.
Threat actors are now blending AI platforms and search advertising to target macOS users. Researchers report that attackers are abusing publicly shared Claude LLM artifacts, AI-generated content hosted on Anthropic's Claude platform, to distribute malicious terminal commands. These artifacts can appear in search results for queries like "online DNS resolver" or "Homebrew install". In some cases, they are promoted through malicious search ads.
Users are instructed to copy and paste commands into the macOS Terminal. The commands are often obfuscated, but they retrieve a malware loader from attacker-controlled infrastructure. The payload delivered in observed campaigns includes an infostealer known as MacSync. Once executed, this malware uses AppleScript and system utilities to harvest sensitive data from Keychain, browser storage, and cryptocurrency wallets. The collected data is then archived and exfiltrated to command and control servers. Researchers identified multiple active campaign variants, and at least one malicious artifact accumulated tens of thousands of views. The broader pattern here is clear. Attackers are combining AI-generated content, search engine manipulation, and social engineering to deliver malware without exploiting software vulnerabilities.
Developers are now being targeted with a clever new malware campaign. Security researchers have uncovered campaigns where threat actors pose as recruiters and distribute malware through fake job interview coding assignments. Targets are approached on platforms like LinkedIn and Reddit with offers for blockchain or tech roles. Applicants are given coding challenges that require running or debugging provided projects. Hidden within those provided projects are malicious dependencies hosted on legitimate repositories such as npm and PyPI. Researchers link the campaign, known as Graphalgo, to nearly 200 different malicious packages. Some packages closely mimic legitimate library names. Once installed, the malware can provide remote access, enumerate processes, exfiltrate files, and download additional payloads. This tactic targets developers because development environments often provide access to sensitive infrastructure, source code and credentials. Verification of recruiter identity and isolating untrusted projects are critical safeguards.
Our final story today looks at npm's authentication overhaul following the Shai-Hulud supply chain worm incident.
Historically, npm relied on long-lived classic tokens. If compromised, attackers could publish malicious versions of trusted packages. npm has now revoked classic tokens and shifted to short-lived, session-based credentials, typically valid for about 2 hours. Publishing workflows increasingly default to multi-factor authentication. npm is also promoting OIDC trusted publishing, allowing CI systems to obtain short-lived per-run credentials instead of storing long-term secrets. These are meaningful security improvements. However, some concerns remain. First, MFA phishing attacks against maintainers have succeeded in the past. Even short-lived access may be enough to publish a malicious update. Second, MFA on publish is not mandatory. Still, developers can still create long-lived tokens that bypass MFA protections. If attackers gain access to such tokens, the original supply chain risk re-emerges. Analysts cited in recent articles about npm's improvements also note that in the vast majority of compromised npm packages reviewed, the malware was introduced in the publishing artifact, not in the upstream source code, suggesting that building from verified source could significantly reduce exposure. npm has strengthened its defaults, but until short-lived, identity-bound credentials and mandatory MFA become universal, supply chain compromise remains a material threat and these open source projects a tempting target.
And that's Cybersecurity Today for Monday, February 16th. I've been your host, David Shipley. Thank you for listening. And thank you for making Cybersecurity Today one of the top 10 news shows in Canada, the United States and the United Kingdom. If you found this episode valuable, please take a moment to like, subscribe or leave a review. We'd love to reach even more people and we continue to need your help. Jim Love will be back on Wednesday.
