bleepingcomputer.com

Microsoft's February Patch Tuesday fixes 58 flaws including six zero-days already under attack, with CISA ordering immediate federal remediation.

Researchers say Git-sourced dependencies can re-enable code execution paths even when npm is run with --ignore-scripts, undermining a widely recommended mitigation after 2025’s Shai-Hulud worm.

A CVSS 9.9 command-injection bug in BeyondTrust Remote Support and Privileged Remote Access lets unauthenticated attackers execute OS commands, echoing the zero-days that gave Chinese state hackers access to the U.S. Treasury in 2024.

Binding Operational Directive 26-02 gives agencies 18 months to inventory and replace end-of-life firewalls, routers, and switches that advanced threat actors are actively exploiting.

Threat actor exploited infostealer-harvested passwords to breach enterprise file-sharing platforms at major companies lacking MFA protection.