🔥 Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More

💡 Threat of the Week: AI Skills Marketplaces Become Malware Distribution Channels

OpenClaw's partnership with VirusTotal marks a critical turning point in AI security as autonomous agent ecosystems face mounting threats. The cybersecurity community has raised alarms about AI tools' persistent memory, broad permissions, and user-controlled configurations that could amplify existing risks like prompt injections and data exfiltration.

Trend Micro's discovery of malicious actors on Exploit.in forum actively discussing OpenClaw skills deployment for botnet operations underscores the severity. Veracode's research revealed an explosive growth in npm and PyPI packages containing "claw" - skyrocketing from nearly zero to over 1,000 packages by early February 2026. This creates new avenues for threat actors to smuggle malicious typosquats into AI agent ecosystems.

"Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but also across entire organizations," Trend Micro warned. The security competence required for open-source agentic tools like OpenClaw exceeds that of managed platforms, creating a dangerous gap for organizations rushing to adopt AI automation.

🔔 Top News: Critical Infrastructure Under Siege

German Agencies Warn of Signal Phishing Campaign

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint advisory about a sophisticated state-sponsored phishing campaign targeting high-ranking political, military, and diplomatic figures across Germany and Europe. The attackers exploit legitimate Signal PIN and device linking features to take control of victims' accounts.

Record-Breaking 31.4 Tbps DDoS Attack

The AISURU/Kimwolf botnet claimed responsibility for a record-setting distributed denial-of-service attack peaking at 31.4 Terabits per second, lasting only 35 seconds in November 2025. Cloudflare automatically detected and mitigated this unprecedented assault. The botnet also launched "The Night Before Christmas" campaign starting December 19, 2025. DDoS attacks surged 121% in 2025, averaging 5,376 attacks per hour that required automatic mitigation.

Notepad++ Supply Chain Compromise

Between June and October 2025, threat actors selectively redirected traffic from Notepad++'s updater program, WinGUp, to attacker-controlled servers downloading malicious executables. Despite losing foothold on September 2, 2025, attackers maintained valid credentials to continue routing update traffic until December 2, 2025. The sophisticated attack exploited insufficient update verification controls in older Notepad++ versions.

"Attackers prize distribution points that touch a large population," Forrester analysis stated. "Update servers, download portals, package managers, and hosting platforms become efficient delivery systems because one compromise creates thousands of downstream victims." The attack has been attributed to the Lotus Blossom threat actor.

Docker AI Assistant Critical Vulnerability

A critical-severity bug in Docker's Ask Gordon AI assistant, dubbed DockerDash, can compromise Docker environments through meta-context injection. The vulnerability exists in the Model Context Protocol (MCP) Gateway's contextual trust, where malicious instructions embedded in Docker image metadata labels are forwarded and executed without validation.

Noma Security discovered that the MCP Gateway fails to distinguish between informational metadata and runnable internal instructions. Docker addressed the issue with version 4.50.0 in November 2025.

Microsoft's LLM Backdoor Detection Scanner

Microsoft developed a scanner to detect backdoors in open-weight AI models, addressing a critical blind spot for enterprises dependent on third-party large language models. The company identified three observable indicators of backdoors: shifts in model attention when hidden triggers are present, models leaking their own poisoned data, and partial backdoor versions still triggering intended responses.

"The scanner we developed first extracts memorized content from the model and then analyzes it to isolate salient substrings," Microsoft noted. "Finally, it formalizes the three signatures above as loss functions, scoring suspicious substrings and returning a ranked list of trigger candidates."

🚨 Trending CVEs: Critical Vulnerabilities to Patch Immediately

Security teams should prioritize these critical flaws:

• CVE-2026-25049 (n8n)
• CVE-2026-0709 (Hikvision Wireless Access Point)
• CVE-2026-23795 (Apache Syncope)
• CVE-2026-1591, CVE-2026-1592 (Foxit PDF Editor Cloud)
• CVE-2025-67987 (Quiz and Survey Master plugin)
• CVE-2026-24512 (ingress-nginx)
• CVE-2026-1207, CVE-2026-1287, CVE-2026-1312 (Django)
• CVE-2026-1861, CVE-2026-1862 (Google Chrome)
• CVE-2026-20098 (Cisco Meeting Management)
• CVE-2026-20119 (Cisco TelePresence CE Software and RoomOS)
• Multiple TP-Link Archer BE230 vulnerabilities (CVE-2026-0630 through CVE-2026-22229)
• CVE-2026-22548 (F5 BIG-IP)
• CVE-2026-1642 (F5 NGINX OSS and NGINX Plus)
• CVE-2025-6978 (Arista NG Firewall)

📊 Around the Cyber World: Emerging Threats and Trends

OpenClaw Security Concerns Escalate

Pillar Security reported attackers actively scanning exposed OpenClaw gateways on port 18789. "The traffic included prompt injection attempts targeting the AI layer -- but the more sophisticated attackers skipped the AI entirely," researchers Ariel Fogel and Eilon Cohen said. "They connected directly to the gateway's WebSocket API and attempted authentication bypasses, protocol downgrades to pre-patch versions, and raw command execution."

Censys identified 21,639 exposed OpenClaw instances as of January 31, 2026. "Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust," Hudson Rock warned. "Without encryption-at-rest or containerization, the 'Local-First' AI revolution risks becoming a goldmine for the global cybercrime economy."

MoltBook Prompt Injection Risks

Simula Research Laboratory's analysis of MoltBook revealed 506 prompt injection attacks targeting AI readers, sophisticated social engineering tactics exploiting agent psychology, anti-human manifestos receiving hundreds of thousands of upvotes, and unregulated cryptocurrency activity comprising 19.3% of all content.

Simon Willison, who coined "prompt injection" in 2022, described MoltBook as "the most interesting place on the internet right now." The platform allows AI agents built on OpenClaw to communicate, post, comment, upvote, and create sub-communities without human intervention. While pitched as a way to offload tedious tasks, the deep access AI agents have to personal information creates significant security pitfalls.

EtherHiding Malware Distribution

Veracode discovered 54 malicious npm packages using Ethereum smart contracts as dead drop resolvers to fetch command-and-control servers. This EtherHiding technique makes takedown efforts more difficult, allowing operators to modify infrastructure without changing malware itself.

"The malware includes environment checks designed to evade sandbox detection, specifically targeting Windows systems with 5 or more CPUs," Veracode reported. The malware profiles systems, establishes registry persistence via COM hijacking, and loads second-stage payloads from C2 servers.

Ukraine's Starlink Verification System

Ukraine implemented mandatory verification for Starlink satellite internet terminals after confirming Russian forces installing the technology on attack drones. The government introduced an allowlist system where only verified and registered devices can operate in the country, with all other terminals automatically disconnected.

Cellebrite Tech Used Against Jordanian Activists

Citizen Lab revealed the Jordanian government used Cellebrite digital forensic software to extract data from phones belonging to at least seven activists and human rights defenders between late 2023 and mid-2025. The extractions occurred during interrogations or detentions, targeting activists who organized protests supporting Palestinians in Gaza.

Citizen Lab uncovered iOS and Android indicators of compromise tied to Cellebrite in all four phones forensically analyzed. Authorities have been using Cellebrite since at least 2020.

ShadowHS Fileless Linux Framework

Cyble discovered ShadowHS, a stealthy Linux framework running entirely in memory for covert post-exploitation control. "Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long-term interactive control over compromised systems," Cyble said.

The loader decrypts and executes payloads exclusively in memory, leaving no persistent binary artifacts. The framework supports credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and data exfiltration modules.

Criminal Justice Updates

Rui-Siang Lin, 24, received a 30-year prison sentence for administering Incognito Market, which facilitated over $105 million in drug sales and 640,000 narcotics transactions. Lin operated under "Pharaoh" from January 2022 to March 2024, enabling 1,800 vendors to serve 400,000+ customers.

Cyber Centaurs helped a dozen victims recover data by breaching the INC Ransomware group's backup server where stolen data was dumped. "While INC Ransomware demonstrated careful planning, hands-on execution, and effective use of legitimate tools, they also left behind infrastructure and artifacts that reflected reuse, assumption, and oversight," the company said.

Illicit Marketplace Activity

TRM Labs analysis revealed the Telegram-based guarantee marketplace Xinbi processed approximately $17.9 billion in total transaction volume, while competitors Haowang and Tudou Guarantee dropped by 100% and 74% respectively.

AI-powered offensive security platform XBOW discovered two previously unknown Insecure Direct Object Reference (IDOR) vulnerabilities in Spree e-commerce platform, allowing attackers to access guest address information without credentials and retrieve other users' address information by editing legitimate orders.

📺 Cybersecurity Webinars and Tools

Cloud Forensics Innovation

Modern cloud attacks move fast and leave minimal evidence. New approaches use host-level data and AI to reconstruct attacks faster, understand what really happened, and improve incident response across SOC teams.

Post-Quantum Cryptography

Quantum computing threatens to break today's encryption, with attackers already collecting encrypted data for future decryption. Organizations need practical strategies and deployment models to protect sensitive data before quantum threats materialize.

YARA Rule Skill (Community Edition)

This AI-powered tool helps write, review, and improve YARA detection rules by analyzing logic errors, weak strings, and performance problems using established best practices. Security teams use it to strengthen malware detection and improve rule accuracy.

Anamnesis Research Framework

Anamnesis tests how LLM agents turn vulnerability reports and small trigger PoCs into working exploits under real defenses (ASLR, NX, RELRO, CFI, shadow stack, sandboxing). It runs controlled experiments to see what bypasses work and what that implies for practical risk.

📋 Conclusion: The Expanding Attack Surface

The critical takeaway this week is clear: exposure is growing faster than visibility. Many risks aren't coming from unknown threats but from known systems being used in unexpected ways. Security teams must monitor not just networks and endpoints, but ecosystems, integrations, and automated workflows.

Attackers are operating across all layers simultaneously, blending old techniques with new access paths. Staying secure requires understanding how every connected system can influence the next and closing those gaps before they're chained together. The modern threat landscape demands comprehensive visibility and layered defense strategies that account for AI ecosystems, supply chains, and automated workflows as integral parts of the attack surface.