Microsoft dropped patches for six actively exploited zero-day vulnerabilities in a single Patch Tuesday — the attackers had keys before the locksmith could change the locks. HN62 covers that plus Lazarus Group poisoning npm packages via fake job postings, nation-state actors weaponizing Google AI, a 6-million-person telecom breach in the Netherlands, and a government contract breach escalating to tens of millions of Americans potentially affected.
Stories Covered
Microsoft Patch Tuesday: 6 Zero-Days Under Active Exploitation
February 2026 Patch Tuesday addressed 58 vulnerabilities across Windows, Office, Azure, and developer tools — but the headline is six zero-days already being exploited before Microsoft had fixes available. Highlights include CVE-2026-21510, a Windows Shell SmartScreen bypass (CVSS 8.8) confirmed under widespread active exploitation by Google Threat Intelligence, and CVE-2026-21513 targeting the legacy MSHTML rendering engine. If you have not restarted after this update, pause and do that now.
Lazarus Group Poisons npm via Fake Job Recruiters
North Korean state hackers (Lazarus Group) posed as job recruiters to get developers to run malicious npm packages as part of the interview process. Once installed, the packages established persistence and exfiltrated credentials and source code. Supply chain attacks through developer tooling have become a Lazarus signature move.
Nation-State Actors Using Google AI Against Targets
Government-backed threat actors were caught using Google AI tools — specifically Gemini — to accelerate reconnaissance, draft phishing content, and debug malicious code. This marks a clear shift: AI-assisted offense is no longer theoretical, it is operational tradecraft for advanced persistent threats.
Dutch Telecom Breach and U.S. Government Data Exposure
A breach at a major Dutch telecom provider exposed data on over six million subscribers. Separately, a U.S. government contract breach that initially appeared contained has expanded in scope to potentially affect tens of millions of Americans, with investigators still assessing the full damage.
Leave a Reply