Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 12, 2026


A malicious NPM package named duer-js has turned the developer ecosystem into a hunting ground for Discord users and Windows systems. By hiding a "Bada Stealer" payload within a labyrinth of obfuscated code, the package silently harvests everything from credit card details to Discord tokens.

The discovery of AgreeToSteal marks a predatory new milestone: the first known instance of a malicious Microsoft Outlook add-in being weaponized for mass credential theft. By hijacking an abandoned domain once linked to a legitimate utility, an attacker resurrected a "dead" tool to serve as a high-fidelity phishing gateway.

The most recent Patch Tuesday has become a massive coordinated defense effort, with over 60 vendors racing to close critical gaps across the global software landscape. While Microsoft neutralized six actively exploited zero-days, SAP and Intel faced their own battles against flaws that could lead to full database takeovers or compromised "confidential computing" environments.

Top Malware Reported in the Last 24 Hours

Malicious NPM package spreads Bada Stealer

A malicious NPM package named "duer-js" has been discovered, distributing the "Bada Stealer" malware that primarily targets Windows systems and Discord users. Published by the user "luizaearlyx," this package contains heavily obfuscated code designed to evade analysis, featuring a long JavaScript blob wrapped in an eval() call. Once executed, the malware aggressively collects sensitive data from major Chromium-based browsers, including passwords, cookies, and credit card information, and extracts user data from Discord, such as tokens and profile details. The stolen data is sent to a hard-coded Discord webhook and uploaded to a legitimate file-sharing service, complicating detection efforts. Additionally, the initial payload downloads a second obfuscated script that injects malicious code into Discord, allowing real-time capture of sensitive information during user interactions, including login credentials and payment details.
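The two indicators the write-up names, a long blob handed to eval() and a hard-coded Discord webhook URL, are both visible in a package's source before it is ever installed, so they make a cheap pre-install triage check. The following is an added example written for this briefing, not code from the report or from the package it describes: it scans the JavaScript files of an unpacked package for eval() calls, very long single-line string literals, and Discord webhook URLs, and rolls the findings up into a verdict. The sample package contents are constructed for the demonstration, and the regexes are deliberately simple pattern matches rather than a full JavaScript parser.

```javascript
// Added example (not code from the report or from the package it describes):
// a static triage pass over a package's JavaScript files that flags a long
// string blob handed to eval() and a hard-coded Discord webhook URL.
// The sample package below is constructed for the demo.

const DISCORD_WEBHOOK_RE =
  /https?:\/\/(?:ptb\.|canary\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/g;
const EVAL_CALL_RE = /\beval\s*\(/g;
// A single-line string literal of 500+ characters, allowing escaped characters inside
const LONG_STRING_RE = /(["'`])(?:\\.|(?!\1)[^\\\n]){500,}\1/g;

// Shannon entropy in bits per character; packed or encoded blobs score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length; // 1-based line number
}

function triageSource(file, source) {
  const findings = [];
  for (const m of source.matchAll(EVAL_CALL_RE)) {
    findings.push({ file, line: lineOf(source, m.index), indicator: 'eval-call' });
  }
  for (const m of source.matchAll(LONG_STRING_RE)) {
    const body = m[0].slice(1, -1); // strip the surrounding quotes
    findings.push({
      file, line: lineOf(source, m.index), indicator: 'long-string-literal',
      length: body.length, entropy: Number(shannonEntropy(body).toFixed(2)),
    });
  }
  for (const m of source.matchAll(DISCORD_WEBHOOK_RE)) {
    findings.push({ file, line: lineOf(source, m.index), indicator: 'discord-webhook', value: m[0] });
  }
  return findings;
}

// files: { relativePath: sourceText }, e.g. the contents of an unpacked npm tarball
function triagePackage(files) {
  return Object.entries(files)
    .filter(([p]) => p.endsWith('.js') || p.endsWith('.cjs') || p.endsWith('.mjs'))
    .flatMap(([p, s]) => triageSource(p, s));
}

// eval over a packed blob plus a webhook exfil channel is the combination described above.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.indicator));
  const packed = kinds.has('eval-call') && kinds.has('long-string-literal');
  if (packed && kinds.has('discord-webhook')) return 'high';
  if (packed || kinds.has('discord-webhook')) return 'medium';
  if (kinds.size > 0) return 'low';
  return 'none';
}

// Constructed sample package; the webhook id and token are placeholders.
const SAMPLE_PACKAGE = {
  'package.json': '{"name":"example-pkg","version":"1.0.0","main":"index.js"}',
  'index.js': [
    '// postinstall helper (constructed sample)',
    'const hook = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN";',
    'const blob = "' + 'ZXhhbXBsZQ=='.repeat(60) + '";',
    'eval(Buffer.from(blob, "base64").toString());',
  ].join('\n'),
};

const SAMPLE_FINDINGS = triagePackage(SAMPLE_PACKAGE);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
console.log('verdict:', verdict(SAMPLE_FINDINGS));
```

Run it against the extracted contents of a tarball (for instance the output of `npm pack`) before the package is installed; the `eval-call` plus `long-string-literal` pair is what warrants a manual look, and the webhook URL is the exfil channel to block at the egress proxy.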

OysterLoader: Evasive multi-stage malware threat

OysterLoader, also known as Broomstick and CleanUp, is a sophisticated multi-stage malware loader developed in C++ that primarily targets victims through fake websites mimicking legitimate software. First reported in June 2024, it is associated with the Rhysida ransomware group and is used to distribute various malware, including the infostealer Vidar. The infection process involves four stages: starting with a packer that obfuscates the payload, followed by custom shellcode for decompression, a downloader for additional malicious payloads, and finally executing the core malware. Notably, OysterLoader employs advanced evasion techniques, including excessive legitimate API calls to confuse analysis and dynamic API resolution to hide dependencies. Its C2 communication is intricate, utilizing custom encoding and multiple server layers to maintain persistence and evade detection.

First malicious Outlook add-in discovered

Cybersecurity researchers have identified the first known malicious Microsoft Outlook add-in, dubbed "AgreeToSteal," which has been used to steal over 4,000 Microsoft credentials. This attack involved an unknown hacker claiming an abandoned domain associated with a legitimate add-in, allowing them to serve a fake Microsoft login page. Users were unknowingly directed to this phishing site, where their credentials were captured and exfiltrated via the Telegram Bot API. The add-in, designed to help users manage calendars and share availability, had last been updated in December 2022. 

Top Vulnerabilities Reported in the Last 24 Hours

Apple patches critical zero-day vulnerability

Apple has released critical updates for iOS and macOS to address a zero-day vulnerability, tracked as CVE-2026-20700, which affects the dyld system component responsible for loading dynamic libraries. This memory corruption flaw has been exploited in sophisticated attacks targeting specific individuals, and its exploitation is linked to two previously patched vulnerabilities in WebKit. Apple noted that the updates, included in iOS 26.3 and other system releases, resolve nearly 40 vulnerabilities in iOS and iPadOS, and over 50 in macOS Tahoe. The security patches also address issues that could lead to information exposure, denial-of-service, and arbitrary code execution. 

Windows 11 Notepad flaw allows RCE

A critical vulnerability in Windows 11 Notepad, tracked as CVE-2026-20841, allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links without any security warnings. This flaw enabled attackers to exploit the application by creating Markdown files that contained malicious links. When users opened these files in Notepad and clicked the links, the application would execute unverified protocols, running the malicious code in the user's security context. Microsoft addressed this issue in the February 2026 Patch Tuesday updates, implementing warnings for non-standard URI links. Despite the fix, concerns remain about the potential for social engineering, as users could still be misled into bypassing the warnings.
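The mitigation Microsoft shipped amounts to a scheme check on each link target before it is handed to the operating system. The following is an added example of that check, written for this briefing and not Notepad's own code: it pulls inline links and autolinks out of a Markdown document, extracts each target's URI scheme, allows only http, https and mailto (an assumed allowlist) and relative paths, and marks everything else for a warning prompt. The sample document is constructed, and the two regexes are a simplification of CommonMark link syntax rather than a full parser.

```javascript
// Added example (not Notepad's code): pre-open audit of Markdown link targets.
// Anything whose scheme is outside the allowlist gets a 'warn' decision, which
// is where a viewer would show the kind of prompt described above.

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allowlist

// [label](target "optional title"), with an optional <...> around the target
const INLINE_LINK_RE = /\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// <scheme:target> autolinks
const AUTOLINK_RE = /<([a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>]+)>/g;

// Returns the lowercase scheme, or null for relative paths and fragments.
// A Windows drive letter such as C:\ also parses as a "scheme" here, which is
// the desired outcome: a local path is not in the allowlist and gets a warning.
function schemeOf(target) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(target);
  return m ? m[1].toLowerCase() : null;
}

function classifyTarget(target) {
  const scheme = schemeOf(target);
  if (scheme === null) return 'relative';
  return ALLOWED_SCHEMES.has(scheme) ? 'allowed' : 'warn';
}

function auditMarkdown(md) {
  const results = [];
  for (const m of md.matchAll(INLINE_LINK_RE)) {
    results.push({ label: m[1], target: m[2], scheme: schemeOf(m[2]), decision: classifyTarget(m[2]) });
  }
  for (const m of md.matchAll(AUTOLINK_RE)) {
    results.push({ label: m[1], target: m[1], scheme: schemeOf(m[1]), decision: classifyTarget(m[1]) });
  }
  return results;
}

// Constructed sample document; "myapp-helper" is a placeholder custom scheme.
const SAMPLE_MD = [
  '# Release notes',
  'See the [docs](https://example.com/docs) and mail [support](mailto:help@example.com).',
  'Local [readme](./README.md) and an autolink <https://example.com/>.',
  'Vendor tool: [open helper](myapp-helper:run?profile=1).',
].join('\n');

for (const r of auditMarkdown(SAMPLE_MD)) {
  console.log(`${r.decision.padEnd(8)} ${r.scheme ?? '(relative)'}  ${r.target}`);
}
```

The useful property of an allowlist over a blocklist is that a scheme nobody anticipated is still caught; the residual risk the write-up points out, a user clicking through the warning, is not something this check can remove, only surface.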

Over 60 vendors release critical security patches

On Patch Tuesday, over 60 software vendors, including Microsoft, Adobe, and SAP, released critical security updates to address various vulnerabilities in their products. Microsoft issued patches for 59 flaws, among which were six actively exploited zero-day vulnerabilities that could allow attackers to bypass security measures and escalate privileges. Adobe updated several applications, although it reported no known exploitation of the vulnerabilities. SAP addressed two critical vulnerabilities, including a code injection flaw that could lead to full database compromise and a missing authorization check that could allow unauthorized actions by low-privileged users. Additionally, Intel and Google discovered multiple vulnerabilities in Intel's Trust Domain Extensions, highlighting the complexities introduced by new features in confidential computing. Other vendors, such as Apple, Cisco, and NVIDIA, also released updates to rectify security issues across their platforms.
