Cyware Daily Threat Intelligence, February 13, 2026

The North Korea-linked Lazarus Group is weaponizing the job hunt with its graphalgo campaign, targeting developers with high-stakes recruitment lures. By posing as blockchain firms and assigning fake coding tasks, they trick candidates into installing malicious packages like bigmathutils via npm and PyPI.
A wave of malicious Chrome extensions is turning browser customizers and AI assistants into silent data harvesters. From the CL Suite scraping Meta Business data to the VK Styles campaign hijacking 500,000 accounts, these tools abuse high-level permissions to exfiltrate everything from private Gmail content to TOTP codes.
CISA has sounded the alarm on CVE-2024-43468, a critical SQL injection flaw in Microsoft Configuration Manager whose status has officially shifted from "Exploitation Less Likely" to actively exploited. By weaponizing the very tool used to manage thousands of endpoints, attackers can turn an organization’s central IT hub into a launchpad for network-wide compromise and lateral movement.
Top Malware Reported in the Last 24 Hours
Lazarus Group targets developers with malware
Cybersecurity researchers have identified a new campaign by the North Korea-linked Lazarus Group, which targets developers through malicious packages in the npm and PyPI ecosystems. Codenamed "graphalgo," this campaign has been active since May 2025 and employs fake recruitment strategies to lure developers into installing malware. The malicious packages, such as "bigmathutils," are designed to deploy RATs that can steal sensitive data and execute commands on infected systems. The malware uses a token-based communication mechanism for secure command-and-control operations.
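One practical response to a campaign like this is to check a project's declared npm and PyPI dependencies against the package names reported as malicious before installing anything a "recruiter" sends. The script below is an added example, not code from the digest or from the researchers it summarizes. Its blocklist contains the one name the digest gives (bigmathutils) plus a clearly labelled placeholder entry; the package.json and requirements.txt inputs are constructed samples. It normalizes PyPI names per PEP 503 so that casing and separator variants of a listed name are still caught; it is a name-based check only and will not flag typosquats or packages absent from the list.

```python
"""Audit declared npm/PyPI dependencies against a blocklist of reported names.

Added example (not part of the Cyware digest). The blocklist is constructed:
"bigmathutils" comes from the digest; "example-bad-pkg-placeholder" is a
placeholder and not a real reported package.
"""
import json
import re

BLOCKLIST = {
    "npm": {"bigmathutils", "example-bad-pkg-placeholder"},
    "pypi": {"bigmathutils", "example-bad-pkg-placeholder"},
}


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_npm(name: str) -> str:
    """npm names are case-sensitive but published names must be lowercase."""
    return name.strip().lower()


def npm_names(package_json: str) -> set:
    """Collect dependency names from every dependency section of package.json."""
    data = json.loads(package_json)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}).keys())
    return names


# A requirement line starts with the project name; specifiers/extras follow.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def pypi_names(requirements_txt: str) -> set:
    """Collect project names from requirements.txt, skipping comments/options."""
    names = set()
    for line in requirements_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or an option like -r/-e
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def find_flagged(package_json=None, requirements_txt=None) -> list:
    """Return (ecosystem, declared_name) pairs whose normalized name is listed."""
    hits = []
    if package_json:
        for n in sorted(npm_names(package_json)):
            if normalize_npm(n) in BLOCKLIST["npm"]:
                hits.append(("npm", n))
    if requirements_txt:
        for n in sorted(pypi_names(requirements_txt)):
            if normalize_pypi(n) in BLOCKLIST["pypi"]:
                hits.append(("pypi", n))
    return hits


# Constructed sample inputs standing in for files from a "coding task" repo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "take-home-task",
    "dependencies": {"express": "^4.18.0", "bigmathutils": "1.0.2"},
    "devDependencies": {"jest": "^29.0.0"},
})

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests>=2.31
BigMathUtils==1.0.2  # casing differs from the reported name; still caught
-r base.txt
"""

if __name__ == "__main__":
    for ecosystem, name in find_flagged(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(f"FLAGGED [{ecosystem}] {name}")
```

Run it against a cloned task repository by reading its package.json and requirements.txt into the two arguments; any hit is a reason to stop and inspect the repository offline rather than run `npm install` or `pip install`.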
Malicious Chrome extensions steal sensitive data
Cybersecurity researchers have uncovered several malicious Chrome extensions that are designed to steal sensitive data from users. One such extension, CL Suite, targets Meta Business Suite and Facebook Business Manager, exfiltrating TOTP codes, contact lists, and analytics data. Another campaign, known as VK Styles, has hijacked around 500,000 VKontakte accounts through deceptive extensions that manipulate user settings and enforce unwanted subscriptions. Additionally, a group of AI-themed extensions, collectively referred to as AiFrame, siphons data from users by embedding remote interfaces that access sensitive browser capabilities, including Gmail content. A broader investigation revealed 287 Chrome extensions that exfiltrate browsing history to data brokers, affecting approximately 37.4 million installations worldwide. These developments illustrate the increasing abuse of browser extensions by malicious actors to harvest valuable user information.
Top Vulnerabilities Reported in the Last 24 Hours
CISA warns of critical Microsoft SCCM flaw
CISA has identified a critical vulnerability in Microsoft Configuration Manager (CVE-2024-43468), initially patched in October 2024, which is now being actively exploited in attacks. This SQL injection flaw enables unauthenticated attackers to execute arbitrary commands with high-level privileges on the server and its database by sending specially crafted requests. Although Microsoft previously categorized the vulnerability as "Exploitation Less Likely," this assessment changed after the security firm Synacktiv released proof-of-concept exploitation code. As a result, CISA has mandated that federal agencies secure their systems against this threat.
Critical BeyondTrust RCE vulnerability exploited
A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access appliances is currently being exploited in attacks. This flaw, which has a near-maximum CVSS score of 9.9, affects versions 25.3.1 and earlier of Remote Support and 24.3.4 and earlier of Privileged Remote Access. BeyondTrust disclosed the vulnerability on February 6, warning that it can be triggered by unauthenticated attackers sending specially crafted requests. Hacktron discovered and responsibly disclosed the flaw on January 31, noting that around 11,000 BeyondTrust Remote Support instances are exposed online. Following the publication of a proof-of-concept exploit targeting the /get_portal_info endpoint, attackers have begun actively exploiting the vulnerability to execute commands on vulnerable systems.