Absolutely, it's notable, and we can acknowledge that without the FUD or exaggerated claims.
Some posts have cited "5 million machines." That's simply Cline's total install milestone from Jan 30, not the number exposed to the Feb 17 update...
This was a contained, low-impact incident, but still a useful reminder about supply chain security. We can stay and keep others aware, without FUD.
The GitHub advisory mentions "an unauthorized party" which can confuse attribution and social media posts got it wrong.
The Feb 17 npm publish misused a long-lived token and was quickly patched in v2.4.0.
There's no evidence of widespread compromise or "ongoing" malicious activity.
Yes, the incident involved "unauthorized publishing" - it did not deliver a destructive payload or compromise widespread endpoints.
Researcher Adnan Khan had disclosed a proof-of-concept vulnerability on Feb 9, 2026, responsibly, on a mirror repo. He did NOT publish the compromised package.
Advisory clarifies only cline@2.3.0 on npm was affected for ~8 hours.
The version included a postinstall script installing OpenClaw, which is a legitimate/benign open source package, not malware. Rest of the CLI code was unchanged.
⚠️ Seeing a lot of exaggerated or misleading posts about the recent Cline CLI supply chain incident, so here's some context.
Feb 17 incident is clearly documented in the low-severity advisory: github.com/cline/cline/...
Extensive dataset contains: names, emails, phone numbers, addresses, IPs, purchase history, and partial payment card data.
Even without full card numbers, the data can fuel targeted #phishing and fraud campaigns.
Beware if you receive suspicious communications appearing to come from Canada Goose.
The company says it's seen no evidence of a recent breach of its own systems, and the data relates to historical customer transactions: www.bleepingcomputer.com/news/securit...
Canada Goose says it is reviewing a 1.67 GB dataset leaked by ShinyHunters extortion group, with more than 600,000 customer records.
Restaurants are going cash-only, and utility payments are disrupted. The City of Palm Bay, FL and City of Frisco, TX both reported inability to accept online credit card payments. Other organizations, including Lightspeed Commerce and ThriftTrac, have also reported service impacts.
🚨 Nationwide payment card-processing outage tied to #ransomware attack.
Payments platform BridgePay confirms a #ransomware attack has knocked key systems offline, impacting merchants and municipal services across the U.S.
www.bleepingcomputer.com/news/securit...
Despite #Zendesk suggesting safeguards and tightening up security last month, the massive spam wave has returned, flooding inboxes with hundreds of bogus 'Activate account...' emails that bypass #spam filters.
www.bleepingcomputer.com/news/securit...
Responsible disclosure is built on an assumption that "doing the right thing" would = timely action, fair treatment, and maybe a bounty reward.
Lately, that assumption is collapsing.
For CISOs, this is gradually becoming a risk management nightmare.
www.csoonline.com/article/4124...
A NationStates game player found a critical vulnerability but then crossed a line: he copied production data and app code.
Finding a flaw is enough. Demonstrate it safely, report it and stop there. Holding data isn't clever, ever.
www.bleepingcomputer.com/news/securit...
Pax8 email sent out yesterday from an account manager accidentally contained a spreadsheet with data on 1,800 MSP partners.
Such data can expose who runs what, at what scale, and when contracts renew.
This serves as prime intel, not just for competitors/customer poaching, but threat actors aiming to launch targeted phishing, BEC and extortion attacks.
BREAKING: Threat actors are seeking data on ~1,800 MSPs after a Pax8 spreadsheet with customer and Microsoft licensing info was accidentally emailed to over three dozen partners yesterday.
www.bleepingcomputer.com/news/securit...
Especially problematic when these comments contain official lnkd[.]in shortener links and link previews don't load fully at times.
You'd have no definitive way of knowing that these are phishing at a first glance until you click!
Heads up: A new #phishing campaign is abusing LinkedIn comment-replies and directing users to external links to lift a bogus "temporary restriction."
www.bleepingcomputer.com/news/securit...
This can compromise your privacy, particularly when using Telegram in restrictive countries to bypass censorship.
Telegram downplays the design flaw, but will warn users about proxy links with a note.
Tapping a @username should open that user's profile, not take you to a sus link 🤷‍♀️
⚠️ Telegram privacy alert: Don't tap any @usernames or links in chats. These can actually be hidden proxy URLs. Tapping them just once can trigger a direct connection that reveals your real IP address to a third party with one click:
www.bleepingcomputer.com/news/securit...
Update: Multiple current and former Target employees have reached out to confirm that the source code and documentation shared by a threat actor match real internal systems.
A company-wide Slack announcement also announced "accelerated" access changes.
www.bleepingcomputer.com/news/securit...
We shared the materials with Target, after which the sample data disappeared and access to git[.]target[.]com was restricted. The dataset advertised by the actor is claimed to be ~860 GB in size. Target went silent after we shared evidence and links to the Gitea repos suggesting a possible breach.
EXCLUSIVE: Target's developer Git server went offline shortly after hackers claimed they had stolen internal source code and published what they claim are sample repositories for sale.
www.bleepingcomputer.com/news/securit...
Microsoft Copilot prompt injections: vulnerabilities or AI limits?
Microsoft implies that these don't constitute "serviceable vulnerabilities." But security pros are divided, especially when AIs like Claude restrict inputs that can cause system prompt leaks.
www.bleepingcomputer.com/news/securit...
What an awful perk this is...it's saying "hey, get addicted to nicotine so we can squeeze more ideas out of you."
Tech Startups Are Handing Out Free Nicotine Pouches to Boost Productivity
www.wsj.com/tech/tech-st...
Not all CISA KEV listings mean urgent risk. CVE-2025-59374 formalizes the 2019 ASUS ShadowHammer supply-chain attack, not a new exploit.
FAQ updates, older guidance, and new context shared by CISA below signal a classification effort, not an active threat.
www.bleepingcomputer.com/news/securit...
Even if a flight reservation looks valid, it might only be a hold, not a ticket. If you see just a PNR or reservation number (but no e-ticket number), call up the airline to confirm before paying!
⏩ Watch on BBC iPlayer: www.bbc.co.uk/iplayer/epis...
With holidays coming up, this scam poses a very real threat. After filming with us, Leslie was thankfully reimbursed in full by her bank, but not all victims may be that lucky.
Can't believe it, but... the "real" flight ticket trick is still claiming victims. 🛫✈️
Scammers sell "tickets" that appear valid on the airline website for days, and then vanish.
I'd written about this exact scam in 2023: www.wired.com/story/plane-...
▶️ Now available on iPlayer
📡 Next episode: Friday 10.45am
www.bbc.co.uk/iplayer/epis...