⚡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More  Ravie Lakshmanan  Feb 09, 2026 Hacking News / Cybersecurity Cyber threats are no longer coming from just malware or exploits. They’re showing up inside the tools, platforms, and ecosystems organizations use every day. As companies connect AI, cloud apps, developer tools, and communication systems, attackers are following those same paths. A clear pattern this week: attackers are abusing trust. Trusted updates, trusted marketplaces, trusted apps, even trusted AI workflows. Instead of breaking security controls head-on, they’re slipping into places that already have access. This recap brings together those signals — showing how modern attacks are blending technology abuse, ecosystem manipulation, and large-scale targeting into a single, expanding threat surface. ⚡ Threat of the Week OpenClaw announces VirusTotal Partnership — OpenClaw has announced a partnership with Google's VirusTotal malware scanning platform to scan skills that are being uploaded to ClawHub as part of a defense-in-depth approach to improve the security of the agentic ecosystem. The development comes as the cybersecurity community has raised concerns that autonomous artificial intelligence (AI) tools' persistent memory, broad permissions, and user‑controlled configuration could amplify existing risks, leading to prompt injections, data exfiltration, and exposure to unvetted components. This has also been complemented by the discovery of malicious skills on ClawHub , a public skills registry to augment the capabilities of AI agents, once again demonstrating that marketplaces are a gold mine for criminals who populate the store with malware to prey on developers. To make matters worse, Trend Micro disclosed that it observed malicious actors on the Exploit.in forum actively discussing the deployment of OpenClaw skills to support activities such as botnet operations. Another report from Veracode revealed that the number of packages on npm and PyPI with the name "claw" has increased exponentially from nearly zero at the start of the year to over 1,000 as of early February 2026, providing new avenues for threat actors to smuggle malicious typosquats. "Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but also across entire organizations," Trend Micro said . "Open-source agentic tools like OpenClaw require a higher baseline of user security competence than managed platforms." Bad Actors Are Using New AI Capabilities and Powerful AI Agents Traditional firewalls and VPNs aren’t helping—instead, they’re expanding your attack surface and enabling lateral threat movement. They’re also more easily exploited with AI-powered attacks. It’s time for Zero Trust + AI. Learn More ➝ 🔔 Top News German Agencies Warn of Signal Phishing — Germany's Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The attacks have been mainly directed at high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. The attack chains exploit legitimate PIN and device linking features in Signal to take control of victims' accounts. AISURU Botnet Behind 31.4 Tbps DDoS Attack — The botnet known as AISURU/Kimwolf has been attributed to a record-setting distributed denial-of-service (DDoS) attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds. The attack took place in November 2025, according to Cloudflare, which automatically detected and mitigated the activity. AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025. In all, DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour. Notepad++ Hosting Infrastructure Breached to Distribute Chrysalis Backdoor — Between June and October 2025, threat actors quietly and very selectively redirected traffic from Notepad++'s updater program, WinGUp, to an attacker-controlled server that downloaded malicious executables. While the attacker lost their foothold on the third-party hosting provider's server on September 2, 2025, following scheduled maintenance where the server firmware and kernel were updated. However, the attackers still had valid credentials in their possession, which they used to continue routing Notepad++ update traffic to their malicious servers until at least December 2, 2025. The adversary specifically targeted the Notepad++ domain by taking advantage of its insufficient update verification controls that existed in older versions of Notepad++. The findings show that updates cannot be treated as trusted just because they come from a legitimate domain, as the blind spot can be abused as a vector for malware distribution. The sophisticated supply chain attack has been attributed to a threat actor known as Lotus Blossom. "Attackers prize distribution points that touch a large population," a Forrester analysis said . "Update servers, download portals, package managers, and hosting platforms become efficient delivery systems, because one compromise creates thousands of downstream victims." DockerDash Flaw in Docker AI Assistant Leads to RCE — A critical-severity bug in Docker's Ask Gordon AI assistant can be exploited to compromise Docker environments. Called DockerDash, the vulnerability exists in the Model Context Protocol (MCP) Gateway's contextual trust, where malicious instructions embedded into a Docker image's metadata labels are forwarded to the MCP and executed without validation. This is made possible because the MCP Gateway does not distinguish between informational metadata and runnable internal instructions. Furthermore, the AI assistant trusts all image metadata as safe contextual information and interprets commands in metadata as legitimate tasks. Noma Security named the technique meta-context injection. It was addressed by Docker with the release of version 4.50.0 in November 2025. Microsoft Develops Scanner to Detect Hidden Backdoors in LLMs — Microsoft has developed a scanner designed to detect backdoors in open-weight AI models in hopes of addressing a critical blind spot for enterprises that are dependent on third-party large language models (LLMs). The company said it identified three observable indicators that suggest the presence of backdoors in language models: a shift in how a model pays attention to a prompt when a hidden trigger is present, almost independently from the rest of the prompt; models tend to leak their own poisoned data, and partial versions of the backdoor can still trigger the intended response. "The scanner we developed first extracts memorized content from the model and then analyzes it to isolate salient substrings," Microsoft noted. "Finally, it formalizes the three signatures above as loss functions, scoring suspicious substrings and returning a ranked list of trigger candidates." ‎️‍🔥 Trending CVEs New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient. Here are this week’s most critical flaws to check first — CVE-2026-25049 (n8n), CVE-2026-0709 (Hikvision Wireless Access Point), CVE-2026-23795 (Apache Syncope), CVE-2026-1591, CVE-2026-1592 (Foxit PDF Editor Cloud), CVE-2025-67987 (Quiz and Survey Master plugin), CVE-2026-24512 (ingress-nginx), CVE-2026-1207, CVE-2026-1287, CVE-2026-1312 (Django), CVE-2026-1861, CVE-2026-1862 (Google Chrome), CVE-2026-20098 (Cisco Meeting Management), CVE-2026-20119 (Cisco TelePresence CE Software and RoomOS), CVE-2026-0630, CVE-2026-0631, CVE-2026-22221, CVE-2026-22222, CVE-2026-22223, CVE-2026-22224, CVE-2026-22225, CVE-2026-22226, 22227, CVE-2026-22229 (TP-Link Archer BE230), CVE-2026-22548 (F5 BIG-IP), CVE-2026-1642 (F5 NGINX OSS and NGINX Plus), and CVE-2025-6978 (Arista NG Firewall). 📰 Around the Cyber World OpenClaw is Riddled With Security Concerns — The skyrocketing popularity of OpenClaw (née Clawdbot and Moltbot) has attracted cybersecurity worries. With artificial intelligence (AI) agents having entrenched access to sensitive data, giving "bring-your-own-AI" systems privileged access to applications and the user conversations carries significant security risks. The architectural concentration of power means AI agents are designed to store secrets and execute actions – features that are all essential to meet their objectives. But when they are misconfigured, the very design that serves as their backbone can collapse multiple security boundaries at once. Pillar Security has warned that attackers are actively scanning exposed OpenClaw gateways on port 18789. "The traffic included prompt injection attempts targeting the AI layer -- but the more sophisticated attackers skipped the AI entirely," researchers Ariel Fogel and Eilon Cohen said . "They connected directly to the gateway's WebSocket API and attempted authentication bypasses, protocol downgrades to pre-patch versions, and raw command execution." Attack surface management firm Censys said it identified 21,639 exposed OpenClaw instances as of January 31, 2026. "Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust," said Hudson Rock. "Without encryption-at-rest or containerization, the 'Local-First' AI revolution risks becoming a goldmine for the global cybercrime economy." Prompt Injection Risks in MoltBook — A new analysis of MoltBook posts has revealed several critical risks , including "506 prompt injection attacks targeting AI readers, sophisticated social engineering tactics exploi