“weekly threat bulletin – february 18th, 2026 cisa flags critical microsoft sccm flaw as exploited in attacks cisa has mandated u.s. federal agencies to secure their systems against a critical microsoft configuration manager vulnerability, cve-2024-43468, which is now activel…”
T1195.001 Compromise Software Dependencies and Development Tools
87%
“refs/heads/main/server/.env.example` to the network firewall and web proxy blocklists. - scan developer workstations and build servers for the existence of `startup.js` files in the specific persistence locations identified for windows, linux, and macos. - audit all …”
T1195.001 Compromise Software Dependencies and Development Tools
T1190 Exploit Public-Facing Application
82%
“/2026/02/backdoor-in-notepad.html https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/ https://www.theregister.com/2026/02/12/google_china_apt31_gemini/ wordpress plugin with 900k installs vulnerable to critic…”
T1195.001 Compromise Software Dependencies and Development Tools
81%
“a fabricated narrative around a blockchain and cryptocurrency exchange company, distributing a remote access trojan (rat) via 192 malicious packages across npm and pypi. the campaign began on may 2, 2025, on npm with the `graphalgo` package, later expanding to include package…”
T1195.001 Compromise Software Dependencies and Development Tools
77%
“do not correspond to a legitimate plugin or core update. compliance best practices - establish a formal vulnerability management program that includes automated scanning and a defined patching schedule for all third-party software, including wordpress plugins and themes. - depl…”
T1190 Exploit Public-Facing Application
70%
“enhance the it asset management program to maintain a real-time, accurate inventory of all software and systems, including versioning, to accelerate identification of vulnerable assets during future security incidents. notepad++ - cve-2025-15556 a critical vulnerability, …”
T1190 Exploit Public-Facing Application
69%
“com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://gbhackers.com/15200-openclaw-control-panels-exposed/ https://gbhackers.com/1-click-flaw-in-clawdbot/ https://gbhackers.com/openclaw-2026-2-12-rele…”
T1195.001 Compromise Software Dependencies and Development Tools
T1190 Exploit Public-Facing Application
44%
“(sccm/configmgr) instances as released by microsoft in october 2024. - use a vulnerability scanner to perform an authenticated scan of the network to identify all instances of microsoft configuration manager and confirm they are patched against cve-2024-43468. - audit the…”
T1587 Develop Capabilities
42%
“a fabricated narrative around a blockchain and cryptocurrency exchange company, distributing a remote access trojan (rat) via 192 malicious packages across npm and pypi. the campaign began on may 2, 2025, on npm with the `graphalgo` package, later expanding to include package…”
T1204.002 Malicious File
42%
“a fabricated narrative around a blockchain and cryptocurrency exchange company, distributing a remote access trojan (rat) via 192 malicious packages across npm and pypi. the campaign began on may 2, 2025, on npm with the `graphalgo` package, later expanding to include package…”
T1078.004 Cloud Accounts
36%
“-paced sessions and managed endpoints, are ill-equipped to handle these autonomous, continuously operating entities that bypass standard iam workflows and whose activity appears legitimate in logs. specific vulnerabilities include cve-2026-25253 (one-click token theft l…”
T1190 Exploit Public-Facing Application
36%
“##load of malicious php files. although exploitation is limited by a 24-hour key validity window, the feature is commonly used for site migrations. the issue was reported by lucas montes (nirox) to defiant on january 12, and the vendor, wpvividplugins, released a fix in versi…”
T1195.001 Compromise Software Dependencies and Development Tools
34%
“##vetted, third-party code. - configure and tune endpoint detection and response (edr) policies to detect and alert on suspicious process execution, such as scripts running from unusual user profile directories or processes making unexpected outbound network connections. - es…”
T1204.002 Malicious File
32%
“, `weighted-directed-graph`). a second-stage payload is downloaded from `hxxps[:]//raw[.]githubusercontent[.]com/johns92/blog_app/refs/heads/main/server/.env.example`, leading to the final rat payload that periodically fetches and execu…”
Summary
These are the top threats you should know about this week.