Cybersecurity News & Analysis
github: defconxt
© 2026 blacktemple.net
Critical BeyondTrust RCE Exploited in Wild, Plus Supply Chain Attacks Hit Developer Tools

February 20, 2026 | Vulnerabilities & Exploits | 4 min read | critical

Originally reported by The Hacker News, SANS ISC, MSRC Security Updates

#beyondtrust #supply-chain-attacks #cve-2026-1731 #mimicrat #atm-jackpotting #trade-secret-theft #microsoft-updates

TL;DR

BeyondTrust RCE flaw actively exploited for web shells; Cline CLI supply chain attack installs OpenClaw; ClickFix campaign delivers new MIMICRAT RAT; plus fraud sentencing and ATM jackpotting.

Why critical?

CVE-2026-1731 in BeyondTrust products has a CVSS score of 9.9 and is being actively exploited for web shells, backdoors, and data exfiltration, representing an immediate risk to critical infrastructure.

BeyondTrust Critical Flaw Under Active Exploitation

Threat actors have weaponized a critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to The Hacker News. The flaw, tracked as CVE-2026-1731 with a CVSS score of 9.9, enables attackers to execute operating system commands within the application context.

The vulnerability is being exploited to deploy VShell web shells, establish backdoors, and conduct data exfiltration operations. Given BeyondTrust's deployment in enterprise environments for privileged access management, this represents a significant attack surface for lateral movement and credential harvesting.

Cline CLI Supply Chain Compromise

The AI-powered coding assistant Cline CLI fell victim to a supply chain attack on February 17, 2026, when an unauthorized party used a compromised npm publish token to release a malicious update. The compromised version 2.3.0 stealthily installed OpenClaw, a self-hosted autonomous AI agent that has gained popularity among developers.

The attack occurred at 3:26 AM PT, highlighting the vulnerability of developer toolchains to supply chain compromises through compromised publishing credentials. Organizations using Cline CLI should immediately audit their systems and update to clean versions.
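The audit the digest recommends starts with knowing whether the compromised release is anywhere in a project's dependency tree. The script below is an added example, not code from the digest or from the Cline project: it walks an npm lockfile (both the v2/v3 "packages" layout and the older v1 "dependencies" layout, including nested copies) and reports any entry matching a known-compromised package version. It assumes the Cline CLI is published on npm under the package name "cline" (an assumption); the version 2.3.0 is the one the digest names. The sample lockfiles embedded at the bottom are constructed for offline demonstration.

```python
"""Audit npm lockfiles for a known-compromised package version.

Added example, not code from the original digest or the Cline project.
The npm package name "cline" is an assumption; the version 2.3.0 is the
release the digest reports as compromised.
"""
import json

# name -> set of versions to flag. Package name is an assumption.
COMPROMISED = {"cline": {"2.3.0"}}


def iter_lock_entries(lock):
    """Yield (name, version) for every installed package in a package-lock.json.

    Lockfile v2/v3 stores a flat "packages" map keyed by install path;
    v1 nests "dependencies" by name, so it is walked recursively.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Paths look like "node_modules/@scope/name" or
            # "node_modules/a/node_modules/b"; the package name is whatever
            # follows the last "node_modules/".
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock):
    """Return sorted (name, version) pairs from the lockfile that are on the list."""
    hits = set()
    for name, version in iter_lock_entries(lock):
        if version in COMPROMISED.get(name, ()):
            hits.add((name, version))
    return sorted(hits)


def audit_lockfile(path):
    """Load a package-lock.json from disk and return its compromised entries."""
    with open(path, encoding="utf-8") as f:
        return find_compromised(json.load(f))


# Constructed sample (lockfile v3): a direct hit plus an older nested copy
# that must NOT be flagged.
SAMPLE_LOCK = {
    "name": "demo-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-project", "version": "1.0.0"},
        "node_modules/cline": {"version": "2.3.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/cline": {"version": "2.2.9"},
    },
}

# Constructed sample (lockfile v1): the compromised version hidden one level
# down as a transitive dependency.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "0.1.0",
            "dependencies": {"cline": {"version": "2.3.0"}},
        },
        "left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    import sys

    targets = sys.argv[1:]
    if not targets:
        print("v3 sample:", find_compromised(SAMPLE_LOCK))
        print("v1 sample:", find_compromised(SAMPLE_LOCK_V1))
    for target in targets:
        for name, version in audit_lockfile(target):
            print(f"{target}: {name}@{version} is on the compromised list")
```

Run it with one or more `package-lock.json` paths as arguments to scan real projects, or with no arguments to see it flag the constructed samples. Matching on the exact version rather than the package name alone keeps the report actionable: only trees that actually pulled the compromised release are reported, while a pinned earlier version is left alone.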

ClickFix Campaign Deploys MIMICRAT RAT

Cybersecurity researchers have identified a sophisticated ClickFix campaign leveraging compromised legitimate websites to deliver MIMICRAT (also known as AstarionRAT), a previously undocumented remote access trojan. The campaign demonstrates operational sophistication by using compromised sites across multiple industries and geographies as delivery infrastructure.

The multi-stage attack chain represents an evolution in social engineering tactics, where legitimate site compromise adds credibility to the initial infection vector before deploying the RAT payload.

Identity Cyber Scores Reshape Insurance Landscape

With one-third of cyber attacks now involving compromised employee accounts, cyber insurance providers are increasingly emphasizing identity posture assessments. Insurers are evaluating password hygiene, privileged access management, and multi-factor authentication coverage as core risk factors.

This shift reflects the reality that identity compromise has become a primary attack vector, forcing organizations to demonstrate mature identity security programs to maintain favorable insurance terms.

Ukrainian Sentenced in North Korean IT Worker Scheme

Oleksandr "Alexander" Didenko, a 29-year-old Ukrainian national, received a five-year prison sentence for facilitating North Korea's fraudulent IT worker program. Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft for stealing U.S. citizen identities and selling them to North Korean IT workers seeking employment in American companies.

The case highlights the ongoing challenge of North Korean revenue generation through remote work infiltration, requiring enhanced identity verification processes for remote hiring.

FBI Reports Surge in ATM Jackpotting Incidents

The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025 alone, resulting in over $20 million in losses last year. The technique involves physically or logically compromising ATMs to force cash dispensing without valid transactions.

The Department of Justice previously reported collective losses of $40.73 million from ATM jackpotting operations, indicating this remains a persistent threat requiring enhanced ATM security measures.

Former Google Engineers Indicted for Trade Secret Theft

Two former Google engineers and a spouse face indictment for allegedly stealing trade secrets from Google and other tech companies and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, her husband Mohammadjavad Khosravi, and sister Soroor Ghandali are accused of systematic intellectual property theft.

The case underscores insider threat risks at technology companies handling sensitive intellectual property, particularly regarding nation-state intelligence collection efforts.

Microsoft CVE Updates

Microsoft published informational updates for three CVEs, updating CWE classifications without changing the underlying vulnerability details:

  • CVE-2025-32711: M365 Copilot Information Disclosure Vulnerability
  • CVE-2025-55319: Agentic AI and Visual Studio Code Remote Code Execution Vulnerability
  • CVE-2025-65046: Microsoft Edge (Chromium-based) Spoofing Vulnerability

These updates represent administrative changes to vulnerability documentation rather than new security findings.

Sources

  • BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration
  • Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems
  • ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
  • Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026
  • Ukrainian National Sentenced to 5 Years in North Korea IT Worker Fraud Case
  • FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025
  • Former Google Engineers Indicted Over Trade Secret Transfers to Iran
  • CVE-2025-32711 M365 Copilot Information Disclosure Vulnerability
  • CVE-2025-55319 Agentic AI and Visual Studio Code Remote Code Execution Vulnerability
  • CVE-2025-65046 Microsoft Edge (Chromium-based) Spoofing Vulnerability
