Zero-Day Week: Chrome Exploit, Spy Kit Sales to Russia, and the $35M Insider Betrayal
This was a week defined by zero-days: not just in the traditional sense of unpatched vulnerabilities, but in the erosion of trust at every layer of the stack. From a Chrome exploit already being weaponized in the wild, to a defense contractor executive selling exploit kits to Russian intelligence, to a commercial mobile spyware toolkit that makes nation-state capabilities available to anyone with a Telegram account, the message is clear: your attack surface doesn't care about your org chart.
Here's what happened, what it means, and what to do about it.
🔴 Chrome Zero-Day: CVE-2026-2441 Under Active Exploitation
What happened: Google on February 13th emergency-patched a high-severity use-after-free vulnerability in Chrome's CSS component. Tracked as CVE-2026-2441 (CVSS 8.8), the flaw allows remote code execution within Chrome's sandbox when a user visits a specially crafted page. Google confirmed the vulnerability is under active exploitation in the wild, making this the first Chrome zero-day of 2026.
Security researcher Shaheen Fazim reported the flaw on February 11th; Google turned around a patch in just two days.
Patched versions:
- Windows / macOS: 145.0.7632.75/76
- Linux: 144.0.7559.75
Why it matters: Use-after-free bugs in rendering engines are a bread-and-butter attack vector for advanced threat groups. The CSS component specifically handles layout parsing, meaning exploitation can be triggered by any page embedding malicious styling; no user interaction beyond visiting the page is required.
Action: Verify Chrome auto-update has deployed across your fleet. For managed environments, push the update via Group Policy or your MDM. If you're running Chromium-based browsers (Edge, Brave), monitor those vendors for their corresponding patches.
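One way to do the fleet check described above, as an added example that is not part of the original post: the script compares each host's reported Chrome build against the patched builds the post lists (taking .75 as the minimum where the post gives 75/76) and flags anything older. The inventory lines are constructed sample data in the shape an MDM or asset-inventory export might take ("hostname,platform,version"); hostnames and versions are illustrative only.

```python
"""Flag Chrome installs still below the CVE-2026-2441 patched builds."""
from typing import List, Tuple

# Minimum patched builds per platform, as listed in the post.
# The post gives 145.0.7632.75/76 for Windows/macOS; .75 is the lower bound.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '145.0.7632.76' (or 'Google Chrome 145.0.7632.76') into an int tuple."""
    token = text.strip().split()[-1]
    return tuple(int(part) for part in token.split("."))


def is_patched(platform: str, version: str) -> bool:
    """True when the installed build is at or above the patched build for that platform."""
    baseline = PATCHED[platform.lower()]
    return parse_version(version) >= baseline


def unpatched_hosts(inventory: str) -> List[str]:
    """Return hostnames whose Chrome build predates the fix.

    Hosts whose platform is not in PATCHED are flagged too, so an unknown
    platform never silently passes as patched.
    """
    flagged = []
    for line in inventory.strip().splitlines():
        host, platform, version = (field.strip() for field in line.split(","))
        if platform.lower() not in PATCHED or not is_patched(platform, version):
            flagged.append(host)
    return flagged


# Constructed sample inventory (not real hosts): hostname,platform,version
SAMPLE_INVENTORY = """\
ws-001,windows,145.0.7632.76
ws-002,windows,145.0.7632.59
mac-010,macos,145.0.7632.75
lnx-003,linux,144.0.7559.74
lnx-004,linux,145.0.7632.75
"""

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host}")
```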
🔴 Insider Sells 8 Zero-Day Exploit Kits to Russian Broker
What happened: The U.S. Department of Justice published a sentencing memorandum revealing that Peter Williams, former General Manager of Trenchant (a cyber subsidiary of defense contractor L3Harris), pleaded guilty to selling at least eight zero-day exploit components to a Russian broker widely identified as Operation Zero, a firm known to supply Russian government clients.
Williams, an Australian national, stole the exploits between 2022 and June 2025. These tools were developed exclusively for U.S. government and allied intelligence use. He received approximately $1.3 million in cryptocurrency, which he spent on luxury goods. The theft caused an estimated $35 million in losses to L3Harris and Trenchant.
Sentencing is scheduled for February 24th. Prosecutors are seeking 9 years in federal prison, $35 million in restitution, and deportation to Australia.
Why it matters: This case puts a number on the insider threat. Zero-day exploits intended for defensive intelligence work were sold to an adversary broker, effectively arming Russian offensive cyber operations with tools built on U.S. taxpayer dollars. It also exposes the fragility of the "trusted insider" model in classified cyber programs: one disgruntled employee with access can cause nine-figure damage and strategic intelligence loss.
Action: For organizations with access to sensitive exploit research or classified tooling, this is a stark reminder to enforce strict compartmentalization, behavioral analytics on privileged users, and data loss prevention controls on R&D networks. If you're in the cleared contractor space, expect updated counterintelligence requirements following this case.
🟡 ZeroDayRAT: Nation-State Mobile Spyware for Sale on Telegram
What happened: Security researchers have identified ZeroDayRAT, a commercial mobile spyware platform openly sold via Telegram that provides full device takeover capabilities for Android 5 through 16 and iOS up to 26 (including iPhone 17 Pro). The toolkit emerged in early February 2026 and requires zero technical expertise to operate.
Capabilities include:
- Live camera streaming (front and rear)
- Real-time screen recording and microphone access
- GPS tracking with historical location data
- Full keylogging with live screen preview
- SMS interception including OTP bypass (defeating SMS-based 2FA)
- Notification capture from WhatsApp, Telegram, Instagram
- Crypto wallet scanning and clipboard hijacking for transaction redirection
- Banking overlay attacks targeting Apple Pay, PayPal, and banking apps
Distribution is via smishing, phishing emails, fake app stores, and malicious links shared on messaging platforms.
Why it matters: The researchers describe ZeroDayRAT as a "complete mobile compromise toolkit" that rivals tools previously requiring nation-state investment. The commoditization of this level of mobile surveillance, available to anyone for a price on Telegram, collapses the barrier between targeted espionage and mass-market stalkerware. For enterprises, this means BYOD policies and MDM hygiene just became board-level concerns.
Action: Review your mobile threat defense posture. Ensure MDM solutions can detect sideloaded APKs and unauthorized profiles. Push user awareness training focused on smishing and fake app installs. If you're not already enforcing app-based TOTP or hardware keys for 2FA, SMS-based OTP is now effectively compromised as a second factor.
🟡 Password Managers Under the Microscope: 27 Attack Scenarios
What happened: Researchers from ETH Zurich and Università della Svizzera italiana published a study this week demonstrating 27 successful attack scenarios against major cloud-based password managers including Bitwarden, LastPass, Dashlane, and 1Password. The attacks ranged from integrity violations to complete organizational vault compromise.
Results by provider:
- Bitwarden: 12 attacks demonstrated, 7 leading to password disclosure
- LastPass: 7 attacks demonstrated, 3 leading to password disclosure
- Dashlane: 6 attacks demonstrated, 1 leading to password disclosure
- 1Password: multiple attacks via item-level encryption flaws
The critical finding: the researchers challenged "zero-knowledge encryption" claims by demonstrating that a malicious server operator could access stored passwords. Many attacks required only routine user actions: logging in, opening a vault, or viewing a credential.
Why it matters: Password managers are widely recommended as a security best practice, and they still are. But this research highlights that "zero-knowledge" marketing doesn't always survive contact with real-world cryptographic implementation. The attack model assumes server compromise, which is not theoretical; LastPass was breached in 2022 with encrypted vault data exfiltrated.
Action: Continue using password managers: they're still far better than password reuse. But enable MFA on the password manager itself (preferably hardware keys), avoid SMS-based 2FA, and consider self-hosted options (Vaultwarden) for high-security environments. Monitor vendor responses and patch timelines for the specific vulnerabilities disclosed.
🟡 Open Source Registries: "Dirt Poor" and Running on Fumes
What happened: At FOSDEM 2026, Michael Winser, co-founder of Alpha-Omega (a Linux Foundation security project), warned that open source package registries are severely underfunded. His assessment: a registry the size of Crates.io requires millions in talent and infrastructure just to operate, with costs projected to double by 2030. Meanwhile, AI-generated code is flooding registries with hundreds of thousands of malicious packages, and the registries lack the resources to screen them effectively.
Alpha-Omega, launched in 2022 with $5M from Google and Microsoft, performs significant security work for registries. But the broader ecosystem remains fragile: 60% of open source maintainers receive no compensation according to Tidelift's 2024 survey, and the cost of identifying malicious packages is rising exponentially.
Why it matters: Every enterprise runs on open source. npm, PyPI, Crates.io, Maven Central: these registries are single points of failure for global software supply chains. If they can't fund basic security screening, the next SolarWinds-scale event could originate from a typosquatted npm package uploaded by an AI-assisted attacker.
Action: Inventory your open source dependencies. Use tools like Snyk, Socket, or npm audit to flag suspicious packages. Consider contributing to OpenSSF or Alpha-Omega if your organization depends heavily on open source infrastructure. At minimum, pin dependency versions and review changelogs before updating.
This Week's Takeaway
The theme of the week isn't any single vulnerability; it's the erosion of trust assumptions. We trusted that our browser's CSS parser was safe. We trusted that cleared contractors wouldn't sell exploit kits. We trusted that "zero-knowledge" actually meant zero knowledge. We trusted that open source registries could police themselves.
Every one of those assumptions was challenged this week. The organizations that weather these storms are the ones that build verification into every layer, from endpoint patching cadence to insider threat monitoring to supply chain integrity checks.
Patch Chrome. Review your mobile threat posture. And maybe check who has access to your crown jewels.
For real-time patch risk scores and community sentiment analysis, check the Patches Dashboard.
