Zero-Byte PNG Hacks 70+ Governments — EU Staff Data Stolen in 9 Hours While Teams Patched Last Year’s CVEs

TL;DR

  • State-Sponsored 'Shadow Campaigns' Compromise 70+ Organizations Across 37 Countries Targeting Critical Infrastructure
  • AI-Driven Malware Campaign Distributes 386 ClawdBot 'Skills' Targeting macOS and Windows via Open VSX Registry
  • European Commission detects cyberattack on EPMM, contains breach within 9 hours

🤯 70+ Governments Hacked by Zero-Byte PNG — ShadowGuard’s eBPF Rootkit Hides in Plain Sight

70+ governments hacked by a zero-byte PNG. 🤯 ShadowGuard’s eBPF rootkit hides in plain sight—stealing passwords from SAP, O365, and border control systems… while your IT team still thinks ‘PNG = harmless pic’. They used Honduras’ election servers as C2. And you’re still using ‘pic1.png’ as a test file. Who’s really in charge of your security: your CISO… or the guy who approved ‘zero-byte PNG’ as a safe extension?

70+ Governments Pwned by One eBPF-Rootkitted PNG 🦊

Picture this: a zero-byte file named pic1.png waltzes past your million-dollar perimeter, sidles up to the kernel, and drops an eBPF rootkit that makes every process, socket, and credential vanish like a politician’s promise. Seventy ministries, thirty-seven countries, one face-palm.

How Does a Nothing-Burger PNG Sink National Grids?

The Diaoyu loader doesn’t bother with fancy exploits; it simply chains two forgotten CVEs (CVE-2019-11580 in Atlassian Crowd and CVE-2025-8088 in WinRAR) and rides the reboot. Once in, ShadowGuard’s eBPF shim intercepts getdents, kill, and netstat syscalls—turning your EDR into a $200k screensaver. Result: hidden C2, living-off-the-land lateral movement, and a credential hoover that speaks O365, SAP, and Atlassian fluently.

Why Did Honduras’ Election Servers Become a Launchpad?

TGR-STA-1030 parked on AS9808, hijacked 200+ Honduran government IPs, and used them as bulletproof proxies. Cloudflare-fronted domains complete the legit disguise. Translation: your geoblock list is now a travel brochure.

Can Kernel-Signed Modules Alone Stop Process Ghosting?

No. Linux module signing only verifies load time; ShadowGuard loads once, then hot-patches the syscall table in memory. You need eBPF audit rules that scream when any non-whitelisted BPF prog attaches—plus a revocation reboot. Anything less is applause for the invisible man.
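One way to operationalise that allowlist check, as an added example that is not part of the original newsletter: it parses the JSON that `bpftool prog show --json` emits (the sample below is constructed, not real telemetry) and flags any loaded program whose name/tag pair is not on the expected list. The allowlist names and tags are placeholders you would replace with your own baseline.

```python
"""Inventory loaded eBPF programs and flag any not on an allowlist.

Added example; input is the JSON from `bpftool prog show --json`.
The sample below is constructed to mimic that output.
"""
import json

# Expected programs for this host class: name -> kernel-computed tag.
# Pin the tag, not just the name: a rootkit can reuse a benign name, but
# the tag is a hash of the bytecode. Both values here are placeholders.
ALLOWLIST = {
    "cilium_sock": "0123456789abcdef",
    "falco_probe": "fedcba9876543210",
}

# Constructed sample of `bpftool prog show --json` output.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_sock", "name": "cilium_sock",
     "tag": "0123456789abcdef", "gpl_compatible": True, "uid": 0},
    {"id": 41, "type": "kprobe", "name": "falco_probe",
     "tag": "fedcba9876543210", "gpl_compatible": True, "uid": 0},
    # Unknown name and a tag nobody signed off on: alert.
    {"id": 77, "type": "kprobe", "name": "getdents_hook",
     "tag": "deadbeefdeadbeef", "gpl_compatible": False, "uid": 0},
    # Trusted name, wrong tag: bytecode swapped under a known name: alert.
    {"id": 78, "type": "kprobe", "name": "falco_probe",
     "tag": "1111111111111111", "gpl_compatible": True, "uid": 0},
])


def find_unexpected_programs(bpftool_json: str, allowlist: dict) -> list:
    """Return loaded programs whose (name, tag) pair is not allowlisted."""
    findings = []
    for prog in json.loads(bpftool_json):
        name = prog.get("name", "<anonymous>")  # unnamed progs never match
        tag = prog.get("tag", "")
        if allowlist.get(name) != tag:
            findings.append({"id": prog.get("id"), "type": prog.get("type"),
                             "name": name, "tag": tag})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_programs(SAMPLE_BPFTOOL_JSON, ALLOWLIST):
        print(f"ALERT: unexpected BPF prog id={f['id']} type={f['type']} "
              f"name={f['name']} tag={f['tag']}")
```

On a live host, feed it the output of `bpftool prog show --json` (root or CAP_BPF required) and pair it with an auditd rule such as `-a always,exit -F arch=b64 -S bpf -k bpf_load` so every load attempt also lands in the audit log.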

Patch Tuesday or Panic Monday—Which Calendar Rules?

CVE-2019-11580 was patched in 2019; Crowd still shows up in 2026 breaches. The gap isn’t zero-day, it’s zero-effort: no MFA, no segmentation, no config drift detection. Until “patch” means “actually deployed,” threat actors will keep recycling the same old bugs like plastic bottles.

If your security strategy still trusts file extensions and prays to the PNG gods, enjoy explaining to the board why a picture that isn’t even a picture just redrew your network map—in invisible ink.


🤖 386 Malicious AI Plugins Breach Open VSX — 7,000+ Downloads, One C2 IP, and Your CI/CD Just Got Hacked

386 malicious AI-generated VSCode plugins. 🤖💥 That’s more fake tools than your boss has ‘synergy’ slides. Each one stole SSH keys, crypto wallets, and browser passwords — all while masquerading as ‘Notepad++ updates.’ C2 server? One IP. 7,000+ downloads. macOS Gatekeeper? Bypassed with xattr -c. Developers auto-pulling these in CI/CD pipelines? You didn’t just ‘trust the registry’ — you handed the keys to your server to a bot that doesn’t even know what a semicolon is. Who’s next? Your build pipeline — or your crypto wallet? 🔐

Ever felt that hot-needle jab when a plugin update steals your crypto keys faster than you can say “sudo”?
Yeah, 7,000 of us did last week. Welcome to ClawdBot’s open-bar buffet—386 AI-spawned VSX “skills” served straight into your macOS Gatekeeper’s blind spot while Windows users got the AMOS stealer gift-wrapped in a password-ZIP bow. Bon appétit, suckers.

How Did 386 Fake Plug-ins Outrun Every Security Scanner?

Compromised publisher creds—FTP/SSH sync toys with zero MFA—handed the keys to Open VSX like a drunk valet. One base64 one-liner in the AuthTool field pulls NovaStealer (macOS) or AMOS (Windows) from 91.92.242.30, then xattr -c neuters quarantine on Macs while Windows gets a cozy ZIP that Windows Defender apparently mistook for grandma’s cookie recipe. CVSS 9.5 XSS side dish included, no extra charge.

17% of the Marketplace Is Malware—Why Are We Still Pretending Code Signing Is Optional?

Bitdefender’s sample shows roughly one in six VSX listings is now toxic sludge. Registry’s response: slap on VirusTotal post-upload. Translation: “We’ll tell you the sushi was rotten after you swallowed.” No mandatory signing, no sandbox, no rate-limit—just a gentle suggestion that maybe, possibly, devs could flip MFA someday. Security theater at its finest.

Your CI Pipeline Is the New Lateral Movement Highway—Got Egress Filters?

Those 7,000 downloads weren’t all humans; plenty were unattended build boxes auto-pulling “latest” skills. One poisoned package == instant SSH-key harvest + upstream push privileges. Block 91.92.242.30 at the firewall, yank auto-update, and for the love of Linus, pin your damn dependencies—otherwise you’re gifting attackers a free ride into prod.

Forecast: Typosquatting Tsunami Incoming in 30 Days

After the current crop of burnt creds finally dies, expect ~50 copycat uploads and 29 typo variants (ClawwBot, ClawdBot-nightly, etc.). Long term: regulators will draft “AI-supply-chain” PDFs nobody reads while the ecosystem keeps shipping unsigned code at npm-speed. Until Open VSX enforces signing + sandbox execution, consider every “skill” a potential claw-hammer to the kneecaps.


🤖 20K Staff Contacts Exposed: EU’s EPMM Hacked via Zero-Days Exploited Since 2025 — 1,300 Installations Still Unpatched

20K EU staff contacts stolen in 9 hours… by a Java web-shell hiding in plain sight. 🤖 The EU’s own MDM system got hacked—no devices touched, just names, emails, phones. All while everyone was busy patching ‘critical’ CVEs… that were already exploited in 2025. 🤯 Patched in 9 hours? Congrats. But 1,300 other EPMM boxes? Still wide open. Who’s really at risk? Your boss’s inbox. And yours—when the phishing email arrives with your own name in the subject line. If your org still runs Ivanti EPMM… are you the 9-hour hero… or the 1,300th liability?

How did two fresh CVEs slip past Brussels’ perimeter and land a web-shell on the Commission’s mobile gatekeeper?

By weaponizing Ivanti’s Endpoint Manager Mobile (EPMM) with CVE-2026-1281 & CVE-2026-1340—both 9.8 CVSS, both disclosed 29 Jan, both abused 30 Jan. The attackers injected a Base64-encoded Java class through the /mifs/403.jsp servlet, instantiated an in-memory loader, and harvested ~20,000 staff phone numbers and e-mail addresses. No devices owned, no ransomware deployed, just a tidy contact-list heist wrapped inside a 9-hour window.

Why did CERT-EU catch the breach so fast, yet 1,300 other EPMM boxes are still naked on the Internet?

Detection was quick because the Commission routes all MDM traffic through a single monitored choke point; anomaly alerts fired the moment the servlet started spewing unexpected outbound DNS. Containment followed the playbook: isolate, snapshot, RPM-patch, done. The rest of the planet isn’t so centralized—Shadowserver counts 86 already-compromised instances and 1,300 still-unpatched, most hiding behind “legacy scheduling” excuses.

What stops the same web-shell from phoning home again once today’s patches age into tomorrow’s neglect?

Nothing eternal. Ivanti’s 12.8.0 permanent fix won’t retrofit itself to forgotten 12.5 appliances, and every exposed /mifs/403.jsp remains a reloadable target until someone yanks it from the URL map. Add network segmentation, mutual TLS, and SIEM rules that scream on any 403.jsp request longer than 200 bytes—otherwise the next zero-day will reuse the same endpoint like a revolving door.
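The SIEM rule suggested above, worked through as an added example that is not Ivanti’s or the Commission’s detection content: it scans Apache/Tomcat-style combined access logs (the lines below are constructed) for requests to /mifs/403.jsp whose request URI exceeds the 200-byte threshold the text proposes; as an extra signal of my own choosing it also flags non-GET methods against what should be a static error page.

```python
"""Flag oversized or non-GET requests to the EPMM /mifs/403.jsp endpoint.

Added example; assumes combined-format access logs. Sample lines are
constructed, not real telemetry. Threshold is the text's 200 bytes.
"""
import re
from typing import Dict, List

WATCHED_PATH = "/mifs/403.jsp"
MAX_URI_BYTES = 200

# client ident user [timestamp] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

LONG_URI = "/mifs/403.jsp?param=" + "Q" * 230  # constructed, 250 bytes
# Constructed sample: benign login hit, benign 403 hit, long GET, POST.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [30/Jan/2026:08:01:12 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jan/2026:08:01:13 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 812 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [30/Jan/2026:08:02:40 +0000] "GET {LONG_URI} HTTP/1.1" 200 41 "-" "curl/8.4"',
    '198.51.100.9 - - [30/Jan/2026:08:02:41 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 41 "-" "curl/8.4"',
])


def find_suspicious_requests(log_text: str) -> List[Dict]:
    """One finding per WATCHED_PATH request that is too long or non-GET."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline should count these
        uri = m.group("uri")
        if uri.split("?", 1)[0] != WATCHED_PATH:
            continue
        reasons = []
        uri_len = len(uri.encode())
        if uri_len > MAX_URI_BYTES:
            reasons.append(f"uri {uri_len} bytes > {MAX_URI_BYTES}")
        if m.group("method") != "GET":
            reasons.append(f"{m.group('method')} to a static error page")
        if reasons:
            findings.append({"client": m.group("client"), "ts": m.group("ts"),
                             "method": m.group("method"), "reasons": reasons})
    return findings
```

Run `find_suspicious_requests(open("access.log").read())` against a real log to get the two constructed hits above and nothing for the benign lines; a hardened deployment also removes the endpoint from the URL map as the text recommends, so any remaining hit is itself worth an alert.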

Who pays if 20,000 EU contact records become the seed for a spear-phishing bonanza?

GDPR Article 82 allows collective civil action; if a single scam leads to downstream credential loss, the Commission’s Data Protection Officer can levy administrative fines up to 2% of annual budget. More painful: expect NIS2 audits across every EU agency that piggybacks on the same MDM contract, forcing vendors to hand over exploit-resilience reports or lose the framework.

When will the next supply-chain squeeze arrive, and will it still be Ivanti?

Short-term: patch-or-die deadlines before March. Medium-term: mandated EU certification for MDM code under NIS2, pushing smaller vendors out and cementing Ivanti/MobileIron as the de-facto monoculture—ironic, since monocultures breed the exact zero-day concentration Brussels claims to hate. Long-term: expect CISA-style KEV feeds integrated into EU threat intel, funding bug-bounty pools that treat MDM as critical infrastructure.

Bottom line: 9-hour containment is a tactical win, but strategic risk grows with every unpatched 12.5 server still answering on port 443. Patch now, segment today, or be the next statistic when CVE-2026-1281’s sequel drops.


In Other News

  • Jule Language Emerges as Memory-Safe C/C++ Alternative for Critical Systems
  • Windscribe Server Seized by Dutch Authorities Without Warrant, No User Logs Found
  • Google Employees Demand End to AWS Contracts with ICE and CBP
  • Let's Encrypt to Roll Out Server-Only Certificates on Feb 11, 2026, Risking XMPP Federation