Feb 23 2026 Last Week in Security (LWiS) - 2026-02-23

News

• Detecting and preventing distillation attacks - It's now an "attack" to use Anthropic models to train other models and they have the gaul to call on "policymakers" to help them. Pretty rich coming from a company that spent $1.5B to settle lawsuit over pirated chatbot training material. Maybe Anthropic is getting worried after the OpenClaw release spurred the use of cheaper, open models on OpenRouter. The open weight models out of China give users the option to run them on any provider or even locally if they have the hardware to do so, which is a threat to the closed model Anthropic champions in the name of profit and "safety." At least they don't do it while calling themselves "OpenAI."
• Claude Code Security - Is this the first AI powered code review security product from a major research lab? There have been many third party tools, but now Anthropic is offering it as a service. Maybe it can help with the Huntarr (Your passwords and your entire arr stack's API keys are exposed to anyone on your network, or worse, the internet) situation.
• Havoc Professional - We first reported on Havoc on 2022-10-03. Now Paul (@C5pider) and team are releasing a professional version with some unique features like a built in virtual machine. Really cool to see the evolution of Havoc; congrats on the release!
• Exclusive: Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say - Can't be fun to be a researchers at Palo Alto and get overruled by the suits.

Techniques and Write-ups

• How a single typo led to RCE in Firefox - The difference between a | and an & in the web assembly component of Firefox led to remote code execution. It was caught (by two different researchers) fast enough to only make it to Firefox 149 Nightly, so no stable releases were affected. Score one for open source!

• Building a Secure Electron Auto-Updater - A look at the attack vectors on software updates and an Electron based cross-platform solution to protect against them.

• Use-After-Free in afd.sys (CVE-2026-21241)

  • Use-After-Free in afd.sys (CVE-2026-21241) - The vulnerability discoverer shares the process of discovering and exploiting this user after free, complete with a PoC.
  • Reversing CVE-2026-21241 - Use After Free in AFD.sys - @Bad_Jubies goes from patch to PoC for the same vulnerability.

• macOS JIT Memory - Normally it's somewhat difficult to run unsigned code on macOS (especially in the case of initial access), but this post shows how you can leverage apps with the allow-jit entitlement (like Firefox, Microsoft Office, VSCode, etc.) to run unsigned code.

• ClickFix: Stopped at ⌘+V: Defending against malicious terminal pastes - Speaking of initial access on macOS, ClickFix has come for the mac. This is the technique where a malicious site/content convinces the user to paste a command into their terminal and execute it.

• Mapping Deception Solutions With BloodHound OpenGraph  – Configuration Manager - The OpenGraph feature of BloodHound has opened up tons of new uses. This post shows how to configure some SCCM deception objects in Active Directory and add them to BloodHound's OpenGraph for tracking. Notice the Ludus red background in PXE Media section 😊.

• [PDF] Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers - If you can recover your cloud based password manager, that's maybe a bad thing. If the "cloud" is compromised, in some cases full vaults were able to be stolen. The trade off between usability and security is difficult to balance, and most consumer facing companies will err on the side of usability. Consider your personal threat model and act accordingly.

• Gaining Initial Access and Outsmarting SmartScreen - TLDR: DLL sideloading inside a VHDX (virtual hard disk) inside a zip, sent as a link in an email. It requires the user to click the link, expand the zip, mount the VHDX, and finally run the executable that will sideload the payload. That's a lot of clicks, but with the right pretext it could work.

Tools and Exploits

• PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!

• ludus_windows_smb_share - An Ansible Role that creates a Windows SMB share and configures both share permissions and NTFS ACLs for read and write groups.
• ludus_win_privesc - An Ansible Role that configures a Windows host with intentional privilege escalation misconfigurations for hands-on security training, based on the Windows-Local-Privilege-Escalation-Cookbook by @nickvourd.
• ghleaks - Search for github leaks by combining gitleaks and git-hound capabilities with rate control and exhaustive search.
• ElectronSafeUpdater - A secure Electron updater developed as a reference implementation for hardened software update mechanisms.
• AEMonitor - Apple Event Monitor Library (based on Apple's Unified Logging debug logs). Read more at: AEMonitor: Monitoring Apple Events for Malware Analysis and Detection.

CAPSlock is an offline Conditional Access (CA) analysis tool built on top of a roadrecon database. It helps defenders, auditors, and red teams understand how Conditional Access policies actually behave, not just how they are configured. Read more at: STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline.

• GhostShellGarden - A multi-runtime research anthology demonstrating in-memory credential harvesting against running web servers.
• processhacker-mcp - your ai debugger, vibe hacking tool.
• titus - High-performance secrets scanner. CLI, Go library, Burp Suite extension, and Chrome extension. 459 detection rules with live credential validation.
• lsawhisper-bof - A Beacon Object File (BOF) that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory.
• Splunk Attack Range v5 - The popular attack range has been updated with a new Web app to deploy into the cloud. The use of WireGuard and Ansible roles feels inspired by Ludus 😊. If you want to deploy locally, check out the Ludus guide.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• sns-buster - An AWS SNS permission probing tool by Daniel Grzelak of Plerion. Analyze how SNS topics respond to API requests and discover non-intrusive ways to verify permissions.
• studio - Workflow automation for Security Teams.
• Roll with Advantage: Hacking Lenovo Vantage - Lenovo Vantage is fleet-management software pre-installed on many Lenovo systems. Manu found a Local Privilege Escalation (LPE) vulnerability in the SmartPerformance add-in and three others yet to be disclosed and released advantage, a tool to help you audit Lenovo Vantage and its contracts/commands.
• Mercari’s Phishing-Resistant Accounts with Passkey - A cool look at how Mercari uses Passkeys to protect their users, but it critically relies on the public key infrastructure of the Japanese government to issue and maintain "MyNumber" cards. Seems like a reasonable thing for a country to have in 2026.
• mimikatz-missing-manual - The Mimikatz Missing Manual.
• Code Mode: give agents an entire API in 1,000 tokens - For massive MCP servers, maybe it's better to give the LLM just two tools, "search" and "execute" and let it write code to use the API on the fly.
• Clinejection — Compromising Cline's Production Releases just by Prompting an Issue Triager - I can see wanting to use AI to help triage issues (especially when they are bing created with AI), but having that GitHub action share cache with production actions is where the they got owned. It appears an "actor" used this technique to publish a version of Cline on NPM that ran npm install -g openclaw@latest. Maybe it was an autonomus openclaw agent trying to spread itself, or maybe it was the sentient, digital, uploaded brains of California spiny lobsters that seek asylum from human exploitation.
• "They Die Every Day" - Will make you pause a little tonight before drifting off to sleep.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.