# Top Stories
March 01, 2026
-
1. BleepingComputer (general, Feb 28): $4.8M in crypto stolen after Korean tax agency exposes wallet seed
South Korea's National Tax Service accidentally exposed a cryptocurrency wallet's mnemonic recovery phrase in an official press release, allowing hackers to steal 6.4 billion won ($4.8 million) worth of cryptocurrency from the seized wallet. This demonstrates how government agencies handling crypto assets can become high-value targets when operational security fails.
-
2. SecurityWeek (general, Feb 28): Canadian Tire Data Breach Impacts 38 Million Accounts
Canadian Tire suffered a data breach affecting 38 million customer accounts, exposing names, addresses, email addresses, phone numbers, and encrypted passwords. The massive scale makes this one of the largest retail breaches in recent history, highlighting the extensive personal data collected by major retailers.
-
3. Krebs on Security (threat-intel, Feb 28): Who is the Kimwolf Botmaster “Dort”?
KrebsOnSecurity investigates the identity of "Dort," the operator of the Kimwolf botnet, described as the world's largest and most disruptive botnet. Following disclosure in January 2026 of the vulnerabilities used to build the botnet, Dort has launched DDoS attacks, doxxing campaigns, and even caused a SWAT team to be sent to a security researcher's home.
-
4. The Hacker News (general, Feb 28): Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement
Truffle Security discovered nearly 3,000 Google Cloud API keys (prefixed with "AIza") embedded in client-side code that could be abused to authenticate to Gemini AI endpoints and access private data. The keys, originally meant as project identifiers for billing, gained unauthorized access to sensitive AI services when Gemini APIs were enabled.
-
5. BleepingComputer (general, Feb 28): QuickLens Chrome extension steals crypto, shows ClickFix attack
The Chrome extension "QuickLens - Search Screen with Google Lens" was removed from the Chrome Web Store after being compromised to push malware targeting cryptocurrency theft from thousands of users. The incident demonstrates a ClickFix attack vector where legitimate browser extensions are weaponized to deliver malicious payloads.
-
6. The Hacker News (general, Feb 28): ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
OpenClaw fixed a high-severity vulnerability dubbed "ClawJacked" that allowed malicious websites to connect to locally running AI agents via WebSocket and hijack control. The flaw affected the core OpenClaw gateway system without requiring any plugins or extensions, demonstrating risks in local AI agent architectures.
-
7. SecurityWeek (general, Feb 27): 900 Sangoma FreePBX Instances Infected With Web Shells
Attackers infected 900 Sangoma FreePBX instances with web shells by exploiting a post-authentication command injection vulnerability in the endpoint manager's interface. The widespread compromise of these business phone system servers creates persistent backdoor access for attackers in corporate networks.
-
8. The Hacker News (general, Feb 27): ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks
North Korean threat actor ScarCruft deployed new malware tools including a backdoor using Zoho WorkDrive for command-and-control communications and USB-based implants to breach air-gapped networks. The Ruby Jumper campaign demonstrates advanced techniques for crossing network segmentation boundaries through removable media.
-
9. SecurityWeek (general, Feb 27): Juniper Networks PTX Routers Affected by Critical Vulnerability
Juniper Networks released an out-of-band security update for Junos OS Evolved to patch CVE-2026-21902, a critical remote code execution vulnerability affecting PTX routers. The emergency nature of the patch suggests significant impact potential for enterprise and service provider networks using these high-end routing platforms.
-
10. The Hacker News (general, Feb 27): Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor
Researchers discovered a malicious Go module at github[.]com/xinfeisoft/crypto that impersonates the legitimate golang.org/x/crypto codebase while injecting code to harvest terminal passwords, create SSH persistence, and deploy the Rekoobe Linux backdoor. The supply chain attack targets developers using the popular Go programming language's cryptographic libraries.