This Month in Cybersecurity - February 2026 edition
February brought a wave of major headlines, from state-sponsored cyber espionage and massive data breaches to the alarming rise of AI-powered malware and strict new platform regulations. Here is a roundup of the key cybersecurity developments reshaping the industry this month:
Notepad++ hit by suspected Chinese state-sponsored hackers
Notepad++ recently suffered a highly targeted supply-chain attack, likely orchestrated by Chinese state-sponsored actors, which lasted from June to early December 2025. Instead of altering the software’s source code, the attackers compromised Notepad++'s shared hosting server to intercept traffic and deliver tainted updates to a small, carefully selected group of victims by exploiting weak update verification controls in older versions of the app. The intrusion was fully stopped by December 2nd following a password rotation, prompting the Notepad++ team to migrate to a new hosting provider and significantly harden its update process, including strict certificate and signature verification, to prevent future interceptions.
| Date: | Feb 03, 2026 |
|---|---|
| Source: | Tech Radar |
| Author: | Sead Fadilpašić |
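The hardening the Notepad++ team describes above, strict signature verification of updates, comes down to one property: the key that validates an update must be pinned in the installed client, so a compromised hosting server that can only swap files cannot produce an update the client accepts. The following is an added illustration of that check, not the Notepad++ project's code; the Ed25519 signature scheme, the SHA-256 digest step and the sample payload are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when the downloaded update does not carry a
// valid signature from the key pinned in the installed client.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned key")

// VerifyUpdate checks a detached Ed25519 signature over the SHA-256 digest of
// the downloaded payload. Only after it returns nil may the installer run.
// The pinned key ships inside the client, never alongside the download.
func VerifyUpdate(pinnedKey ed25519.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinnedKey, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the vendor-side step, run on an offline signing host, not on
// the download server. It is included only so the example is self-contained.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// Demo signs a constructed sample payload, then simulates the hosting-server
// swap: the same signature is presented with altered bytes. It returns
// (genuine accepted, tampered accepted).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample installer bytes, not a real release")
	sig := SignUpdate(priv, genuine)
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01 // one flipped byte is enough; a real swap replaces everything
	return VerifyUpdate(pub, genuine, sig) == nil, VerifyUpdate(pub, tampered, sig) == nil
}

func main() {
	g, t := Demo()
	fmt.Printf("genuine accepted: %v, tampered accepted: %v\n", g, t)
}
```

Pinning the key is what distinguishes this from a check that merely fetches a signature or hash from the same server as the payload, which an attacker in control of that server can regenerate.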
European Commission discloses breach that exposed staff data
The European Commission recently disclosed a cyberattack targeting its mobile device management platform, which exposed staff names and phone numbers, though the devices themselves were not compromised. Contained within nine hours, the breach is suspected to be tied to critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. This incident is part of a broader wave of recent attacks exploiting the same Ivanti flaws to steal employee data from other European government institutions, including agencies in the Netherlands and Finland.
| Date: | Feb 09, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Sergiu Gatlan |
TikTok’s addictive design in breach of the Digital Services Act
TikTok’s addictive design features, including infinite scroll, autoplay, and its highly personalised recommender system, may violate the Digital Services Act (DSA). As a very large online platform, TikTok is required to assess and mitigate systemic risks, particularly to minors, yet its risk assessments and protective measures, such as screen time and parental controls, are insufficient and easy to bypass. The EU argues these design choices can push users into “autopilot mode,” potentially leading to compulsive use, and has suggested TikTok may need to fundamentally redesign parts of its platform. If the findings are confirmed, TikTok could face fines of up to 6% of its global annual revenue, marking a significant step in EU efforts to regulate addictive social media design.
| Date: | Feb 12, 2026 |
|---|---|
| Source: | Computer Weekly |
| Author: | Adele Zeynep Walton |
Odido data breach exposes personal info of 6.2 million customers
Dutch telecom provider Odido suffered a major cyberattack, compromising the personal data of roughly 6.2 million customers. Attackers breached a customer contact system, reportedly via social engineering, exposing names, contact details, IBANs, and official ID numbers, though passwords and billing records remained secure. Odido has since blocked unauthorized access, engaged external experts, and notified data protection authorities. The perpetrators remain unknown, and the stolen information has not yet surfaced publicly.
| Date: | Feb 12, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Lawrence Abrams |
Threat Actors Attacking OpenClaw Configurations to Steal Login Credentials
Security researchers have uncovered a new infostealer campaign targeting personal AI assistants by harvesting OpenClaw configuration files, marking a shift from traditional browser credential theft to full AI agent identity compromise. Instead of using a dedicated module, the malware relied on broad file-sweeping routines that captured sensitive directories, exfiltrating authentication tokens, cryptographic key pairs, gateway credentials, and memory files containing personal activity data. With access to files like device.json and openclaw.json, attackers can impersonate users within the AI ecosystem, bypass security checks, and potentially access encrypted logs and connected cloud services. The incident highlights how AI assistants are becoming a new attack surface, prompting calls for stronger protections such as encryption of configuration files, token rotation, monitoring of unusual file access, and network segmentation.
| Date: | Feb 17, 2026 |
|---|---|
| Source: | Cybersecurity News |
| Author: | Tushar Subhra Dutta |
Risk without borders: the malicious use of AI and the EU AI Act’s global reach
While the EU AI Act establishes strong compliance rules for legitimate businesses, it fundamentally lacks the teeth to stop bad actors from intentionally using AI for malicious purposes, such as state-sponsored cyberattacks or disinformation. Because the Act delegates the handling of these severe security threats to individual national governments rather than addressing them cohesively at the EU level, it risks undermining its own goal of becoming the global gold standard for AI regulation. Ultimately, as other global powers prioritize computing dominance over safety, the EU’s focus on corporate compliance over actual defense against malicious AI leaves Europe potentially vulnerable in the ongoing AI arms race.
| Date: | Feb 17, 2026 |
|---|---|
| Source: | Elcano Royal Institute |
| Author: | Paula Oliver Llorente |
Hacker accessed data from 1.2 million bank accounts, French Economy Ministry says
A hacker recently used stolen official credentials to access a French national database, exposing personal details, such as names, addresses, and bank account numbers, for 1.2 million accounts. Although this sensitive information was compromised, the French Economy Ministry confirmed that the hacker could not view account balances or execute financial transactions. In response to the breach, authorities have immediately blocked the unauthorized access, filed a criminal complaint, alerted the national data watchdog (CNIL), and will notify the affected individuals in the coming days.
| Date: | Feb 18, 2026 |
|---|---|
| Source: | Le Monde |
| Author: | Le Monde with AFP |
PromptSpy is the first known Android malware to use generative AI at runtime
In February 2026, ESET researchers uncovered “PromptSpy,” the first known Android malware to actively integrate generative AI into its execution flow to maintain persistence across different device models. The malware continually sends Google’s Gemini model XML dumps of the infected device’s screen and receives step-by-step instructions on how to “pin” itself in the Recent Apps list, allowing it to adapt to any manufacturer’s unique interface and prevent the system from terminating it. Operating primarily as a highly intrusive spyware and VNC module, PromptSpy can intercept lockscreen PINs, record video of screen activity, and grant threat actors full real-time remote control over the device. To further complicate matters, the malware aggressively defends itself by abusing Android Accessibility Services to place invisible overlays over system uninstallation buttons, forcing victims to reboot into Android Safe Mode just to remove the malicious application.
| Date: | Feb 19, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Lawrence Abrams |
Diesel Vortex Cybercrime Group Targets Global Logistics Sector and Steals 1,600+ Credentials
A cybercrime group known as “Diesel Vortex” orchestrated a sophisticated Phishing-as-a-Service campaign targeting freight and logistics companies across the U.S. and Europe, resulting in over 1,640 stolen credentials and significant financial fraud, including double-brokering and check theft. Operating under the internal brand “GlobalProfit,” the group utilized spearphishing, voice calls, and a clever “Dual-Domain Deception” technique, embedding hidden phishing frames within clean-looking typosquatted domains, to successfully bypass browser security warnings and intercept multi-factor authentication (MFA) codes in real time. Discovered by analysts at Have I Been Squatted through an exposed server directory, the massive operation highlights the critical need for the logistics sector to adopt hardware-bound security keys (like FIDO2) and aggressive DNS filtering to defend against these advanced, MFA-bypassing attacks.
| Date: | Feb 24, 2026 |
|---|---|
| Source: | Cybersecurity News |
| Author: | Tushar Subhra Dutta |
That’s all for this edition!
We’d love to hear your thoughts or any news you’ve spotted; drop into the Passbolt community forum and join the conversation.