End-of-Day report
Timeframe: Friday 27-02-2026 18:00 - Monday 02-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
News
Microsoft testing Windows 11 batch file security improvements
Microsoft is rolling out new Windows 11 Insider Preview builds that improve security and performance during batch file or CMD script execution.
https://www.bleepingcomputer.com/news/microsoft/microsoft-testing-windows-11-batch-file-security-improvements/
QuickLens Chrome extension steals crypto, shows ClickFix attack
A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/
UK warns of Iranian cyberattack risks amid Middle-East conflict
The United Kingdom's National Cyber Security Centre (NCSC) alerted British organizations to a heightened risk of Iranian cyberattacks amid the ongoing conflict in the Middle East.
https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/
A fake FileZilla site hosts a malicious download
A tampered copy of FileZilla quietly contacts attacker-controlled servers using encrypted DNS traffic that can slip past traditional monitoring.
https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download
FinanzOnline phishing: criminals threaten seizure of household goods
Oh dear: a seizure of household goods is supposedly imminent because an outstanding amount allegedly remained unpaid despite several reminders. That is exactly what an e-mail currently claims, purportedly sent by FinanzOnline. In fact, it is not a genuine payment request.
https://www.watchlist-internet.at/news/finanzonline-phishing-hausratpfaendung/
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
A high-severity CVE-2026-0628 in Chrome's Gemini allowed local file access and privacy invasion. Google quickly patched the flaw.
https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
84,000+ scanning sessions targeting SonicWall SonicOS infrastructure in four days. GreyNoise details a coordinated reconnaissance campaign using rotating proxy infrastructure.
https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure
Cultivating a robust and efficient quantum-safe HTTPS
Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (PLANTS), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography introduces into TLS connections requiring Certificate Transparency (CT).
https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html
Stop Putting Secrets in .env Files
[..] Why do we still store credentials in plaintext .env files?
https://jonmagic.com/posts/stop-putting-secrets-in-dotenv-files/
Fooling Go's X.509 Certificate Verification
Below are two X.509 certificates. The first is the Certificate Authority (CA) root certificate, and the second is a leaf certificate signed by the private key of the CA.
https://danielmangum.com/posts/fooling-go-x509-certificate-verification/
Agents attacking agents: AI-powered bot exploiting GitHub Actions
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub.
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
Vulnerabilities
Checkmk: high-risk cross-site scripting vulnerability in network monitoring software
The developers have released updated Checkmk versions. They close a cross-site scripting vulnerability rated at least high-risk.
https://www.heise.de/news/Checkmk-Hochriskante-Cross-Site-Scripting-Luecke-in-Netzwerk-Monitor-Software-11194483.html
Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension
On February 27 and 28, 2026, versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry under the aquasecurityofficial.trivy-vulnerability-scanner namespace. Socket identified suspicious behavior in these versions shortly after publication and began investigating the releases.
https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension
LWN Security updates for Monday
https://lwn.net/Articles/1060911/