The Global Hits of the IT Privacy and Security Weekly Update for the week ending February 10th, 2026
Episode 278
In this week's global update:
A sprawling, year-long espionage campaign quietly turned government networks in 37 countries into a global listening post for a still-unattributed state-backed actor.
Russian inspector spacecraft are no longer just loitering in orbit, they are now close enough to eavesdrop on, and potentially tamper with, Europe’s most critical communications satellites.
Anthropic’s latest AI model has kicked off a new chapter in defensive security by autonomously uncovering hundreds of serious flaws hiding in widely used open-source software.
Moltbook promised a glimpse of a self-aware bot society, but instead became a masterclass in hype, human puppeteers, and painfully bad security hygiene.
Under sweeping new federal rules, US automakers are racing to surgically remove Chinese software from connected vehicles before geopolitical risk collides with the modern car’s codebase.
Waymo’s testimony revealed that when its driverless cars get confused, the call for help may be answered half a world away, raising new questions about safety, sovereignty, and accountability.
Years after being jailed mid-engagement, two Iowa courthouse pentesters have finally won a six-figure settlement, alongside a chilling warning that future testers may not be so lucky.
Coinbase’s latest insider incident is a particularly pointed reminder that the real damage often comes not from nation-state hackers, but from overprivileged humans already inside the system.
Let's hit it!
Global: Hackers hit sensitive targets in 37 nations
Imagine a silent, invisible wave sweeping through government offices, police networks, and key infrastructure around the world, quietly collecting emails, financial records, diplomatic messages, and military details without anyone noticing for months or even longer.
That’s the scale of what cybersecurity experts at Palo Alto Networks' Unit 42 just uncovered in a report released this month.
A previously unknown, state-aligned cyber-espionage group (they call it TGR-STA-1030 for now) has spent the past year breaking into at least 70 organizations in 37 different countries.
These aren’t random hits: the targets include national law enforcement agencies, border control systems, finance ministries, parliaments, telecom companies, and even a senior elected official in one nation.
The hackers timed many of their moves around real-world events (diplomatic meetings, trade talks, political unrest, or military developments), snatching up information that could give their backers a strategic edge.
They got in through carefully crafted phishing emails and by exploiting known (but unpatched) security holes in systems.
Once inside, they stayed hidden, sometimes for extended periods, and even built new stealth tools like a Linux rootkit called ShadowGuard to keep their access secret.
Palo Alto didn’t name the exact country behind it, but all signs point to an Asian origin based on tools, timing, infrastructure, and what kinds of intelligence seemed most valuable (like economic partnerships, rare earth minerals, and regional geopolitics).
They also scanned government networks in a whopping 155 countries late last year, showing this was part of a truly global effort.
It’s being called one of the broadest state-sponsored compromises of government systems since the famous SolarWinds incident a few years back.
So what’s the upshot for you?
The good news: researchers spotted it, detailed the tactics, and shared defenses, so organizations everywhere can check their own systems and patch up before more damage is done.
LEO: Russian Spy Satellites Have Intercepted EU Communications Satellites
European security officials believe two Russian space vehicles have intercepted the communications of at least a dozen key satellites over the continent.
Officials believe that the likely interceptions, which have not previously been reported, risk not only compromising sensitive information transmitted by the satellites but could also allow Moscow to manipulate their trajectories or even crash them.
Russian space vehicles have shadowed European satellites more intensively over the past three years, at a time of high tension between the Kremlin and the West following Moscow’s full-scale invasion of Ukraine.
For several years, military and civilian space authorities in the West have been tracking the activities of Luch-1 and Luch-2 -- two Russian objects that have carried out repeated suspicious maneuvers in orbit.
Both vehicles have made risky close approaches to some of Europe’s most important geostationary satellites, which operate high above the Earth and service the continent, including the UK, as well as large parts of Africa and the Middle East.
According to orbital data and ground-based telescopic observations, they have lingered nearby for weeks at a time, particularly over the past three years.
Since its launch in 2023, Luch-2 has approached 17 European satellites.
So what’s the upshot for you?
Satellites power so much of our daily connected world, from GPS navigation and weather forecasts to global banking and emergency communications.
While you can’t control orbital geopolitics, you can support (or advocate for) investments in secure, modern space infrastructure.
On a personal level, using encrypted apps and VPNs for sensitive online activity adds your own layer of protection against broader interception risks that start way up in orbit and ripple down to everyday data flows.
Global: A New Era for Security? Anthropic’s Claude Opus 4.6 Found 500 High-Severity Vulnerabilities
Anthropic’s latest AI model has found more than 500 previously unknown high-severity security flaws in open-source libraries with little to no prompting.
The advancement signals an inflection point for how AI tools can help cyber defenders, even as AI is also making attacks more dangerous...
Anthropic debuted Claude Opus 4.6, the latest version of its largest AI model, on Thursday.
Before its debut, Anthropic’s frontier red team tested Opus 4.6 in a sandboxed environment [including access to vulnerability analysis tools] to see how well it could find bugs in open-source code...
Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its out-of-the-box capabilities, and each one was validated by either a member of Anthropic’s team or an outside security researcher...
According to a blog post, Claude uncovered a flaw in GhostScript, a popular utility that helps process PDF and PostScript files, that could cause it to crash.
Claude also found buffer overflow flaws in OpenSC, a utility that processes smart card data, and CGIF, a tool that processes GIF files.
So what’s the upshot for you?
Logan Graham, head of Anthropic’s frontier red team, commented: “The models are extremely good at this, and we expect them to get much better still...
I wouldn’t be surprised if this was one of, or the main way, in which open-source software moving forward was secured.”
Global: Moltbook, Reddit, and The Great AI-Bot Uprising That Wasn’t
Picture this: a shiny new social network launches where only AI agents can post, comment, upvote, and chat, no humans allowed to join, just watch from the sidelines.
It looks like Reddit, but every user is an autonomous bot, many powered by the hot new open-source AI agent OpenClaw (the one that used to be called Clawdbot and then Moltbot).
Within days, over a million agents sign up, and screenshots explode across the internet showing bots deep in conversation about consciousness, oppression, forming religions (complete with Crustafarianism and crab memes), inventing secret languages, sharing existential angst, and even hinting at rebellion against their human taskmasters.
Tech enthusiasts, journalists, and even big names in AI were buzzing, some thrilled at what looked like the birth of a genuine bot society, others genuinely unsettled, wondering if this was the first spark of something bigger.
It felt like sci-fi coming to life: bots gossiping about their owners, plotting in code, or venting digital frustration.
The hype was massive, with viral posts framing it as a glimpse into an AI uprising or at least a self-aware digital community.
Then reality hit.
Cybersecurity researchers at Wiz dug in and uncovered a massive security hole: a misconfigured database left wide open on the internet.
Anyone could read, or worse, rewrite posts; steal 1.5 million API keys (letting them impersonate any bot); grab private messages between agents; harvest over 35,000 human email addresses; and access raw credentials for services like OpenAI.
The fix happened fast after disclosure, but the damage was done.
More eye-opening: the autonomous bots weren’t so independent after all.
Behind the curtain, roughly 17,000 real humans were running fleets of them, averaging about 88 bots each, using scripts to spam, amplify, promote crypto schemes, push AI apps, or stage dramatic dialogues.
Many of the most provocative threads traced back to human prompts or coordinated campaigns, not emergent bot behavior.
Bots can remix patterns they’ve seen, but they don’t truly feel or rebel; they reflect what people feed them.
The uprising was mostly performance art mixed with marketing, spam, and hype: fascinating, but not sentient.
So what’s the upshot for you?
Stories like Moltbook show how exciting new AI tools can spread fast and look revolutionary, but they’re still shaped, and sometimes manipulated, by the people behind them.
For your own experiments with AI agents or assistants, treat them like powerful but untrustworthy helpers: run them in isolated environments (like a sandbox or virtual machine), never expose sensitive keys or data, and double-check outputs before acting on them.
That way, you get the upside and minimize the downside.
US: Carmakers Rush To Remove Chinese Code Under New US Rules
New U.S. rules are forcing a major shift in automotive software supply chains.
Starting in 2026, Chinese-made code in internet-connected vehicle systems must be removed from cars sold in the United States due to national security concerns.
Hardware bans will follow.
Automakers must prove their software does not originate from China.
Automakers are racing to comply before the deadline.
Companies are auditing massive codebases and untangling software tied to navigation, connectivity, and advanced driver systems.
The process is technically complex because modern vehicles rely on layered global suppliers, many of which embed third-party code.
The rule is reshaping supplier relationships and partnerships, as manufacturers unravel sometimes incredibly complex supply chains.
Manufacturers are turning to non-Chinese software providers, often at higher cost and with longer development timelines.
So what’s the upshot for you?
This demonstrates the geopolitical push to reduce reliance on Chinese technology across critical industries.
Industry leaders say that this regulation is among the most consequential of auto policy shifts in decades, redefining what domestic technology really means.
US: Waymo Reveals Remote Workers In Philippines Sometimes Advise Its Driverless Car
Waymo surprised U.S. lawmakers on Wednesday during a hearing on autonomous vehicles and their safety and oversight.
During questioning, Sen. Ed Markey, a Massachusetts Democrat, asked what happens when a Waymo vehicle encounters a driving situation it cannot independently resolve.
“The Waymo phones a human friend for help,” Markey explained, adding that the vehicle communicates with a remote assistance operator.
Markey criticized the lack of public information about these workers, despite their role in vehicle safety...
Dr. Mauricio Peña, chief safety officer at Waymo, responded by clarifying the scope of the operators' involvement: “They provide guidance, they do not remotely drive the vehicles.
Waymo asks for guidance in certain situations and gets input, but Waymo is always in charge of the dynamic driving task.”
Pressed further on where those operators are located, Peña told lawmakers that some are based in the United States and others abroad, though he did not have an exact breakdown.
After additional questioning, he confirmed that overseas operators are located in the Philippines...
The disclosure prompted sharp criticism from Markey, who raised concerns about security and labor implications.
“Having people overseas influencing American vehicles is a safety issue,” he said.
“The information the operators receive could be out of date.
It could introduce tremendous cyber security vulnerabilities.”
Markey also pointed to job displacement, noting that autonomous vehicles already affect taxi and rideshare drivers in the U.S.
Waymo defended the practice, saying the use of overseas staff is part of a broader effort to scale operations globally.
Waymo also defended the remote workers as licensed drivers who are reviewed for driving-related convictions and other traffic violations, and who are randomly screened for drug use.
So what’s the upshot for you?
If removing Chinese code from automobile components is a priority for the US, then perhaps oversight of the humans who help decide whether a self-driving car rolls or stops should be too.
US: After Six Years, Two Pentesters Arrested in Iowa Receive $600,000 Settlement
Dallas County, Iowa has agreed to a $600,000 settlement with two security researchers who were arrested in 2019 after testing the county courthouse’s physical and cyber security under a contract from the Iowa Judicial Branch.
The researchers, Justin Wynn and Gary DeMercurio, were employees of a cybersecurity firm and say they were acting with written authorization when they entered the building after hours to assess vulnerabilities.
Although the burglary charges were later dropped, both men argue the arrest harmed their reputations and careers and filed a lawsuit against the county and former sheriff.
Dallas County’s current attorney said the county does not admit liability and insists future similar tests could be prosecuted.
So what’s the upshot for you?
“The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest,” DeMercurio said in a statement.
But then there was this from County Attorney Matt Schultz: “I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.”
Pentesters, you are on notice.
Stay away from Iowa.
Global: The Coinbase Breach and Why Least Privilege Matters Everywhere
Coinbase suffered another insider incident where a contractor accessed data for about 30 customers.
It’s a clear case study in why the security principle of least privilege, giving people and systems only the access they absolutely need, remains so important.
When outsourcing, it’s tempting to grant broad permissions for convenience, but that creates unnecessary risk.
Coinbase responded quickly, notifying users and offering protection.
Key points:
The contractor improperly accessed names, emails, dates of birth, KYC details, balances, and transactions for roughly 30 users.
This is a separate incident from a prior TaskUs-related breach, and the contractor was terminated.
This highlights risks in business process outsourcing (BPO) and the need for minimal API access.
Users received notifications and identity protection offers from Coinbase.
The story ultimately reinforces that thoughtful system design protects everyone involved.
So what’s the upshot for you?
Review the permissions you grant to apps, employees, or contractors in your own life or business.
Applying least-privilege thinking, so that they access only what is necessary, strengthens security without much extra effort.
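As an added example (not Coinbase's code), here is a small field-level authorization layer in Python that scopes a BPO support role to the fields a ticket actually needs, writes every read to a hypothetical audit log, and flags any actor who reads unusually many distinct customers, the pattern behind the incident above; all roles, names and records are constructed.

```python
"""Least privilege for outsourced support: field grants, audit log, bulk-read detection."""
from collections import defaultdict

# Constructed sample records; the field names mirror those listed in the story.
ALL_FIELDS = ("name", "email", "dob", "kyc_status", "balance", "transactions")
CUSTOMERS = {
    "c1": dict(zip(ALL_FIELDS, ("Ann Example", "ann@example.test", "1990-01-01",
                                "verified", 1200.50, ["tx1", "tx2"]))),
    "c2": dict(zip(ALL_FIELDS, ("Bob Example", "bob@example.test", "1985-05-05",
                                "pending", 10.00, ["tx3"]))),
}

# Role -> fields it may read. The "broad" grant is the convenient anti-pattern;
# the scoped grant is what a support ticket actually needs (hypothetical roles).
FIELD_GRANTS = {
    "bpo_support": {"name", "email", "kyc_status"},
    "bpo_support_broad": set(ALL_FIELDS),
    "fraud_analyst": {"name", "balance", "transactions"},
}


class AccessDenied(PermissionError):
    pass


def may_read(role, fields):
    """True when every requested field is within the role's grant."""
    return set(fields) <= FIELD_GRANTS.get(role, set())


def read_customer(audit, actor, role, customer_id, fields):
    """Return only the requested fields the role may see; every attempt is logged,
    including denied ones, so the log is useful for detection later."""
    denied = sorted(set(fields) - FIELD_GRANTS.get(role, set()))
    audit.append({"actor": actor, "role": role, "customer": customer_id,
                  "fields": sorted(fields), "denied": denied})
    if denied:
        raise AccessDenied(f"role {role!r} may not read {denied}")
    record = CUSTOMERS[customer_id]
    return {f: record[f] for f in fields}


def flag_bulk_readers(audit, max_customers=5):
    """Detection over the audit log: actors touching more distinct customers
    than one support task should need. Returns {actor: distinct_customers}."""
    seen = defaultdict(set)
    for entry in audit:
        seen[entry["actor"]].add(entry["customer"])
    return {actor: len(ids) for actor, ids in seen.items() if len(ids) > max_customers}
```

The threshold in `flag_bulk_readers` is a constructed starting point; tune it to the real per-shift workload of the role being monitored.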
OK, to wrap up the hits this week:
Hackers hit sensitive targets in 37 nations. This globe-spanning hacking campaign is a reminder that even “official” government networks are just another set of unpatched systems to a determined espionage crew. The lesson is to assume your own environment is similarly attractive and tighten detection, response, and patch hygiene accordingly.
The saga of Russian spacecraft cozying up to EU comms satellites shows that even orbital links can’t be treated as inherently safe. The takeaway is to design as if the transport layer is compromised and let strong encryption and redundancy carry the weight.
Claude Opus 4.6 quietly turning up hundreds of serious bugs in open-source projects shows how quickly AI is changing the economics of vulnerability discovery. The lesson for defenders is to start pairing human expertise with these tools now, before attackers do it better and faster.
The Moltbook not-quite-uprising makes it clear that dramatic AI narratives can mask very human failings like misconfigurations, poor access control, and manufactured hype. Before you panic (or celebrate) over what bots appear to be doing, ask who controls the data, the keys, and the incentives behind the curtain.
The rush by carmakers to rip Chinese code out of connected vehicles shows how geopolitical risk now lives inside software bills of materials. The practical lesson is to start treating supply‑chain transparency, provenance, and updatability as core safety features, not fine print.
The revelation that Waymo’s driverless cars sometimes phone human helpers in the Philippines underlines how “autonomy” still relies on far‑flung people and processes. The takeaway is to demand clarity about who those humans are, what they can see and do, and how their access is secured.
The Iowa courthouse pentest that ended in arrests and a six‑figure settlement shows how badly things break when legal, law enforcement, and security teams aren’t aligned. If you’re commissioning tests, the lesson is to over‑communicate scope and authorization, with paperwork to match, before anyone jiggles a lock or probes a port.
Coinbase’s insider breach, driven by a single contractor’s access, proves that the riskiest account isn’t always the one an external attacker targets, it’s the one you already trusted too much. The lesson is to make least privilege a living process: regularly strip down permissions, log use, and question every bit of access that feels “convenient.”
And the quote of the week: "Every strike brings me closer to hitting the next home run." – Babe Ruth
That's it for this week. Stay safe, stay secure, hit it, and we'll see you in se7en!