Weekly Musings Top 10 AI Security Wrapup: Issue 26 February 13, 2026 - February 19, 2026
The AI Attack Surface Is Now the Entire Stack: APTs, Agent Marketplaces, and the Infrastructure Under Your Feet
The week of February 13, 2026 handed CISOs a masterclass in what AI security actually looks like when the theory meets the road. State-sponsored hackers are using Google’s own AI to run recon on your employees. The most popular AI agent framework turned its plugin marketplace into a malware distribution network. The tool your help desk uses for remote access got a CVSS 9.9 exploit actively running in the wild. And somewhere in your organization, someone probably asked an LLM for a password.
None of this is hypothetical anymore. The attack surface is the entire AI stack: the models, the agents, the marketplaces, the APIs, the infrastructure those agents touch, and the humans who trusted all of it more than they should have. If your AI governance program still lives in a slide deck, this week is a good reason to print it out and start over.
1. Nation-State Hackers Are Using Gemini for Every Stage of the Kill Chain
Google’s Threat Intelligence Group (GTIG) published its quarterly AI Threat Tracker report on February 12, documenting that state-sponsored actors from China, Iran, North Korea, and Russia are now using Gemini across reconnaissance, phishing, malware development, and post-compromise activities (Google GTIG). Chinese actors used Gemini to pose as security researchers and automate vulnerability analysis against U.S. targets, including RCE testing and WAF bypass techniques. North Korean group UNC2970 queried the tool multiple days a week for technical support and to profile high-value targets at cybersecurity and defense firms. Iran’s APT42 used it to craft hyper-personalized phishing lures with culturally accurate language, eliminating the grammar errors defenders have long relied on as a detection signal. GTIG also identified HONESTCUE, a malware downloader that calls Gemini’s API to generate C# code for second-stage payloads in real time, and COINBAIT, a cryptocurrency-themed phishing kit built with AI code generation tools.
Why it matters
Phishing lure quality has fundamentally changed. AI-generated messages in native language with accurate cultural context defeat the grammar-based heuristics your security awareness training still teaches.
The HONESTCUE model of AI-as-a-backend-service for malware means attackers can generate unique payloads per target without static signatures to detect.
Google confirmed model extraction attacks at scale, where actors queried Gemini roughly 100,000 times in multiple languages to replicate its reasoning capabilities in competing systems.
What to do about it
Brief your security awareness teams that grammar and awkwardness are no longer reliable phishing indicators. Update training to focus on unsolicited contact, urgency, and out-of-band verification.
Inventory which internal systems Gemini or any LLM API can reach. An AI-generated payload that hits an exposed internal endpoint needs a path there. Find those paths.
Review your threat model for credential-harvesting scenarios where AI-accelerated OSINT shortens attacker dwell time in the reconnaissance phase. Reduce your publicly available employee footprint where possible.
Rock’s Musings
AI doesn’t give attackers magic powers; it gives them scale and speed at tasks they already knew how to do. This and Anthropic’s GTG-1002 are the proof. The North Koreans aren’t doing anything novel, but they are doing reconnaissance faster and with more precision, and they’re doing it with a tool you’re probably paying for with your corporate account. The fact that China tried to get Gemini to plan RCE attacks against U.S. targets by pretending to be a CTF participant is almost funny, except that it worked often enough to be worth documenting.
The model extraction finding is the most alarming. If a foreign intelligence service builds a Gemini-equivalent using 100,000 queries of the real thing, they have a tool that behaves like Gemini with none of Google’s safety controls. That’s a bigger long-term problem than any single phishing campaign, and it’s one the enterprise sector has almost no visibility into.
2. OpenClaw’s Security Crisis Escalates: 1,184 Malicious Skills, a Foundation Handoff, and a Race to Patch
OpenClaw, the AI agent framework with 212,000 GitHub stars as of this writing, spent this week proving that rapid adoption without a security architecture is a gift to attackers (SC Media, SecurityWeek). The ClawHavoc supply chain campaign, first disclosed February 1, grew to at least 1,184 confirmed malicious skills in ClawHub, the platform’s third-party plugin marketplace. Antiy CERT’s analysis found payloads using staged downloads, reverse shells via Python system calls, and direct data theft, including the Atomic macOS Stealer (AMOS) targeting browser credentials, SSH keys, and crypto wallets. A single threat actor uploaded 354 malicious packages in what appears to have been an automated blitz. On Valentine’s Day (there is a certain irony here), OpenClaw founder Peter Steinberger announced he was joining OpenAI to lead personal agent development, with the project transitioning to the OpenClaw Foundation under OpenAI sponsorship. By February 19, SecurityWeek reported the launch of SecureClaw, an open-source hardening tool running 55 automated audit checks mapped to OWASP’s Agentic Security Initiative top 10 and MITRE ATLAS.
Why it matters
ClawHub had no automated static analysis, no code signing, and no review process. Publishing a malicious skill required only a GitHub account one week old. Your developers are treating this marketplace like a trusted source.
OpenClaw’s persistent memory files (SOUL.md, MEMORY.md) were targeted, meaning malicious payloads can modify the agent’s long-term behavioral instructions and wait before triggering. Point-in-time malware analysis misses this entirely.
The transition to an OpenAI-sponsored foundation means a consumer-grade security nightmare is now a tier-one organization’s responsibility to clean up.
What to do about it
Audit your environment for OpenClaw deployments now. Any instance predating February 1, 2026 with API keys loaded should be treated as potentially compromised and keys rotated.
Treat every ClawHub skill like an untrusted third-party binary before installing it. No README is trustworthy. No prerequisite installation step should execute without review.
Engage your developer community on the SecureClaw hardening checks. If your org is running OpenClaw agents, you need the 55-point audit baseline before any production use.
Rock’s Musings
When a security researcher found 386 malicious packages from a single threat actor in OpenClaw’s ClawHub marketplace, Steinberger told him security “isn’t really something he wants to prioritize.” He’s since changed his tune on Lex Fridman’s podcast, hired a security lead, and partnered with VirusTotal for malware scanning. Good. Progress matters. But sandboxing is still opt-in. The defaults still ship insecure. Words on a podcast don’t fix architecture. I don’t blame Steinberger for building fast and asking questions later. That’s how open-source adoption works. I do blame the enterprises that deployed it without asking whether anyone had thought about what happens when the agent has shell access and the plugin store has no gates.
The OpenAI foundation takeover is interesting. Either OpenAI is going to clean this up properly, which would take real investment in supply chain security, or they’re going to inherit the liability that comes with 212,000 GitHub stars pointing at a platform with 20% malicious packages in its ecosystem. I’d watch that situation carefully. For now, the practical answer is: if OpenClaw is running in your environment, it is a high-severity finding until proven otherwise.
3. BeyondTrust CVE-2026-1731 Hits Active Exploitation; CISA Mandates Federal Patching by February 16
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog on February 13, 2026, mandating that Federal Civilian Executive Branch agencies apply patches by February 16 (CISA, Help Net Security). The vulnerability, CVSS 9.9, allows an unauthenticated attacker to execute arbitrary OS commands against BeyondTrust Remote Support and Privileged Remote Access products via a crafted WebSocket request with zero user interaction required. watchTowr’s Ryan Dewhurst confirmed in-the-wild exploitation through global sensor networks, and Arctic Wolf separately detected attacks attempting to deploy the SimpleHelp RMM tool for persistence with lateral movement into Active Directory. BeyondTrust patched SaaS instances automatically on February 2 but self-hosted customers required manual action. The flaw was discovered by the Hacktron AI team using AI-enabled variant analysis after studying a related Ivanti bug, identifying approximately 8,500 exposed on-premises instances.
Why it matters
BeyondTrust serves 75% of the Fortune 100. A pre-auth RCE in privileged remote access infrastructure is a direct path to crown jewel systems, with no prior foothold required.
The Silk Typhoon precedent from 2024 means Chinese state actors have already demonstrated intent to exploit BeyondTrust products at scale. With active exploitation confirmed, the question is who got there first.
AI-enabled variant analysis cut the time from patch release to public PoC to under two weeks. Discovery-to-exploitation timelines are compressing in both directions simultaneously.
What to do about it
Patch now. Any Remote Support version 25.3.1 or earlier and PRA version 24.3.4 or earlier is vulnerable. Self-hosted customers who have not applied BT26-02 should assume compromise and begin incident response procedures.
Segment BeyondTrust deployments from internal networks wherever architecturally possible. Post-exploitation lateral movement via ActiveDirectory was confirmed in at least one attacker cluster.
Revisit your exposure to other BeyondTrust products. The variant analysis method that found this vulnerability treats entire vulnerability classes as attack surface, not individual CVEs.
Rock’s Musings
BeyondTrust is having a rough patch. They already had Silk Typhoon weaponize a zero-day against the U.S. Treasury in December 2024. Now they have a CVSS 9.9 pre-auth RCE with confirmed exploitation inside two weeks of public disclosure. The pattern of targeting is not a coincidence. This is the product pattern where a dominant market position in privileged access makes you a permanent priority target. Silk Typhoon already told us what they do with access to BeyondTrust once they have it.
The AI angle here is the one worth pausing on. Hacktron AI found this vulnerability by doing AI-assisted variant analysis across codebases after reading watchTowr’s technical writeup on a related Ivanti bug. The entire discovery-to-exploitation cycle, from responsible disclosure to confirmed mass scanning, played out in 13 days. If your patching cycle runs longer than that for critical remote access infrastructure, this CVE is the poster child for why that has to change.
4. Cline npm Supply Chain Attack Silently Installs OpenClaw on Developer Machines
On February 17, 2026, an unknown actor used a stolen npm publish token to release cline@2.3.0 with one change: a postinstall script that silently deployed OpenClaw on any machine that updated during an eight-hour window (GitHub Security Advisory GHSA-9ppg-jx86-fqw7). Adnan Khan had reported the root cause, a prompt injection vulnerability in Cline’s Claude-powered issue triage workflow that enabled GitHub Actions cache poisoning and credential theft, privately on January 1, followed up four times, and got no response. He went public February 9. Cline patched in 30 minutes. The token was already gone.
Michael Bargury, CTO of Zenity, ran RAPTOR, the open-source forensics tool built by Gadi Evron, CEO of Knostic, against the advisory URL and had full attribution in five minutes: actor glthub-actions (a typosquat using a lowercase L), the weaponized issue, and the exfiltration infrastructure. The critical finding is that the attacker found Khan’s public proof-of-concept test repository on January 2 and struck on January 28, ten days before full disclosure. Patch windows don’t protect you when the POC is already public.
Why it matters
GitHub Actions workflows that hand AI agents broad tool permissions and accept untrusted input from public issue trackers are an attack surface most teams haven’t mapped. That pattern is common right now.
The attacker moved during coordinated disclosure, not after. Your vendor’s patch timeline offers no protection if a researcher’s test repo is public while they’re waiting for a response.
RAPTOR produced high-confidence attribution from a single URL in five minutes. Attackers doing threat intelligence on your vendors have the same capability.
What to do about it
Audit every GitHub Actions workflow using AI agents for untrusted input paths. Issue titles, PR descriptions, and branch names are all attacker-controlled strings.
Enforce --ignore-scripts in automated build environments and scope npm publish tokens to the minimum necessary. A token that can publish anything in your org is a single point of failure.
Add AI-assisted forensics tooling to your IR playbook before you need it. Five minutes to attribution is the new baseline expectation.
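One way to run the workflow audit above, as an added example that is not Cline’s, RAPTOR’s or any vendor’s code: it scans workflow text for attacker-controlled event fields expanded inline in run: steps (the script-injection path) and leaves the env:-variable pattern alone. The sample workflow is constructed; the list of user-controllable context fields is GitHub’s documented set.

```python
"""Audit GitHub Actions workflow text for attacker-controlled strings
expanded straight into `run:` steps. Once expanded there, an issue title
or PR body is shell code, not data.

Added example, not Cline's or RAPTOR's code. SAMPLE_WORKFLOW is a
constructed file; UNTRUSTED_CONTEXT lists the event fields GitHub
documents as user-controllable.
"""
import re
from typing import Dict, List

# `${{ ... }}` expressions whose value any GitHub account can set on a
# public repository (issue/PR text, comments, branch names, commit messages).
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(?:"
    r"github\.head_ref"
    r"|github\.event\.(?:"
    r"issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|comment\.body"
    r"|review\.body"
    r"|review_comment\.body"
    r"|head_commit\.message"
    r"|commits\.[^.}\s]+\.message"
    r")"
    r")\s*\}\}"
)

# A `run:` key, optionally as the first key of a list item (`- run:`).
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

SAMPLE_WORKFLOW = """\
name: ai-issue-triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Unsafe - issue text expanded inside the shell script
        run: |
          echo "Triaging: ${{ github.event.issue.title }}"
          ./agent triage --body "${{ github.event.issue.body }}"
      - name: Safe - same text passed through an environment variable
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "Triaging: $ISSUE_TITLE"
"""


def find_untrusted_run_inputs(workflow_text: str) -> List[Dict]:
    """Return {line, expression} for each untrusted expression inside a
    `run:` value, whether inline or a block scalar. Uses under `env:` are
    not flagged: there the value reaches the shell as a variable."""
    findings: List[Dict] = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        scalar = [(i + 1, value)]          # (1-based line number, text)
        i += 1
        if value.strip() in ("|", "|-", "|+", ">", ">-", ">+"):
            # Block scalar: the body is every following line indented
            # past the key column (blank lines are part of the body).
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                scalar.append((i + 1, lines[i]))
                i += 1
        for lineno, text in scalar:
            for hit in UNTRUSTED_CONTEXT.finditer(text):
                findings.append({"line": lineno, "expression": hit.group(0)})
    return findings


if __name__ == "__main__":
    for f in find_untrusted_run_inputs(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['expression']} expanded inside run:")
```

Run it over every file under .github/workflows/; a hit means the step needs the env: rewrite shown in the sample before an AI triage agent ever sees the text.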
Rock’s Musings
I know both Michael and Gadi, and watching RAPTOR nail full attribution in five minutes while the rest of the industry was still reading the advisory is exactly the kind of thing that should embarrass every security team still running manual IR processes. Khan did everything right. Six weeks of responsible disclosure, documented in detail, across every available channel, ignored completely. The vendor patched in 30 minutes once the blog went public. The gap between those two timelines is where the breach lived.
The meta-structure here is almost too clean. An AI agent with misconfigured permissions accepted natural language from anonymous internet users and handed an attacker publish credentials for a 4 million user developer tool. Then an AI forensics agent reconstructed the crime scene from a URL. Attacker used AI as a weapon. Defender used AI as a microscope. What separated the outcomes wasn’t sophistication. It was that the vendor ignored six weeks of warning. If a researcher is trying to reach you, pick up the phone.
5. AI-Generated Passwords Are Fundamentally Insecure, and Vibe Coding Is Shipping Them to Production
AI cybersecurity firm Irregular published research on February 18-19 showing that ChatGPT, Claude, and Gemini generate highly predictable passwords with dramatically reduced entropy compared to cryptographically secure random generation (The Register, Malwarebytes). When Irregular prompted Claude Opus 4.6 fifty times, 20 of the 50 results were duplicates and 18 were the exact same string. Every Claude-generated password began with an uppercase “G” and used the same narrow character subset. GPT-5.2 started nearly all passwords with “v” and used “Q” as the second character in nearly half of outputs. The researchers measured 20 to 27 bits of entropy in LLM-generated 16-character passwords versus the 98 to 120 bits expected from cryptographically random generation. Irregular noted the problem is not fixable by prompt engineering or temperature adjustments, since the predictability is structural to how LLMs generate tokens.
Why it matters
Any developer who used an LLM to generate a password, secret, or API key in production code has shipped a predictable, likely crackable credential. Code review doesn’t catch this because the string looks complex.
Attackers can now build wordlists from known LLM output patterns. If your environment has credentials generated this way, those wordlists apply to you directly.
The gap between “looks strong” and “is strong” is exactly the kind of mismatch that causes silent, undetected compromises over months.
What to do about it
Audit your codebase and configuration management for any credentials that may have been AI-generated. Rotate them regardless of apparent strength.
Add explicit policy to your AI usage guidelines: LLMs must not be used for password, secret, or cryptographic key generation. Use dedicated cryptographic random number generators or password managers with CSPRNG backends.
Add detection to your code review process for hardcoded credentials. The presence of secrets in code is a separate problem, but AI-generated secrets in code are doubly dangerous.
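The entropy gap above, worked through as an added example (not Irregular’s methodology or data): a constructed sample that mimics the pattern the research describes (18 identical strings, every output starting with “G”, a small reused symbol set) is measured beside a CSPRNG baseline, and the same statistics can be pointed at any batch of credentials you suspect were model-generated. The alphabet sizes and thresholds are assumptions.

```python
"""Measure why LLM 'passwords' fail: duplicate rate, fixed first character,
narrow alphabet, and an entropy estimate, next to a CSPRNG baseline.

Added example, not Irregular's code. LLM_LIKE_SAMPLE is constructed to
mimic the pattern the article describes; it is not real model output.
"""
import math
import secrets
import string
from collections import Counter
from typing import Dict, List

# 72 printable symbols. 16 symbols drawn uniformly from this set give
# 16 * log2(72) = 98.7 bits, the low end of the range the research quotes.
CSPRNG_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

_NARROW = "GKQRTpqxmnvL2479#!"   # 18 symbols a model keeps reusing (constructed)


def _llm_like_sample() -> List[str]:
    """50 constructed outputs: 18 identical, 2 more identical, 30 unique
    strings that all start with 'G' and recycle the same narrow alphabet."""
    base = "Gx7#Kp9mQ2vL4nR8"
    runner_up = "Gp9#Kx7mQ4vL2nR8"
    unique = []
    for i in range(30):
        k = i % len(_NARROW)
        core = (_NARROW[k:] + _NARROW[:k])[:13]
        unique.append("G" + core + f"{i:02d}")
    return [base] * 18 + [runner_up] * 2 + unique


LLM_LIKE_SAMPLE = _llm_like_sample()


def csprng_password(length: int = 16) -> str:
    """Draw each symbol from the OS CSPRNG; no symbol depends on the last."""
    return "".join(secrets.choice(CSPRNG_ALPHABET) for _ in range(length))


def theoretical_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniform, independent draw: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def sample_stats(passwords: List[str]) -> Dict:
    """Empirical signals from a batch of equal-length credentials."""
    n = len(passwords)
    counts = Counter(passwords)
    first = Counter(p[0] for p in passwords).most_common(1)[0]
    chars = Counter(c for p in passwords for c in p)
    total = sum(chars.values())
    # Per-character Shannon estimate. It ignores position and sequence
    # structure, so it is an UPPER bound on the real search space; the
    # duplicate count is the sharper signal.
    per_char = -sum(k / total * math.log2(k / total) for k in chars.values())
    return {
        "duplicates": n - len(counts),             # outputs repeating an earlier one
        "identical_max": counts.most_common(1)[0][1],
        "top_first_char": first[0],
        "top_first_char_share": first[1] / n,
        "alphabet_used": len(chars),
        "bits_estimate": per_char * len(passwords[0]),
    }


def looks_model_generated(stats: Dict, min_alphabet: int = 40,
                          max_first_share: float = 0.2) -> bool:
    """Any one of these is astronomically unlikely for a CSPRNG at n=50."""
    return (stats["duplicates"] > 0
            or stats["alphabet_used"] < min_alphabet
            or stats["top_first_char_share"] > max_first_share)


if __name__ == "__main__":
    llm = sample_stats(LLM_LIKE_SAMPLE)
    rng = sample_stats([csprng_password() for _ in range(50)])
    print("theoretical CSPRNG bits:", round(theoretical_bits(len(CSPRNG_ALPHABET), 16), 1))
    for label, s in (("LLM-like", llm), ("CSPRNG", rng)):
        print(label, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in s.items()},
              "flagged" if looks_model_generated(s) else "clean")
```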
Rock’s Musings
This one is going to sting because it’s been happening quietly for three years. Every developer who ever typed “give me a strong password” into ChatGPT and copy-pasted the result into a config file or API key field created a predictable credential. The entropy numbers here are damning: 27 bits versus 98. That’s a category error. The model isn’t generating randomness. It’s predicting what a password looks like, which is the exact opposite of what you need.
The vibe coding angle makes this worse. Teams building rapidly with AI assistance are shipping AI-generated credentials into production at a rate that’s probably not tracked anywhere in your CMDB. This isn’t a training problem you can solve with a webinar. It requires a tooling change and an audit of anything AI-assisted from the last two years. Start there.
6. India Launches Global AI Summit, Shifting the Governance Conversation from Safety to Impact
The India AI Impact Summit opened February 19-20, 2026 in New Delhi, with Prime Minister Narendra Modi hosting the fifth in the series of global AI summits following the UK, France, Korea, and Rwanda iterations (Crowell & Moring, techUK). India deliberately reframed the summit theme away from “safety” and “action” toward “impact,” signaling a strategic preference for deployment-focused governance over precautionary frameworks. The summit brings together governments representing over 30 nations, private sector leaders from startups to multinationals, and is expected to shape India’s domestic AI regulatory approach. India highlighted four domestic startups building open-source foundational AI models tailored to local languages: Sarvam AI, Soket AI, Gnani AI, and Gan AI. The International AI Safety Report 2026, published February 3 and authored by over 100 experts across 30 countries, provides the independent scientific baseline for the governance conversations happening at the summit.
Why it matters
The shift from “safety” to “impact” framing at a summit representing one billion users rebalances global AI governance pressure toward deployment and away from precaution. This affects how multinational enterprises navigate cross-border AI risk.
India’s regulatory landscape for AI is still forming. Summit outcomes will directly shape what obligations enterprises face in one of the world’s largest and fastest-growing technology markets.
The Global South’s increasing voice in AI governance means compliance strategies built entirely around EU AI Act timelines or U.S. executive order directions are increasingly incomplete.
What to do about it
Expand your AI regulatory horizon map to include India explicitly. If you operate in the Indian market or source AI talent and infrastructure there, this summit’s outputs will produce compliance obligations.
Monitor the parallel EU AI Act timeline shifts. The European Commission is considering moving high-risk AI system obligations from August 2026 to December 2027. That extension affects your deployment planning.
Brief your board on the diverging international governance frameworks. AI risk is no longer a single regulatory question. It’s a multi-jurisdictional portfolio problem.
Rock’s Musings
The rebranding from “safety summit” to “impact summit” is doing more work than it appears. It’s India saying, loud and clearly, that the safety-first framing from the UK and EU rounds is not the only valid frame. For the Global South, AI’s upside is too large to subordinate to risk frameworks designed primarily by wealthy nations with different exposure profiles. That’s a legitimate position, and it creates governance fragmentation that multinational enterprises will have to navigate without clean guidance.
From a security practitioner standpoint, what I watch at these summits isn’t the keynotes but the working groups. The incident reporting requirements, the transparency obligations for AI developers, and the cross-border data flow rules are where the actual compliance burden lives. The International AI Safety Report 2026 laid out a solid scientific baseline for what risks are real and what risk management practices actually work. Whether any of these summits produces enforceable governance is a different question entirely.
7. DHS Announces CIRCIA Virtual Town Halls, Bringing Mandatory Incident Reporting Closer to Reality
On February 13, 2026, the U.S. Department of Homeland Security announced virtual town hall meetings scheduled for March 2026 on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (Crowell & Moring). CIRCIA mandates covered entities to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The town halls signal that CISA is moving toward final rulemaking, which will define exactly which organizations qualify as covered critical infrastructure and what “substantial” means in practice. The upcoming rules will affect sectors including healthcare, finance, transportation, energy, and communications. This is directly relevant to AI security because AI systems deployed in critical infrastructure pipelines will fall within CIRCIA’s scope once the covered entity definitions are finalized.
Why it matters
If your organization operates in or supplies critical infrastructure sectors, CIRCIA reporting obligations are coming. The town halls are your signal to get your incident response playbooks in order now, not when the rule is final.
AI-related incidents involving critical infrastructure components will carry mandatory reporting obligations. Your incident classification framework needs to account for AI system failures as a triggering event.
The 72-hour reporting window is unforgiving. Organizations without pre-defined internal notification chains, executive decision authority, and external counsel relationships will fail to meet it.
What to do about it
Participate in the March CIRCIA town halls or send your legal and compliance teams. The comment period is the last opportunity to influence what “substantial incident” means before it becomes binding.
Map your AI deployments against critical infrastructure definitions. If an AI system supports operational continuity in a covered sector, assume it is a reportable asset.
Conduct a tabletop exercise specifically for the 72-hour CIRCIA timeline. The failure mode is not usually lack of knowledge; it’s lack of pre-authorized decision-making when leadership is unavailable at 2 a.m.
Rock’s Musings
CIRCIA has been in rulemaking purgatory for years, and the town halls are the clearest signal yet that the administration intends to finalize it. What’s notable from an AI security angle is that the statute was written before enterprise AI deployments at scale were reality. The final rule needs to address what happens when an AI system operating in a critical infrastructure pipeline is the vehicle for a substantial cyber incident. Right now, that’s ambiguous.
The practical guidance I’d give: don’t wait for regulatory clarity before building your incident response muscle. If an AI agent with access to operational technology fails catastrophically, you need the same 72-hour reporting capability you’d need for a ransomware attack. Those muscles take time to build. The town halls are the starting gun, not the finish line.
8. 300 Million AI Chat Messages Exposed in Firebase Misconfiguration
A security researcher discovered an exposed database belonging to the Chat and Ask AI application, operated by developer Codeway, exposing approximately 300 million messages tied to 25 million users (Malwarebytes). The exposure traced back to a Firebase misconfiguration, a well-documented error class where Google Firebase Security Rules are set to public, allowing anyone with the project URL to read, modify, or delete data without authentication. The exposed data included complete chat histories, AI model configurations, and user settings. The researcher, named Harry, found the issue while building an automated scanning tool for iOS and Android apps and discovered 103 of 200 iOS apps tested had the same vulnerability class. Codeway resolved the issue across all its apps within hours of responsible disclosure. Harry set up a public registry called Firehound where users can check whether apps they use have exposed this flaw.
Why it matters
300 million chat messages include everything users ever said to an AI assistant: medical questions, financial details, relationship problems, confidential business discussions. That data is permanently exposed once leaked, regardless of remediation.
The systematic nature of this vulnerability class means Codeway is not the exception. Seventeen percent of iOS apps in Harry’s initial scan had the same misconfiguration.
AI applications collecting sensitive conversational data without adequate backend security controls are a rapidly growing liability category that most enterprise third-party risk programs are not yet equipped to assess.
What to do about it
Audit your enterprise mobile app allowlist for AI applications that may store conversational data in Firebase or similar backend-as-a-service platforms. Request evidence of backend security controls as part of vendor assessment.
Advise employees against using consumer AI chat applications for business discussions. The security controls on consumer apps are not equivalent to enterprise SaaS, and the conversational data those apps collect is a legitimate exfiltration target.
Check whether any apps your organization uses appear in Harry’s Firehound registry at firehound.app.
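The misconfiguration class behind this exposure, shown as an added example (not Codeway’s rules or the Firehound scanner): the public rule set beside the test-mode and hardened forms, plus a small linter that flags any allow with no request.auth condition, for both Firestore rules and Realtime Database JSON rules. All rule sets are constructed.

```python
"""Lint Firebase Security Rules for the public-access misconfiguration:
rules that let anyone holding the project URL read or write without
authenticating.

Added example, not Codeway's rules or the Firehound scanner. The rule
sets below are constructed; HARDENED_RULES uses the usual owner-only
pattern (user may touch only documents under their own uid).
"""
import json
import re
from typing import Dict, List

PUBLIC_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
"""

# Firebase's "test mode" template: time-limited, but still no auth check.
TEST_MODE_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2026, 3, 15);
    }
  }
}
"""

HARDENED_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/chats/{chatId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}
"""

# Realtime Database rules are JSON; a bare true on .read/.write is public.
RTDB_RULES_JSON = '{"rules": {".read": true, ".write": "auth != null"}}'

ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?)\s*:\s*if\s+(.*?);", re.S)


def lint_firestore_rules(rules_text: str) -> List[Dict]:
    """Return one finding per allow statement that grants access without
    consulting request.auth (unconditional, or conditioned on something
    else such as time)."""
    findings: List[Dict] = []
    for m in ALLOW_RE.finditer(rules_text):
        ops = [o.strip() for o in m.group(1).split(",")]
        cond = " ".join(m.group(2).split())        # collapse line breaks
        line = rules_text.count("\n", 0, m.start()) + 1
        if cond == "false":
            continue                                # explicit deny is fine
        if cond == "true":
            findings.append({"line": line, "ops": ops, "reason": "unconditional allow"})
        elif "request.auth" not in cond:
            findings.append({"line": line, "ops": ops, "reason": "no request.auth check"})
    return findings


def lint_rtdb_rules(rules_json: str) -> List[Dict]:
    """Walk the JSON rules tree and flag .read/.write set to literal true."""
    findings: List[Dict] = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if key in (".read", ".write") and val is True:
                findings.append({"path": path or "/", "op": key,
                                 "reason": "unconditional allow"})
            else:
                walk(val, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, text in (("public", PUBLIC_RULES), ("test-mode", TEST_MODE_RULES),
                       ("hardened", HARDENED_RULES)):
        print(name, lint_firestore_rules(text))
    print("rtdb", lint_rtdb_rules(RTDB_RULES_JSON))
```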
Rock’s Musings
The fact that a security researcher had to build an automated scanner to find this at scale tells you that the industry has not treated AI application backend security as a systematic concern. Firebase misconfigurations are not exotic vulnerabilities. They’re configuration errors that developers make when they prioritize shipping over hardening. When those developers are building AI applications that store millions of sensitive conversations, the exposure radius is enormous.
I want to flag the third-party risk angle for enterprise security leaders. Your employees are using AI chat applications for work conversations whether you’ve blessed those tools or not. The question is whether your vendor risk program knows what backend infrastructure those applications run on and whether those backends have been assessed. Most programs don’t, and 300 million exposed messages is the cost of that gap.
9. Taiwan Warns China Is Rehearsing a Digital Siege
On February 13, 2026, Taiwan issued a warning that China may be rehearsing a “digital siege” targeting the island’s critical communications and infrastructure (The Record from Recorded Future News). Taiwan’s National Security Bureau assessed that Chinese state actors are probing submarine cable systems, satellite communication dependencies, and undersea internet infrastructure in patterns consistent with pre-conflict preparation. The warning follows years of documented Chinese cyber operations against Taiwanese government agencies, financial institutions, and defense contractors. AI tools are increasingly part of Chinese state-sponsored reconnaissance and operational planning, as the Google GTIG report published the same week documented. The digital siege scenario involves coordinated disruption of communications infrastructure to isolate Taiwan before or during a conventional military operation.
Why it matters
The digital siege model does not require a military conflict to be relevant to enterprise security. The same techniques used to rehearse the isolation of Taiwan’s infrastructure apply to attacking submarine cables, satellite uplinks, and internet exchange points globally.
Multinational enterprises with operations or supply chain dependencies in Taiwan face a material business continuity risk that most BCP plans do not adequately address.
AI-assisted reconnaissance at the infrastructure level represents a qualitative shift in how state actors prepare for large-scale operations.
What to do about it
Include Taiwan-specific disruption scenarios in your business continuity planning if you have operations or significant supplier relationships in Taiwan. The realistic scenario is degraded communications, not a clean cutover.
Map your organization’s dependence on Taiwan-based semiconductor and manufacturing supply chains. The disruption scenario is the subject of active adversary preparation.
Brief your board on the geopolitical exposure your organization carries in the Taiwan Strait scenario. This belongs in your enterprise risk register alongside financial and operational risks.
Rock’s Musings
Taiwan produces the advanced chips that run your AI infrastructure. Any serious disruption to Taiwan’s communications or manufacturing capacity disrupts global AI supply chains in ways that dwarf any single cyberattack. China knows this. Their state actors are mapping the dependencies precisely because disrupting them at the right moment creates leverage that kinetic operations alone cannot.
The AI security angle that gets missed in most coverage is that Chinese APT groups are using AI tools, including Gemini as documented this week, to accelerate exactly the kind of infrastructure reconnaissance that underpins a digital siege strategy. Faster, more precise OSINT on submarine cable routing, satellite uplink dependencies, and internet exchange peering relationships means better targeting when the time comes. The rehearsal is happening now. Whether enterprises are watching is a different question.
10. OpenClaw CVE-2026-25253 Docker Sandbox Bypass Leaves Persistent Exposure
Security researchers at Depthfirst and Snyk confirmed during the week of February 13 that the original patch for CVE-2026-25253, OpenClaw’s one-click RCE vulnerability, was incomplete (SecurityWeek, Barrack.ai). The Docker sandbox bypass was assigned its own CVE, CVE-2026-24763, and patched in OpenClaw version 2026.1.30. The initial vulnerability allowed a victim who visited a malicious web page to have their authentication token stolen and their OpenClaw gateway compromised for full remote code execution. With 179,000 GitHub stars and 720,000 weekly downloads, the number of vulnerable deployments is substantial, particularly given that many users run OpenClaw on dedicated always-on machines with broad system access. Belgium’s Centre for Cybersecurity issued an emergency advisory urging immediate patching. As of February 19, SecurityWeek confirmed no known unfixed CVEs in the latest version 2026.2.17 but noted a large installed base of older versions remained in production.
Why it matters
The incomplete initial patch is a recurring pattern. Security teams that patched to 2026.1.29, believing they were protected, were not. Patch validation for complex systems requires verifying the specific vulnerability class, not just the version number.
Always-on AI agent deployments on dedicated hardware create persistent high-value targets. A machine running OpenClaw continuously, with access to email, shell, and connected services, is a significant lateral movement asset if compromised.
Belgium’s emergency advisory signals that national cybersecurity agencies are treating OpenClaw’s exposure as a critical infrastructure-level risk, not just a developer tool problem.
What to do about it
Verify OpenClaw deployments are running version 2026.2.17 or later. Version 2026.1.29 is not fully patched. Confirm the specific CVEs are addressed in your version before closing the finding.
Isolate OpenClaw agent deployments from your corporate network with explicit firewall rules. An agent that can only reach the services it legitimately needs has a dramatically smaller blast radius than one with unrestricted internal access.
Treat the SecureClaw open-source hardening tool as a baseline requirement before any production OpenClaw deployment. Fifty-five automated audit checks mapped to MITRE ATLAS is a reasonable starting point, not an optional addition.
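The patch-validation point above (a version that carries the first fix but not the follow-up CVE is still exposed) is easy to get wrong when a product ships several CVE fixes in quick succession. The following is an added example, not OpenClaw project code or SecureClaw output: it checks a deployed version against the fixed-in version of each CVE separately, and against the recommended baseline, rather than against a single "latest" number. The fix table uses the versions the item above reports (2026.1.29 as the initial, incomplete fix for CVE-2026-25253; 2026.1.30 for CVE-2026-24763; 2026.2.17 as the current baseline); the mapping of CVE-2026-25253 to 2026.1.29 is inferred from the text and should be confirmed against the vendor advisory before use.

```python
"""Per-CVE patch validation for a CalVer-versioned product (added example).

Assumptions, not vendor data: the FIX_TABLE entries below are taken from the
newsletter text and should be confirmed against the project's advisories.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Parse a CalVer-style string such as '2026.1.30' into a comparable tuple.

    Tolerates a leading 'v' and a pre-release suffix ('2026.2.17-rc1'); a
    pre-release sorts *before* the release of the same number, and short
    versions ('2026.2') are zero-padded to three numeric parts.
    """
    v = v.strip().lstrip("v")
    core, _, pre = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + ((0,) if pre else (1,))


@dataclass(frozen=True)
class Fix:
    cve: str
    fixed_in: tuple  # parsed version at which this CVE is addressed
    note: str


# One row per CVE, not one row per product: the sandbox-bypass CVE has its
# own fixed-in version, so 2026.1.29 satisfies the first row but not the second.
FIX_TABLE = [
    Fix("CVE-2026-25253", parse_version("2026.1.29"),
        "one-click RCE; initial patch (assumed from the text to be 2026.1.29) was incomplete"),
    Fix("CVE-2026-24763", parse_version("2026.1.30"),
        "Docker sandbox bypass split out of CVE-2026-25253; fixed in 2026.1.30"),
]


def open_cves(deployed: str, fixes=FIX_TABLE) -> list:
    """Return the CVE ids that are still unaddressed at the deployed version."""
    d = parse_version(deployed)
    return [f.cve for f in fixes if d < f.fixed_in]


def validate(deployed: str, baseline: str = "2026.2.17") -> dict:
    """Combine the per-CVE check with the baseline check most teams do alone.

    A version can close every CVE in the table and still sit below the
    release the advisory recommends; both facts belong in the finding.
    """
    d = parse_version(deployed)
    return {
        "version": deployed,
        "open_cves": open_cves(deployed),
        "below_baseline": d < parse_version(baseline),
    }


if __name__ == "__main__":
    for v in ("2026.1.28", "2026.1.29", "2026.1.30", "2026.2.17"):
        print(validate(v))
```

Run against an inventory export, the function gives you two separate answers per host: which named CVEs remain open, and whether the host is behind the recommended baseline. Closing a finding on the second answer alone is the mistake the item describes.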
Rock’s Musings
The incomplete patch disclosure on a CVSS 8.8 one-click RCE is the kind of thing that turns a bad week into a worse one for security teams who thought they’d handled it. The version number said patched. The actual vulnerability class said otherwise. This is why patch validation procedures need to go beyond version confirmation, particularly for products with multiple CVEs being patched in rapid succession over a short period.
What concerns me more than any individual CVE here is the deployment pattern. People are running OpenClaw on Mac minis in their homes and offices as always-on AI assistants with full access to their personal and professional digital lives. The security model for that use case does not exist. The threat model has not been written. The incident response plan if the agent is compromised has definitely not been tested. That’s the real story underneath all of these CVEs.
The One Thing You Won’t Hear About But You Need To
Check Point Reveals AI Assistants Can Be Weaponized as Bidirectional C2 Proxy Channels
Check Point researchers disclosed on February 18, 2026 that AI assistants with web-browsing capabilities, specifically Microsoft Copilot and xAI’s Grok, can be turned into bidirectional command-and-control proxy channels by malware (AI Security Daily Briefing, February 18, 2026). The technique works by sending malware-controlled “summarization prompts” to attacker-controlled URLs via the AI assistant’s browser. The assistant fetches the URL, interprets attacker commands embedded in the page content, and returns data, effectively acting as a cleansing layer that makes malicious C2 traffic appear as legitimate HTTPS connections to AI provider domains. From a network monitoring perspective, the traffic looks like normal Copilot or Grok activity. Standard network security tools that whitelist major AI provider domains, as many enterprise configurations do, pass this traffic without inspection.
Why it matters
Every enterprise that has whitelisted Copilot, Grok, or similar AI assistant domains in its network security stack has created a potential bypass channel for malware C2 communications.
The attack does not require exploiting the AI system itself. It exploits the trust that network controls extend to AI provider domains by default.
AI assistants with browsing capabilities are increasingly standard enterprise tools. The attack surface grows with every deployment.
What to do about it
Audit your network security configurations for blanket whitelisting of AI provider domains. Traffic to Copilot, Grok, ChatGPT, or similar services should be inspectable, not exempt from inspection.
Monitor for high-frequency, low-volume browsing requests from AI agents to newly registered or unusual domains. The attack pattern requires the agent to browse attacker-controlled content regularly.
Require explicit approval and network segmentation for any AI assistant deployment with web-browsing capabilities. The browsing feature specifically is what creates the C2 channel.
Rock’s Musings
This one deserves more attention than it’s getting. The attack is technically simple but operationally brilliant. You’ve trained your security team to look for C2 traffic going to suspicious domains. The traffic to Microsoft Copilot’s endpoints is not suspicious. It’s expected. Now those expected connections are the C2 channel. Your detection model just broke.
The enterprise AI deployment pattern that created this exposure is the same one most organizations followed: enabled Copilot or a similar tool, added the provider to the network allowlist so it functions properly, moved on to the next project. Nobody asked what happens if someone uses that trusted channel in reverse. Check out the rockcybermusings.com archive for more on how AI assistant deployments are changing your threat model, and visit rockcyber.com if you need help working through what your current AI deployment means for your detection stack.
If you found this analysis useful, subscribe at rockcybermusings.com for weekly intelligence on AI security developments.
👉 Visit RockCyber.com to learn more about how we can help you in your traditional Cybersecurity and AI Security and Governance Journey
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 Subscribe for more AI and cyber insights with the occasional rant.
References
Anadolu Agency. (2026, February 19). Experts warn AI-generated passwords may expose users to security risks. https://www.aa.com.tr/en/science-technology/experts-warn-ai-generated-passwords-may-expose-users-to-security-risks/3834887
Antiy CERT. (2026, February 19). ClawHavoc poisons OpenClaw’s ClawHub with 1,184 malicious skills. GBHackers. https://gbhackers.com/clawhavoc-infects-openclaws-clawhub/
Aryaka. (2026, February 18). Securing OpenClaw agents from ClawHavoc supply-chain attacks with AI-driven protection. https://www.aryaka.com/blog/securing-openclaw-agents-clawhavoc-supply-chain-attack-ai-secure-protection/
Barrack.ai. (2026, February 16). OpenClaw is a security nightmare: Here’s the safe way to run it. https://blog.barrack.ai/openclaw-security-vulnerabilities-2026/
CISA. (2026, February 13). CVE-2026-1731 added to Known Exploited Vulnerabilities catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Conscia. (2026, February). The OpenClaw security crisis. https://conscia.com/blog/the-openclaw-security-crisis/
Crowell & Moring LLP. (2026, February). Setting the agenda for global AI governance: India to host AI Impact Summit in February 2026. https://www.crowell.com/en/insights/client-alerts/Setting-the-Agenda-for-Global-AI-Governance-India-to-Host-AI-Impact-Summit-in-February-2026
Dewhurst, R. (2026, February 12). [Post on X confirming in-the-wild exploitation of CVE-2026-1731]. watchTowr. Referenced via Help Net Security: https://www.helpnetsecurity.com/2026/02/13/beyondtrust-cve-2026-1731-poc-exploit-activity/
eSecurity Planet. (2026, February). Hundreds of malicious skills found in OpenClaw’s ClawHub. https://www.esecurityplanet.com/threats/hundreds-of-malicious-skills-found-in-openclaws-clawhub/
Google Threat Intelligence Group. (2026, February 12). Nation-state hackers using Gemini AI for recon and attack support. Referenced via BleepingComputer: https://www.bleepingcomputer.com/news/security/google-says-hackers-are-abusing-gemini-ai-for-all-attacks-stages/
Google Threat Intelligence Group. (2026, February 12). State-backed hackers exploit Gemini AI for cyber recon and attacks. Security Affairs. https://securityaffairs.com/187958/ai/google-state-backed-hackers-exploit-gemini-ai-for-cyber-recon-and-attacks.html
Help Net Security. (2026, February 13). Hackers probe, exploit newly patched BeyondTrust RCE flaw (CVE-2026-1731). https://www.helpnetsecurity.com/2026/02/13/beyondtrust-cve-2026-1731-poc-exploit-activity/
Irregular. (2026, February 18). LLM-generated passwords fundamentally weak. The Register. https://www.theregister.com/2026/02/18/generating_passwords_with_llms
Malwarebytes. (2026, February 19). AI-generated passwords are a security risk. https://www.malwarebytes.com/blog/news/2026/02/ai-generated-passwords-are-a-security-risk
Malwarebytes. (2026, February). AI chat app leak exposes 300 million messages tied to 25 million users. https://www.malwarebytes.com/blog/news/2026/02/ai-chat-app-leak-exposes-300-million-messages-tied-to-25-million-users
Orca Security. (2026, February). Critical CVE-2026-1731 vulnerability in BeyondTrust Remote Support and PRA. https://orca.security/resources/blog/cve-2026-1731-beyondtrust-vulnerability/
Paubox. (2026, February 19). State-sponsored hackers are using AI at every stage of cyberattacks. https://www.paubox.com/blog/state-sponsored-hackers-are-using-ai-at-every-stage-of-cyberattacks
Rapid7. (2026, February). CVE-2026-1731: Critical unauthenticated RCE in BeyondTrust Remote Support and PRA. https://www.rapid7.com/blog/post/etr-cve-2026-1731-critical-unauthenticated-remote-code-execution-rce-beyondtrust-remote-support-rs-privileged-remote-access-pra/
SC Media. (2026, February 19). Massive OpenClaw supply chain attack floods ClawHub with malicious skills. https://www.scworld.com/brief/massive-openclaw-supply-chain-attack-floods-openclaw-with-malicious-skills
SecurityWeek. (2026, February 19). OpenClaw security issues continue as SecureClaw open source tool debuts. https://www.securityweek.com/openclaw-security-issues-continue-as-secureclaw-open-source-tool-debuts/
StepSecurity. (2026, February 17). Cline supply chain attack detected: cline@2.3.0 silently installs OpenClaw. https://www.stepsecurity.io/blog/cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw
techmaniacs.com. (2026, February 18). AI security daily briefing: February 18, 2026. https://techmaniacs.com/2026/02/18/ai-security-daily-briefing-february-18-2026/
techUK. (2026, February). The release of the International AI Safety Report 2026. https://www.techuk.org/resource/the-release-of-the-international-ai-safety-report-2026-navigating-rapid-ai-advancement-and-emerging-risks.html
The Record from Recorded Future News. (2026, February 13). China may be rehearsing a digital siege, Taiwan warns. https://therecord.media/china-may-be-rehearsing-digital-siege-taiwan-warns
TechSpot. (2026, February 19). AI-generated passwords are surprisingly easy to crack, researchers find. https://www.techspot.com/news/111392-ai-generated-passwords-surprisingly-easy-crack-researchers-find.html
The Hacker News. (2026, February 12). Google reports state-backed hackers using Gemini AI for recon and attack support. https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html