February 2026 highlighted the continued impact of attacks targeting both healthcare systems and the infrastructure that underpins modern organisations. Here at home, the MediMap breach saw attackers use stolen credentials to manipulate patient records and disrupt services nationwide, amplifying concerns following earlier healthcare incidents, while globally, active exploitation of a critical VMware ESXi vulnerability demonstrated how hypervisor compromises can expose entire virtualised environments to widespread attack.
These incidents show how both data integrity and foundational platforms remain key pressure points for attackers, with disruptions quickly cascading beyond the initial point of compromise.
Techniques
Malicious “Skill” Distributed Through the OpenClaw Marketplace
The growing ecosystem around OpenClaw agents has created a new supply-chain attack surface; the ClawHub skills marketplace. OpenClaw is an open-source AI agent that runs on user’s machines. The agent is designed to automate tasks, such as reading and writing files, browsing the web, or running shell commands. To extend its capabilities, users can install “skills” from the ClawHub marketplace, essentially small extensions that provide new functionality, workflows, or integrations for the agent.
Seccurity researchers have identified large numbers of malicious skills uploaded to the marketplace, many disguised as useful developer utilities or cryptocurrency automation tools. Skills often come with setup instructions, such as installing dependencies, configuring environment variables, or running helper scripts. However, in these malicious skills, the instructions often direct users to run malicious shell scripts which install credential stealers or remote access tools to their own machine.
The OpenClaw ecosystem is an especially attractive target for adversaries because users are often running the agent in development environments which contain source code, API keys, credentials, and cloud tokens. Distributing malware through the marketplace provides attackers with a direct pathway into systems that are likely to hold high-value developer credentials.
This campaign is a reminder that extensions and marketplace downloads should be treated like any other third-party software. Before installing new tools or plugins, users should review the publisher, check whether the code is publicly available, and be cautions of packages that require running additional scripts or downloading external files as part of the setup. Spending a few minutes vetting software before installation can reduce the risk of introducing malicious code into your environment.
ClawJacking: Browser-to-Localhost Agent Takeover
esearchers at Oasis Security disclosed a vulnerability chain affecting OpenClaw gateways that could allow malicious websites to take control of locally running agents. OpenClaw is an AI automation platform that runs on a user’s machine and exposes a local gateway for managing the agent and its integrations. The attack, dubbed ClawJacking, demonstrated that simply visiting a malicious website could allow an attacker to interact with that local gateway under certain condition, effectively allowing remote control of the agent on the victim’s device.
At the core of the issue is a common misconception around localhost services. Developers often assume services bound to localhost are private, since they are not reachable from the wider internet. As a result, local services sometimes implement weaker protections for connections originating from the same computer. In reality, while remote systems cannot connect directly to localhost, JavaScript running inside a browser can still attempt to open connections to local services, including WebSocket endpoints.
In this instance, the gateway trusted localhost connections and applied reduced protections, such as relaxed rate limiting and simplified device registration. A malicious website visited by the user could therefore attempt to connect to the gateway through the browser and interact with the local agent service. The vulnerability has since been patched, but the incident showcases a broader lesson: services running on localhost should still enforce strong authentication and origin checks, as the browser places them within the web threat model.
Happenings
[Global] 10-Rated (Critical) Cisco SD-WAN Authentication Bypass Vulnerability
The US Cybersecurity & Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have issued warnings regarding the active exploitation of a critical vulnerability affecting Cisco Software-Defined Wide Area Network (SD-WAN) infrastructure. The vulnerability, tracked as CVE-2026-20127, carries a CVSS score of 10 (the highest rating) and allows unauthenticated attackers to bypass authentication mechanisms and gain administrative access to affected Cisco SD-WAN controllers. The flaw impacts Cisco Catalyst SD-WAN Manager (vManage) and related control-plane components. The flaw arises due to improper validation in the SD-WAN management plane authentication process, enabling a remote attacker to send specially crafted requests that bypass authentication controls, with successful exploitation allowing attackers to access administrative interfaces and manipulate the SD-WAN fabric.
Security researchers observed that attackers could use the vulnerability to introduce rogue devices into the SD-WAN network, modify configuration settings, and establish persistent access to network infrastructure. Because SD-WAN controllers manage connectivity between distributed enterprise sites, compromise of these systems may allow attackers to intercept, redirect, or disrupt network traffic across multiple locations. In real world observed attack scenarios, the vulnerability has been chained with CVE-2022-20775, a separate privilege escalation flaw, to allow attackers to escalate access from administrative privileges to root-level control of the system.
Due to confirmed exploitation activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued alerts and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, pushing private organisations and requiring federal agencies to apply Cisco’s security updates and implement recommended mitigations.
[NZ] MediMap Patient Portal Breached
Following the late 2025 breach of Manage My Health, New Zealand prescription and medication platform MediMap experienced a breach that left user information meddled with and incorrect. Attackers managed to access the application and troll user by changing the status or details of patients, including the changing of names or updating patient status to ‘deceased’ – along with exfiltrating sensitive patient information.
The attack caused the platform to be taken offline from February 22, with restoration beginning in early March which includes the manual validation of data to verify its accuracy following the changes made during the attack. Taking the platform offline has caused disruption to GPs and pharmacies alike. MediMap stated that this was not a cyber attack that allowed the attackers to access the platform, but was instead the attacker using legitimate login credentials that were still stolen – something that would definitely be classified as a cyberattack by the security community.
Given this occurred in close proximity to the Manage My Health breach, public scrutiny on cybersecurity is now increasing for digital healthcare providers and data holders within New Zealand and globally. The New Zealand Health Minister has commissioned a review into the Manage My Heath incident that occurred which will also look more broadly at the security and data protection measures taken by other private companies including MediMap. It will be interesting to see what recommendations come from this report and if the government takes any steps towards mandating security controls or compliance standards for healthcare data.
[Global] Gemini API Keys Quietly Becoming Sensitive Credentials
Security researchers have raised concerns about Google API keys after discovering that enabling the Gemini API in a Google Cloud project can unintentionally expand the privileges of existing keys. Google API keys have traditionally been used as simple project identifiers for services such as Maps or Analytics, and it has been common practice for developers to include them in front-end code or public repositories.
However, once the Gemini or Generative Language APIs are enabled in a project, those same keys may be able to authenticate requests to Gemini endpoints. Researchers scanning public codebases identified thousands of expose keys embedded in websites and client-side applications that could potentially be abused to generate AI queries at the project owner’s expense.
This issue highlights how platform changes can alter the security expectations around existing credentials. Organisations using Google Cloud should review projects where Gemini has been enabled and audit any historical API keys that may have been publicly exposed. Rotating older keys and restricting them to specific APIs or domains can help reduce the risk of misuse if a key has been inadvertently published.
[Global] VMware ESXi Flaw Exploited in the Wild
US Cybersecurity & Infrastructure Security Agency (CISA) identified active exploitation of a critical VMware ESXi vulnerability, CVE-2025-22225, which has been leveraged by threat actors in ransomware campaigns in the wild. The vulnerability affects VMware’s ESXi hypervisor platform and allows attackers to escape the virtual machine sandbox and gain access to the underlying host system.
The vulnerability is classified as an arbitrary memory write vulnerability within the VMX process, the component responsible for managing virtual machines. By exploiting this flaw, attackers with access to a virtual machine can manipulate memory and potentially execute code on the ESXi host, effectively breaking isolation between virtual machines and the hypervisor, allowing attackers to compromise the broader virtualised environment.
Hypervisors such as ESXi are particularly attractive targets because they often host multiple virtual machines that support critical business systems. Successful exploitation of the hypervisor can allow attackers to disrupt or encrypt multiple systems simultaneously, significantly amplifying the operational impact of an attack. Organisations running affected VMware ESXi versions have been strongly advised to apply vendor patches immediately, restrict administrative access to hypervisor infrastructure, and monitor for suspicious activity involving virtual machine management processes.
[Global] UnitedHealth Group – Embattled Giant Under Attack Again
In February 2026, Change Healthcare, a healthcare technology and payments platform owned by UnitedHealth Group, was a victim of ransomware activity linked to the ALPHV / BlackCat cybercriminal group. The incident disrupted critical services across the U.S. healthcare sector, affecting hospitals’ ability to process insurance claims, manage billing operations, and support prescription services. As one of the largest healthcare clearinghouses in the United States, Change Healthcare processes eligibility checks, claims, and payments between providers, insurers, and pharmacies, meaning outages had a cascading impact across the healthcare ecosystem. The attackers reportedly gained access to internal systems and deployed ransomware that encrypted infrastructure supporting payment and administrative healthcare functions, and involved the theft of sensitive data, including medical and personal information, with reports indicating that over 100 million individuals may have been affected. UnitedHealth Group reportedly paid a ransom of approximately $22 million USD in an effort to restore operations and limit further data exposure.
The incident caused significant operational disruption nationwide, with healthcare providers experiencing delays in claims processing, insurance verification, and prescription handling while systems were restored. Given the central role Change Healthcare plays in processing healthcare transactions, the disruption highlighted the systemic risk posed by attacks on large healthcare technology intermediaries. This breach occurred against a backdrop of previous cybersecurity incidents affecting UnitedHealth Group and its subsidiaries, including the 2024 Change Healthcare breach, which ultimately impacted nearly 190 million individuals, and the 2025 Episource data breach affecting approximately 5.4 million people. These earlier incidents had already placed the organisation under increased regulatory and congressional scrutiny, with lawmakers raising concerns about the cybersecurity resilience of large healthcare technology providers responsible for managing sensitive medical and financial data at national scale.