Cisco SD-WAN Bypass, ManoMano Breach & AI-Fueled Exploit Surge



It’s a Paper Trail for the week ending in Feb 28, 2026, and we’ll cover what happened last week in the Information Security space.

Last Week, in Review

  • Critical authentication bypass vulnerability – CVE-2026-20127 – in Cisco SD-WAN, with exploitation dating back to 2023, allows an unauthenticated adversary to fully compromise controllers, obtain administrative privileges, and potentially manipulate network configuration. The vulnerability falls under the patch NOW category for organizations using Cisco SD-WAN products. [Cisco, The Hacker News]
  • Microsoft, in its recent Cyber Pulse Report, identified that over 80% of Fortune 500 companies have active AI agents built using low-code or no-code tools. It further highlighted that only 47% of the organizations have applied security controls to their GenAI platforms, and 29% of employees use non-approved agents at work. [Microsoft, Microsoft]
  • ManoMano – a European online marketplace – confirmed a data breach (allegedly) affecting approximately 38 million individuals (based on attacker claims and third-party reporting) across France, Germany, Italy, Spain, and the United Kingdom. The breach was a result of a compromise of a customer service subcontractor – underscoring the importance of active risk management and governance practices across third- and fourth-party partnerships. [SecurityWeek, TechRepublic, SecurityAffairs]
  • VEIR identified that year-over-year tracked exploits rose by 16.5%, with a significant portion of the increase attributed to AI-generated proof-of-concept code, including nonfunctional or misleading exploit content. However, it was noted that only 1% of the reported vulnerabilities in 2025 were weaponized in the wild, with some driving outsized impact compared with others – highlighting the need to adopt risk-based remediation. [VulnCheck]

Pulse

Qrator Labs identified a C++ botnet loader for Windows operating system – Aeternum C2 – that uses smart contracts hosted on the Polygon blockchain to fetch instructions instead of the traditional approach of loading the information from hardcoded IP(s) and/or domain(s) of centralized command-and-control infrastructure, requiring a shift in how security operation teams think about prevention. [HackRead, Qrator Labs, Cyber Security News]
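A loader that reads its tasking from a smart contract does so through ordinary JSON-RPC read calls to a chain node, so one defensive angle is to flag workstations that issue such calls when they have no business doing so. The following is an added example, not code from Qrator Labs or the original post; the proxy log format, hostnames, RPC endpoint and allowlist are constructed assumptions.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (hypothetical format): ts host dst http_method body
SAMPLE_LOGS = [
    '2026-02-24T09:01:11Z ws-fin-07 rpc.example-polygon.net POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xabc","data":"0x6d4ce63c"},"latest"]}',
    '2026-02-24T09:01:12Z ws-fin-07 cdn.example.com GET -',
    '2026-02-24T09:02:30Z dev-build-02 rpc.example-polygon.net POST {"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}',
    '2026-02-24T09:03:05Z hr-laptop-19 rpc.example-polygon.net POST {"jsonrpc":"2.0","id":2,"method":"eth_getLogs","params":[{"address":"0xdef"}]}',
]

# Ethereum JSON-RPC methods used to read state or events from a contract.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt", "eth_getCode"}
# Hosts expected to talk to chain RPC nodes (constructed allowlist, e.g. blockchain dev builders).
ALLOWED_HOSTS = {"dev-build-02"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


@dataclass
class Alert:
    ts: str
    host: str
    dst: str
    rpc_method: str
    contract: str  # contract address the call targets, if present in params


def detect(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return an Alert for every contract-read JSON-RPC call from a non-allowlisted host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, dst, http_method, body = m.groups()
        if http_method != "POST" or host in allowed_hosts:
            continue
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            continue  # not a JSON body, so not a JSON-RPC call
        if payload.get("jsonrpc") != "2.0" or payload.get("method") not in READ_METHODS:
            continue
        params = payload.get("params") or []
        contract = ""
        if params and isinstance(params[0], dict):
            contract = params[0].get("to") or params[0].get("address") or ""
        alerts.append(Alert(ts, host, dst, payload["method"], contract))
    return alerts
```

Running `detect(SAMPLE_LOGS)` flags the finance and HR workstations but not the allowlisted build host, and the contract address in each alert is the pivot for hunting other callers of the same contract.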

ReversingLabs discovered a malicious NuGet package – StripeApi[.]Net – impersonating Stripe’s official .NET library, including the official package’s branding and readme, which was uploaded by a fake account on February 16. The package’s download count was artificially inflated to make it appear legitimate and instill developer trust in the package. [ReversingLabs, ReversingLabs, The Hacker News]

Orca Security disclosed a passive prompt injection vulnerability – RoguePilot – in GitHub Codespaces that could have allowed attackers to inject malicious Copilot instructions through GitHub issues, potentially leaking GITHUB_TOKEN credentials and enabling repository control. [SecurityWeek, Orca Security]

Fix-it Frank

Claude Code – a popular agentic coding platform by Anthropic – was found to allow adversaries to achieve remote code execution and steal API credentials through malicious project configurations when users clone and open untrusted repositories. Claude Code should be upgraded to v2.0.65 or later to address GHSA-ph6w-f82w-28w6 – affecting versions prior to 1.0.87, CVE-2025-59536 (September 2025) – affecting versions prior to 1.0.111 (October 2025), and CVE-2026-21852 – affecting versions prior to 2.0.65 (January 2026). [Check Point, The Hacker News]

Broadcom released patches for a high-severity command injection security vulnerability – CVE-2026-22719 – affecting VMware Aria Operations. VMware Cloud Foundation and vSphere Foundation should be upgraded to version 9.0.2.0 or later, and Aria Operations to version 8.18.6 or later. [SecurityWeek]

Juniper Networks issued an out-of-band emergency patch for a remote code execution vulnerability – tracked as CVE-2026-21902 – in Junos OS Evolved for PTX series routers. It affects the anomaly detection framework and can grant an unauthenticated adversary with network access the ability to execute arbitrary code with root privileges. [SecurityWeek, Juniper Networks]

The Fine Print

The Marquis Software Solutions v. SonicWall lawsuit alleges gross negligence and misrepresentation that led to a ransomware attack disrupting operations at 74 U.S. financial institutions. This could set an important precedent for security vendor accountability and may reshape vendor contract requirements, especially in regulated industries like financial services and healthcare. [Bleeping Computer, CyberPress, PacerMonitor]

Under the EU Cyber Resilience Act (CRA) – a regulation setting mandatory cyber security requirements for hardware and software makers placing a product on the European market – vulnerability reporting requirements take effect on September 11, 2026, with all obligations going into full effect by December 11, 2027. [ORC, VinciWorks, EU Commission]

State-specific comprehensive consumer privacy statutes expand to cover 20 states in the USA – with Kentucky, Rhode Island, and Indiana newly joining the list as of January 1, 2026 – while the Federal Trade Commission (FTC) issued a COPPA enforcement policy statement to incentivize responsible age-verification practices and signaled a COPPA Rule review regarding age verification mechanisms. [White & Case, Multistate]

The Bottom Line

The widening gap between AI adoption and AI governance, the shift toward blockchain-based C2 infrastructure, and supply chain attacks targeting both vendor partnerships and developer ecosystems all point to an attack surface expanding faster than most organizations can govern it. Meanwhile, the shifting legal and regulatory landscape signals that the consequences of falling behind may have a tangible impact on organizations.

Thanks for tuning in to this edition of Paper Trail. If you found this helpful, don’t forget to subscribe.