Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways
In reaction to the recent CVE-2026-25253, the research team analyzed how this vulnerability appears in real-world deployments and what could be identified at internet scale using Hunt[.]io. The analysis focused on internet-exposed browser automation frameworks affected by CVE-2026-25253, including OpenClaw and its forks Clawdbot and Moltbot, which expose web-based control interfaces that store API credentials for multiple AI services. When deployed without proper access controls, these interfaces are directly reachable from the public internet.
Source: Hunt.io
New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser-based social engineering combined with living-off-the-land binaries and Python-based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour-based detection and user awareness critical.
Source: Microsoft Security Blog
Brew Hijack: Serving Malware Over Homebrew’s Core Tap
Most of the time, when software is installed, the download is assumed to be secure due to HTTPS and checksum verification. However, research revealed that within Homebrew’s core cask system, some packages are downloaded over plain HTTP without integrity verification. Twenty casks in the official tap were found vulnerable to trivial man-in-the-middle attacks, allowing attackers on the network path to replace legitimate payloads with malware.
Source: Koi.ai
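The weakness described above is visible in the cask definition itself: a plain `http://` download `url`, or `sha256 :no_check` in place of a pinned digest. The following is an added example, not code from Koi.ai or from the Homebrew project, that audits cask sources for exactly those two conditions; the sample casks are constructed for the demo and are not real packages.

```ruby
# Added example: audit Homebrew cask DSL text for insecure download paths.
# A cask pins its payload with `url "..."` and `sha256 "<hex>"`; the two
# conditions flagged here are a plain-HTTP url (tamperable on the network
# path) and `sha256 :no_check` (no integrity verification at all).

CaskFinding = Struct.new(:token, :http_url, :no_check, keyword_init: true) do
  # A cask is risky if either condition holds; both together is worst.
  def risky?
    http_url || no_check
  end
end

def audit_cask(source)
  token = source[/^\s*cask\s+"([^"]+)"/, 1] || "unknown"
  url   = source[/^\s*url\s+"([^"]+)"/, 1]
  CaskFinding.new(
    token:    token,
    http_url: !url.nil? && url.start_with?("http://"),
    no_check: source.match?(/^\s*sha256\s+:no_check\b/)
  )
end

# Returns the tokens of every cask in the hash that fails the audit.
def risky_casks(casks)
  casks.values.map { |src| audit_cask(src) }.select(&:risky?).map(&:token)
end

# Constructed sample casks (hypothetical tokens and URLs, not real packages).
SAMPLE_CASKS = {
  "safe-app" => <<~'CASK',
    cask "safe-app" do
      version "1.2.3"
      sha256 "0000000000000000000000000000000000000000000000000000000000000000"
      url "https://downloads.example.com/safe-app-#{version}.dmg"
    end
  CASK
  "http-app" => <<~'CASK',
    cask "http-app" do
      version "2.0"
      sha256 "1111111111111111111111111111111111111111111111111111111111111111"
      url "http://downloads.example.com/http-app-#{version}.zip"
    end
  CASK
  "nocheck-app" => <<~'CASK',
    cask "nocheck-app" do
      version :latest
      sha256 :no_check
      url "https://downloads.example.com/nocheck-app.dmg"
    end
  CASK
}
```

Running `risky_casks(SAMPLE_CASKS)` over a checkout of the core cask tap (one file per cask) gives a defender the list of packages whose installs cannot be trusted end to end.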
React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry shows that two IP addresses now account for 56% of observed exploitation attempts, down from more than a thousand unique sources. One source deploys cryptomining payloads, while the other opens reverse shells directly to the scanner IP, highlighting distinct post-exploitation behaviours.
Source: GreyNoise
Flickr Security Incident Tied to Third-Party Email System
Flickr has notified users of a security incident involving a third-party email service provider that exposed personal information. The company stated that a vulnerability in the provider’s system may have allowed unauthorized access to member data. Exposed information includes names, email addresses, usernames, account types, IP addresses, general location data, and Flickr activity details. Access to the affected system was shut down within hours of discovery.
Source: SecurityWeek
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC