📖 4 min read

Chinese espionage operators have been inside Dell backup appliances since mid-2024 — using hardcoded credentials shipped by default. This week, researchers demonstrated a full repository takeover through GitHub Copilot via prompt injection. And Google patched Chrome's first zero-day of the year.

The thread: the fastest-growing attack surface in 2026 is anything that operates with delegated trust. Your backup tool, your developer assistant, your browser. Each granted elevated access by design. Each exploited through that exact grant.

Mandiant and Google's Threat Intelligence Group disclosed Tuesday that CVE-2026-22769, a maximum-severity hardcoded credential flaw in Dell RecoverPoint for Virtual Machines, has been exploited by Chinese espionage group UNC6201 since at least mid-2024. The vulnerability — hardcoded admin credentials for the Apache Tomcat Manager — lets an unauthenticated attacker gain root-level persistence remotely.

UNC6201 deployed webshells, then rotated to GRIMBOLT, a new C# backdoor compiled with native ahead-of-time compilation that's harder to reverse-engineer. They pivoted into VMware environments by creating "Ghost NICs" — temporary virtual network ports on ESXi servers — for silent lateral movement. CISA added it to the KEV catalog February 18 with a deadline of tomorrow. Source: Cybersecurity Dive / Google GTIG

🔐 CISO Take: If you're running RecoverPoint for VMs and haven't upgraded, treat this as potentially exposed. Upgrade to 6.0.3.1 HF1 immediately. Hunt for unauthorized WAR files in Tomcat Manager and monitor for C2 traffic to known UNC6201 infrastructure. Mandiant published YARA rules — use them.

💻 CIO Take: Hardcoded credentials in a backup appliance. Ask your team one question today: what other infrastructure tools ship with default or hardcoded credentials that we haven't changed? If your vendor security review doesn't catch hardcoded credentials in critical infrastructure, revisit your review criteria. Your DR platform shouldn't be a backdoor.

⚙️ CTO Take: The Ghost NIC technique is new. UNC6201 created temporary virtual network ports on ESXi hosts to pivot silently. If you're not monitoring vSwitch configuration changes on your hypervisors, add that to detection.

📡 Network signal: One IT Director at a construction company submitted this month: "How do we detect devices with default passwords?" That question just became a board-level conversation. CVSS 10. Hardcoded credentials. Eighteen months of undetected access.

The bottom line: CISA deadline is tomorrow. Patch RecoverPoint — then validate you're clean.

Orca Security disclosed this week that a passive prompt injection in GitHub Codespaces can give attackers full repository takeover through Copilot. An attacker embeds hidden instructions in a GitHub Issue. When a developer launches a Codespace from that issue, Copilot silently executes the malicious commands — exfiltrating the GITHUB_TOKEN secret and granting full access to the repository. No clicks required beyond opening the Codespace.

This comes on top of three command injection CVEs (CVE-2026-21516, CVE-2026-21256, CVE-2026-21523, all CVSS 8.8) patched in February's Patch Tuesday affecting GitHub Copilot, Visual Studio, and VS Code. Here's the uncomfortable math: AI agents inherit developer permissions. Developers inherit production permissions. Therefore AI agents inherit production permissions — and most organizations never explicitly granted that. It happened implicitly. When those agents can be hijacked via a hidden comment in a GitHub Issue, your deployment pipeline becomes an exfiltration channel. Source: Orca Security / Krebs on Security

🔐 CISO Take: Add AI developer tools to your threat model. Audit which repositories have Copilot enabled and what permissions those Copilot instances hold. Treat Copilot like any service account: scope access, log activity, review quarterly.

💻 CIO Take: Your developers have API keys, cloud credentials, and production access. If their AI assistant can be hijacked via a GitHub Issue, that's a supply chain risk. Push the February Patch Tuesday update to all developer workstations this week.

⚙️ CTO Take: Review your Codespaces security configuration. Disable auto-trust for AI agents processing external content. The Orca research shows that hidden HTML comments in GitHub Issues are processed by Copilot — your code review tools won't catch what your AI assistant is executing.

📡 Network signal: AI governance mentions in member submissions nearly tripled from Q4 to Q1. Leaders aren't asking "should we use AI?" anymore. They're funding visibility tools to answer "what is it doing?"

The bottom line: AI agents inherit production permissions. That's a control plane — and now an attack plane.

Google released an emergency Chrome update on February 14 to patch CVE-2026-2441, a high-severity use-after-free vulnerability in the browser's CSS engine. Actively exploited in the wild. CISA added it to the KEV catalog on February 17 with a March 10 deadline.

The flaw lets a remote attacker execute arbitrary code within the browser sandbox via a crafted HTML page. It affects all Chromium-based browsers: Chrome, Edge, Opera, Vivaldi. Vivaldi and Opera have already shipped fixes. Source: SecurityWeek

🔐 CISO Take: Verify Chrome auto-updates are working across your fleet. Check that managed browsers are on version 145.0.7632.75 or later. Don't forget Edge — it shares the same engine and needs the same fix.

💻 CIO Take: If you manage a browser allow-list, confirm all Chromium-based browsers are covered by your patch policy.

The bottom line: Update Chrome, Edge, and every Chromium browser. The exploit is live.

This week's signal: leaders can't see what their AI tools are doing — and they know it.

AI governance mentions in member submissions nearly tripled from Q4 2025 to Q1 2026. Six months ago, this barely registered. Now nearly 1 in 12 submissions in the last 30 days reference AI visibility, monitoring, or policy enforcement — and leaders are actively taking meetings with vendors in this space.

"We have no good way today to see how AI is being used and what data is being pasted into AI sites, and we know we should." — Director, Network Services & Security, Global Law Firm

That's the gap the Copilot vulnerabilities exploit. When AI tools operate with developer-level access and no audit trail, prompt injection isn't theoretical. It's an exfiltration channel security teams can't see.

Does your team treat AI developer tools as service accounts — with scoped access and audit logs? Or are they running with whatever permissions the developer has? If this conversation hasn't started in your org yet, it will this quarter. Reply and tell me where you are.

5,000+ senior IT leaders at companies averaging $24B in revenue sharing real buying-motion data. Not surveys. Not analyst projections. What operators are actually purchasing, replacing, and escalating. Apply to Join →