Fail-Safe Friday - Executive Action Brief

February 06, 2026

In the last ~48 hours, three developments should drive your weekend posture: (1) researchers uncovered a supply-chain attack that compromised dYdX packages on npm and PyPI to inject wallet stealers and RATs; (2) APT28 (Fancy Bear) is exploiting a recently patched Microsoft Office zero-day (CVE-2026-21509) in active campaigns against government and related sectors; and (3) exploitation of the Fortinet FortiCloud/FortiOS SSO authentication bypass (CVE-2026-24858) continues and remains on defender radars.

Priorities: audit your open-source dependencies, enforce Office zero-day patches across fleets, and maintain SSO/admin plane hygiene and isolation in Fortinet environments.
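One concrete form of the dependency audit named above, as an added example that is not part of the brief: it checks a pinned requirements.txt and an npm package-lock.json (lockfile v2/v3) against a denylist of compromised package versions, and separately lists npm packages that declare install-time scripts. The denylist entries, package names, versions and file bodies are all constructed placeholders; the real advisory values for the dYdX packages are not reproduced here.

```python
"""Added example, not from the brief: audit a requirements.txt and an npm
package-lock.json (lockfile v2/v3) against a denylist of compromised package
versions, and list npm packages that run install-time scripts. Every package
name, version and file body below is a constructed placeholder."""
import json
import re

# Constructed denylist: ecosystem -> package -> compromised versions.
# A real audit would take these from the advisory; these names are placeholders.
DENYLIST = {
    "pypi": {"example-wallet-sdk": {"1.4.2", "1.4.3"}},
    "npm": {"@example/wallet-sdk": {"3.0.1"}},
}

# Matches pinned lines such as: Name_Pkg==1.2.3 ; python_version>='3.9'  # comment
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_pypi_name(name):
    """PEP 503 normalisation: case-fold and collapse runs of . _ - into one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (name, version) pairs from requirements.txt that are denylisted."""
    hits = []
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue  # unpinned, comment, blank or VCS lines are not checked here
        name, version = normalize_pypi_name(m.group(1)), m.group(2)
        if version in DENYLIST["pypi"].get(name, set()):
            hits.append((name, version))
    return hits


def audit_package_lock(text):
    """Return (denylisted, with_install_scripts) for an npm lockfile v2/v3.

    "hasInstallScript" is the lockfile field npm sets on packages that declare
    preinstall/install/postinstall scripts, a common place for malicious code."""
    lock = json.loads(text)
    denied, scripted = [], []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        version = meta.get("version", "")
        if version in DENYLIST["npm"].get(name, set()):
            denied.append((name, version))
        if meta.get("hasInstallScript"):
            scripted.append((name, version))
    return denied, scripted


# Constructed sample files (placeholders, not real project manifests).
REQUIREMENTS = """\
requests==2.32.3
Example_Wallet.SDK==1.4.2 ; python_version >= "3.9"
# pinned elsewhere
numpy>=1.26
"""

PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad-demo": {"version": "1.0.0"},
        "node_modules/@example/wallet-sdk": {"version": "3.0.1", "hasInstallScript": True},
        "node_modules/@example/wallet-sdk/node_modules/tiny-helper": {"version": "0.2.0", "hasInstallScript": True},
    },
})

if __name__ == "__main__":
    print("PyPI denylist hits:", audit_requirements(REQUIREMENTS))
    denied, scripted = audit_package_lock(PACKAGE_LOCK)
    print("npm denylist hits:", denied)
    print("npm packages with install scripts:", scripted)
```

Unpinned Python requirements are deliberately skipped rather than guessed at; in practice run this against a fully resolved lockfile (pip freeze output, Poetry or uv lock) so every installed version is actually compared.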

📊 Executive Threat Heatmap 📊

Top-level takeaways this week:

  • Supply-Chain & Dev Ecosystem Exposure ↑ - Compromised developer packages enabling credential theft and RCE.

  • Exploit & Zero-Day Velocity ↑ - APT28 leveraging a Microsoft Office zero-day that was just patched.

  • Identity & Edge Exposure (Persistent) - Fortinet SSO bypass continues to demand immediate operational attention.

🚨 Late-Breaking Threats (last 7-10 days) 🚨

1) OpenClaw token theft → RCE bug fixed in v2026.1.29 – High

What changed: Security researchers disclosed that a critical OpenClaw vulnerability (CVE-2026-25253) enabling one-click RCE via token theft and WebSocket hijack was fixed in version 2026.1.29, released Jan 30. It remains relevant because patch adoption lags and indicators of active exploitation have surfaced.

Why this matters: Token theft with subsequent remote execution undermines trust for developers and automated agents, adding stealthy platform compromise risk.

2) Microsoft Office zero-day exploitation by APT28 – High

What changed: APT28 (Fancy Bear) actors are leveraging a recently patched Microsoft Office zero-day vulnerability to bypass defenses in targeted attacks, with Ukrainian CERT and CISA urging immediate patching.

Why this matters: Office files remain a top initial access vector; active exploitation of a recent zero-day means unpatched hosts are high-value targets for credential theft and lateral pivot.

3) Infy resume operations with new C2 servers – Medium-High

What changed: Observations show renewed activity by the Infy threat actor, with fresh C2 infrastructure established Jan 26–27, indicating evolved persistence and possibly broadened targeting.

Why this matters: State-backed crews with infrastructure refreshes often conduct long-term reconnaissance and credential harvesting; defenders should treat renewed C2 activity as elevated persistence risk.

4) Fortinet FortiCloud/FortiOS SSO bypass – High

What changed: Active exploitation of, and guidance around, the Fortinet FortiCloud SSO auth bypass remain relevant; this critical bypass allows administrative login via FortiCloud SSO without multi-factor checks when the admin path is exposed.

Why this matters: Admin-plane takeover risks perimeter compromise, config exfiltration, and policy manipulation; treat exposed admin surfaces as critical control failures.

πŸ› οΈ Pattern & TTP Summary πŸ› οΈ

Stage | Vector / System | Activity Observed
Initial Access | Office document lure + token theft vectors | Office zero-day opens classic email/file attack paths; token theft (OpenClaw) enables silent session capture.
Privilege & Persistence | C2/SSO abuse | Infy C2 refresh and SSO bypass erode admin trust boundaries.
Impact | Credential theft + policy compromise | Combined vectors accelerate escalation and lateral movement.

✅ Fail-Safe Checklist (before COB) ✅

🔄 Patch & Hardening

  • Office zero-day: Deploy patches for CVE-2026-21509 to all endpoints; block risky attachment types and enforce detonation at mail/web gateways.

  • OpenClaw: Upgrade to v2026.1.29; rotate any exposed tokens and invalidate stale sessions.

  • Fortinet SSO: Harden and isolate FortiCloud SSO admin planes; restrict to VPN/JIT allow-lists; audit for rogue admin accounts.

πŸ§‘β€πŸ’» People & Monitoring

  • Office/email: Alert on Word/Excel spawning scripting hosts without user interaction; correlate unusual open/download events across executive groups.

  • Dev/infra tooling: Detect unexpected token access patterns or token exchanges outside authorized flows.

  • Network: Flag infrequent C2 beacon signatures and correlate with rare ASN endpoints.

  • Admin planes: Monitor for Fortinet admin logins that are anomalous in time or location; detect config pushes outside CAB windows.

📋 Process

  • Change freeze on admin planes and major tooling unless CISO-approved and logged.

  • Tabletop (30 min): “Initial access via Office → token theft → SSO/admin pivot.”

🤝 Partners

  • MSP/Network: confirm Fortinet and Office patch coverage; audit logs for anomalies.

  • Platform/SRE: attest OpenClaw version rollouts and revocation of exposed tokens.

πŸ•΅οΈ Detection Opportunities πŸ•΅οΈ

Office file trails: Office spawns to PowerShell/COM objects without macro triggers.

Token misuse: Sudden session token reuse across disparate hosts or UAT/production environments.

C2 traffic: Beaconing to uncommon ports/ASNs from development or admin VLANs.

SSO anomalies: Fortinet SSO assertion mismatches vs IdP logs.
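Two of the detections above (the Office-to-scripting-host spawn from the People & Monitoring checklist, and session token reuse across disparate hosts) worked through as an added example that is not part of the brief. The event field names (parent_image, image, token_id, host, ts) are assumptions standing in for whatever your EDR and auth logs actually emit, and every sample event is constructed.

```python
"""Added example, not from the brief: toy detections for two of the opportunities
listed above (Office apps spawning scripting hosts, and one session token reused
across disparate hosts). Event field names and all sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawn_alerts(events):
    """Return process-creation events where an Office app is the parent of a scripting host."""
    return [e for e in events
            if _basename(e["parent_image"]) in OFFICE_PARENTS
            and _basename(e["image"]) in SCRIPT_HOSTS]


def token_reuse_alerts(sessions, window=timedelta(minutes=10), max_hosts=1):
    """Flag a session token presented from more than max_hosts distinct hosts within window."""
    by_token = defaultdict(list)
    for s in sessions:
        by_token[s["token_id"]].append(s)
    alerts = []
    for token, uses in by_token.items():
        uses.sort(key=lambda u: u["ts"])
        for i, first in enumerate(uses):
            # hosts that presented this token within `window` of this observation
            hosts = {u["host"] for u in uses[i:] if u["ts"] - first["ts"] <= window}
            if len(hosts) > max_hosts:
                alerts.append({"token_id": token, "hosts": sorted(hosts),
                               "first_seen": first["ts"]})
                break  # one alert per token is enough
    return alerts


# Constructed sample process-creation events (not real telemetry).
T0 = datetime(2026, 2, 6, 9, 0, 0)
PROC_EVENTS = [
    {"ts": T0, "host": "wks-07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": T0 + timedelta(seconds=40), "host": "wks-07",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": T0 + timedelta(minutes=3), "host": "wks-12",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe"},  # print helper; a benign Office child
]

# Constructed session-token observations from a hypothetical auth/proxy log.
SESSION_EVENTS = [
    {"ts": T0, "token_id": "tok-A", "host": "wks-07"},
    {"ts": T0 + timedelta(minutes=2), "token_id": "tok-A", "host": "build-01"},
    {"ts": T0 + timedelta(minutes=1), "token_id": "tok-B", "host": "wks-12"},
    {"ts": T0 + timedelta(minutes=4), "token_id": "tok-B", "host": "wks-12"},
]

if __name__ == "__main__":
    for a in office_spawn_alerts(PROC_EVENTS):
        print(f"[office-spawn] {a['host']}: {_basename(a['parent_image'])} -> {_basename(a['image'])}")
    for a in token_reuse_alerts(SESSION_EVENTS):
        print(f"[token-reuse] {a['token_id']} seen from {a['hosts']} within 10 min of {a['first_seen']}")
```

The Office rule matches only on parent/child image names, which is why the benign splwow64.exe child is not flagged; in production you would also carry the command line and the originating document path into the alert so triage can tell a macro-less exploit chain from an analyst's own script.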

📈 Risk Outlook 📈

Overall: High for Office zero-day exploitation and Fortinet SSO bypass in exposed environments; Medium-High for token theft (OpenClaw) and renewed state-actor C2 persistence.

📌 Key Leadership Takeaways 📌

Your perimeter “admin path” is as valuable as your endpoint fleet - lock it down.

Zero-day exploitation in email/file workflows remains a top initial access route.

Token theft and C2 resurgence highlight persistence - detect, respond, and rotate.

📋 Immediate Leadership Checklist 📋

🔄 Verify: Office patch coverage and risky attachment blocks.

📊 Validate: OpenClaw upgrades and token rotations.

💼 Confirm: Fortinet SSO admin gating and recent logs.

🔹 Double-check: Monday tabletop - “Email → token capture → admin pivot.”

Final Insight: Across these vectors, the shortest path from compromise to deep persistence is through trusted credentials and admin planes rather than exotic exploits.

Fix them first and prove closure today, not tomorrow, because attackers don’t need novelty when our foundations are familiar and exposed.
