Wednesday War Room – 02/18/2026

This Wednesday's threat landscape says it loud: attackers are living off your trust boundaries.

Author

J.W. Croley
February 18, 2026

In partnership with

Attio is the AI CRM for modern teams.

Connect your email and calendar, and Attio instantly builds your CRM. Every contact, every company, every conversation, all organized in one place.

Then Ask Attio anything:

  • Prep for meetings in seconds with full context from across your business

  • Know what’s happening across your entire pipeline instantly

  • Spot deals going sideways before they do

No more digging and no more data entry. Just answers.

Browsers, endpoints, firmware, update channels, and “helpful” AI tooling are all getting treated like straight-line access paths.

Let’s dive in.

CISA Adds Four Actively Exploited Vulns to KEV

Risk Level: Critical

Business Impact: Confirmed exploitation plus “patch-now” urgency. If any of these are in your stack, your exposure is not theoretical.

What You Need to Know: CISA added four vulnerabilities to the Known Exploited Vulnerabilities alert based on evidence of active exploitation, with a plain-English breakdown and affected products summarized in the CISA KEV update coverage.

Why This Matters:

  • “KEV” is the closest thing we get to a government-issued “people are getting owned by this right now” label.

  • These additions often trigger rapid scanning waves, especially against exposed services and common enterprise stacks.

  • KEV items routinely show up in real incidents because patch latency is predictable, and attackers plan around it.

Executive Actions:

🚨 Identify whether any KEV-listed products exist in your environment and prioritize remediation today.

🩹 Patch or mitigate with compensating controls when patching is not immediately possible.

🔒 Reduce exposure: restrict management interfaces, tighten allowlists, and remove unnecessary internet reachability.

🕵️ Hunt for exploitation indicators on systems that were unpatched during the at-risk window.

Chrome Zero-Day Patched After In-The-Wild Exploitation

Risk Level: Critical

Business Impact: Browser exploitation can enable code execution, credential theft, session hijack, and rapid initial access across high-value user populations.

What You Need to Know: Google pushed an emergency Chrome update fixing the first exploited Chrome zero-day of 2026, tracked as CVE-2026-2441.

Why This Matters: 

  • The browser is the front door for almost every role, including execs and admins.

  • Exploited zero-days plus delayed patching equals “one bad click” becoming “whole fleet risk.”

  • Browsers are also where sessions live, so token theft becomes the real prize.

Executive Actions: 

🧩 Force Chrome updates enterprise-wide and validate version compliance, not just “auto-update enabled.”

🔐 Tighten browser policy: restrict extensions, block risky download types, and enforce safe browsing controls.

🧠 Remind users that “legit site” does not mean “safe session” when browsers are being actively targeted.

🔎 Monitor for suspicious browser-spawned process trees and abnormal credential access patterns post-browse.

Chinese State-Linked Actors Exploiting a Dell Zero-Day Since Mid-2024

Risk Level: High

Business Impact: Quiet exploitation of enterprise hardware/software paths can enable durable access, credential theft, and stealthy persistence in high-value environments.

What You Need to Know: Reporting indicates suspected China-aligned actors have been exploiting a critical Dell vulnerability in zero-day attacks, with details in the Dell zero-day exploitation report.

Why This Matters: 

  • Long-running exploitation suggests mature tradecraft and high confidence in evasion.

  • Dell's presence is common, which increases the odds of broad targeting and opportunistic scanning.

  • “State-backed” usually means patience, stealth, and follow-on targeting beyond the initial foothold.

Executive Actions: 

🧯 Inventory Dell products and affected components quickly, then prioritize patching and configuration hardening.

🔒 Restrict admin and management-plane access paths to trusted networks only.

🕵️ Threat hunt for persistence and credential access on systems tied to endpoint management and admin workflows.

📊 Require confirmation of remediation by the asset owner, not just “we pushed patches.”

Leadership Insight:

This 48-hour window is the same strategic lesson from multiple angles: the attacker is not “breaking in” so much as walking through the systems we over-trust. 

Browsers, firmware update chains, vendor management planes, and developer ecosystems are all becoming primary access paths because they are predictable, widely deployed, and often poorly governed.

The winning posture in 2026 is speed plus guardrails:
Patch faster than exploitation waves, reduce exposure by default, and treat anything that touches identity or automation like privileged infrastructure.

Write PRDs and tests by voice

Dictate PRDs, acceptance tests, and bug reproductions inside Cursor or Warp and get paste-ready text. Wispr Flow auto-tags file names and preserves variable names so your technical writing stays precise. Try Wispr Flow for engineers.

Figure Technology Breach Impacts Nearly 1 Million Accounts

Risk Level: High

Business Impact: Exposure of customer and contact data increases fraud risk, account takeover attempts, and reputational damage.

What You Need to Know: Figure disclosed that attackers stole personal and contact information, impacting nearly one million accounts, per the Figure breach report.

Why This Matters:

  • Breach data becomes fuel for highly convincing phishing, fraud, and identity-based attacks.

  • Customer-impacting incidents rapidly become regulatory and brand problems, not just IT problems.

  • Even “basic PII” enables downstream compromise when combined with credential stuffing and social engineering.

Executive Actions: 

📣 Prepare comms, fraud, and support playbooks for a spike in targeted scams and account takeover attempts.

🔐 Enforce stronger authentication and step-up verification for sensitive customer actions.

🔍 Increase monitoring for credential stuffing, abnormal password resets, and suspicious login patterns.

🧾 Validate data access logging and export controls so you can prove scope fast when it matters.

Keenadu Firmware Backdoor Embedded via Signed Updates

Risk Level: High 

Business Impact: Firmware-level compromise can enable deep persistence, data collection, and remote control that survives normal app reinstalls and some device resets.

What You Need to Know: Kaspersky detailed an Android backdoor called Keenadu embedded in device firmware and distributed via signed OTA updates, with coverage in the Keenadu firmware backdoor report and additional technical summary in the Keenadu OTA update analysis.

Why This Matters: 

  • Firmware backdoors are a different class of problem: harder to detect, harder to remove, longer dwell time.

  • Mobile compromise is identity compromise because phones handle MFA prompts, email, and sensitive apps.

  • Supply chain contamination means “trusted updates” can become the delivery mechanism.

Executive Actions:

📱 Enforce MDM for any device that accesses corporate resources, including baseline security posture checks.

🔐 Require phishing-resistant MFA for privileged access and high-impact workflows.

🧹 Block unknown/unmanaged devices from accessing sensitive apps and internal resources.

🔎 Add mobile incident procedures: device isolation, token/session invalidation, and credential resets.

SmartLoader Uses Trojanized “Oura MCP Server” to Drop StealC

Risk Level: High 

Business Impact: Trojanized developer tooling and fake repos can deliver infostealers, leading to credential theft, session hijack, and rapid lateral movement.

What You Need to Know: Researchers described a SmartLoader campaign using a trojanized Oura MCP server distributed via fake GitHub forks to deliver StealC, per the SmartLoader trojanized MCP server report.

Why This Matters: 

  • Fake repos plus AI-lure packaging scales supply chain attacks into developer populations fast.

  • Infostealers are designed to harvest what matters: browser sessions, passwords, and crypto wallet data.

  • One dev endpoint compromise can become CI/CD compromise if tokens and secrets are exposed.

Executive Actions:

💎 Implement repository and package hygiene: allowlists, publisher verification, and approval workflows.

🔑 Rotate developer tokens regularly and reduce token scope and lifetime wherever possible.

🧪 Monitor for infostealer behaviors: credential store access, unusual browser data reads, and suspicious outbound beacons.

🧱 Segment dev tooling from production access paths and restrict what build runners can reach.

⚙️ Immediate Leadership Checklist ⚙️

🩹 Emergency patch the exploited items first (Chrome zero-day, KEV additions, vendor management planes) and verify compliance within 48 hours

🔒 Remove direct internet exposure from admin consoles and management interfaces, restrict by allowlist/VPN

📱 Treat mobile as identity: enforce MDM posture gates and strengthen MFA for sensitive workflows

💎 Lock down developer supply chain risk: repo policy, package allowlists, token scope reduction, and segmentation

🕵️ Hunt on the lagging systems: unpatched hosts, suspicious browser activity, infostealer indicators, and unexpected config changes

💡 If your security program still assumes “trusted by default,” the attacker is already writing your next incident timeline for you. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

6 Predictions Every CX Leader Should Know

AI is redefining how customer conversations are designed, operated, and improved.

This guide outlines six shifts that will shape enterprise CX in 2026 — and what leaders need to rethink now.