AI in Cybersecurity: Anthropic Launches Claude Code Security; AI-Augmented Attacks Target FortiGate; Cline Supply Chain Compromise Installs OpenClaw

Late last week, Anthropic began rolling out Claude Code Security to a limited group of enterprise and team customers. The new feature can scan software codebases, detect vulnerabilities, and suggest fixes. The announcement appears to have caused concern among investors; some cybersecurity stocks fell several points on Friday. As described by Anthropic, Claude Code Security "scans codebases for security vulnerabilities and suggests targeted software patches for human review." Users can join a waitlist for access to Claude Code Security. Scope of use terms require that users "will only use Claude Code Security to scan code that [their] company owns and to which [their] company holds all necessary rights to scan." They are prohibited from using "Claude Code Security to scan code owned by or licensed from third parties, including but not limited to open source projects or repositories other than those included in [their] company's codebase(s)."

"It’s like an AI-powered assembly line for cybercrime, helping less skilled workers produce at scale." Amazon Threat Intelligence has observed attacks leveraging commercial generative AI services to breach more than 600 FortiGate firewalls worldwide between January 11 and February 18, 2026. The campaign was "consistent with pre-ransomware operations" and relied on AI to scale up attacks "exploiting exposed management ports and weak credentials with single-factor authentication" rather than targeting FortiGate vulnerabilities. Amazon believes the threat actor to be opportunistic, financially motivated, unaffiliated with known threat groups, and low in technical skill, focusing on a high volume of well-known attack techniques and simply moving on from any targets with hardened defenses. Operational security failures revealed the threat actor's publicly accessible infrastructure containing "AI-generated attack plans, victim configurations, and source code for custom tooling" bearing idiosyncrasies and limitations of AI-generated code. The threat actor's initial access tools scanned for internet-exposed FortiGate management interfaces and attempted authentication with commonly reused credentials, seeking configuration files containing credentials and network information. Once inside a targeted network, the threat actor used "well-known open-source offensive tools," attempting to access credential databases, move laterally, and compromise backup infrastructure. The threat actor's own documentation confirms these attacks "largely failed when attempting to exploit anything beyond the most straightforward, automated attack paths." Amazon provides indicators of compromise and guidance for defense and mitigation, noting that as AI-augmented attacks increase, "strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators."

On February 17, 2026, the npm package for Cline CLI, an open-source terminal-based AI coding assistant with over five million installations, was compromised and modified to simultaneously and covertly install OpenClaw. Security researcher Adnan Khan discovered a prompt injection flaw in Cline's issue triage workflow (which itself is automated with Claude) in December 2025, warning of the risk of supply chain attack "if a threat actor were to obtain the production publish tokens." Despite over a month of attempts to contact Cline developers and executives, Khan received no response until after he publicly disclosed the flaw on February 9; the developers' patch was released an hour after Khan's disclosure. On February 10, Khan contacted the Cline team again after receiving an anonymous message that the sender had "obtained valid NPM and OpenVSX credentials for Cline." Although Cline developers rotated credentials the following day, they missed an exposed npm token that was then used on February 17 to publish Cline CLI 2.3.0, which contained one change: a post-install script installing OpenClaw. Khan suspects that his own proof-of-concept exploit was used by the attacker. Version 2.3.0 was active for eight hours before Cline developers revoked the token and deprecated the compromised release, noting that "npm publishing now uses OIDC provenance via GitHub Actions." Cline CLI users must update to 2.4.0 or higher and check for unauthorized OpenClaw installation. The OpenClaw agent has raised serious security concerns (covered in NewsBites Volume 28, numbers 7, 8, and 12) and has been described by news sources and industry professionals as a "security nightmare."

A ransomware attack has prompted the University of Mississippi Medical Center (UMMC) to temporarily stop operating its clinics across the state. UMMC has canceled scheduled elective surgeries and other appointments at those locations; the appointments will be rescheduled after the attack has been mitigated. UMMC became aware of the attack early on Thursday, February 19, and the clinics are expected to remain closed through Tuesday, February 24. Hospitals and emergency departments are open and operating under downtime procedures. The disruptions extend to UMMC's EPIC electronic medical record system, so staff are recording patient information with pen and paper. UMMC is working with the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) with assistance from the Federal Bureau of Investigation (FBI).

South Carolina-based molecular diagnostics company Vikor Scientific, now known as Vanta Diagnostics, has disclosed that a ransomware attack against one of its vendors compromised electronic protected health information (PHI). The incident targeted Catalyst RCM, a revenue cycle management company. The incident also affected KorGene, a molecular testing lab owned by Vikor Scientific, as well as KorPath, a Florida-based anatomical pathology lab and Vanta Diagnostics partner. Vikor Scientific reported the incident to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) as affecting the PHI of nearly 140,000n individuals. According to a breach notification posted on the Catalyst RCM website, the company learned of suspicious activity on its secure file management system "on or about November 13, 2025." A subsequent investigation "determined that an authorized login and password to our system were used to access one server between November 8, 2025, and November 9, 2025, and copied data without permission creating an unauthorized use of the data." Compromised data include names, dates of birth, payment card information, medical treatment history, diagnosis information, and health insurance information. Catalyst RCM is notifying affected individuals by mail.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a pair of vulnerabilities in the Roundcube Webmail web-based email client to the Known Exploited Vulnerabilities (KEV) catalog. Both are reportedly being actively exploited. CVE-2025-49113 is a critical deserialization of untrusted data vulnerability that could be leveraged to achieve remote code execution. It affects Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11; Roundcube released updates to address the flaw in June 2025. CVE-2025-68461 is a high-severity cross-site scripting vulnerability that affects Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12; Roundcube released patches for the vulnerability in December 2025. Both CVEs have mitigation deadlines of March 13, 2026 for Federal Civilian Executive Branch (FCEB) agencies.

The US Department of Energy (DoE) has fixed a vulnerability in an Office of Critical Minerals and Energy Innovation portal that allowed anyone to register and use email accounts that appeared to be associated with DoE but were never verified to be associated with authorized individuals. The individual controlling such an account "could request internal documents, direct recipients to malicious attachments or insert themselves into ongoing program discussions without suspicion." Researcher Ronald Lovelace is credited on DoE's responsible vulnerability disclosure page, but the department has provided no details about the issue. According to Nextgov/FCW, Lovelace discovered the vulnerability "us[ing] a standard reconnaissance method called subdomain enumeration to uncover the verification flaw."

The US Federal Bureau of Investigation (FBI) has published a FLASH alert with guidance for organizations to guard against ATM jackpotting, an attack that involves both physical and software/firmware level manipulation of cash machines to dispense currency on demand. The attacks target the physical ATM, not customer accounts. Since 2020, the FBI has received reports of more than 1,900 jackpotting incidents. In 2025 alone, more than 700 incidents were reported with losses exceeding US $20 million. The threat actors use malware tailored to the attacks: for example, "Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do." Jackpotting attacks depend on having physical access to the ATMs. The FLASH alert lists indicators of compromise (IoCs), including digital IoCs, persistent mechanisms, and physical interaction IoCs. Suggested mitigations cover physical and hardware security, as well as logging (enabling, maintaining, and preserving logs), auditing (ATM devices, changing default credentials, and conducting pre-production assessments), network security (IP whitelisting), endpoint detection and response (anti-malware and anti-virus, software whitelisting), and threat intelligence, including familiarization with maintenance schedules, participating inn information sharing through industry groups, and training employees to be alert to anomalies that could indicate jackpotting attacks. Organizations are asked to report suspicious activity to their local FBI field office (www.fbi.gov/contact-us/field-offices) or the FBI Internet Crime Complaint Center (www.ic3.gov).

A federal grand jury in California has indicted three former Google engineers on charges of conspiracy to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice. Two of the defendants, sisters Samaneh Ghandali and Soroor Ghandali, worked at Google before going to work for an unnamed organization, identified as Company 3; Mohammadjavad Khosravi, who is married to one of the sisters, worked at an organization identified as Company 2. The defendants exfiltrated confidential and sensitive data," including trade secrets related to processor security and cryptography and other technologies."

Oleksandr Didenko of Kyiv, Ukraine, has been sentenced to five years in prison for his role in a scheme that stole identities of US citizens and sold them to people in North Korea for fraudulently obtaining employment with US tech companies. Didenko operated a company that facilitated the use of stolen identities; he also managed the proxy identities and facilitated operations of at least three laptop farms that were used to disguise the North Korean workers’ locations. Didenko pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft in November 2025. He has agreed to forfeit more than US $1.4 million and has been ordered to pay US $46,550 in restitution and serve 12 months of supervised release.