The CyberWire Daily Podcast 2.9.26
Ep 2485 | 2.9.26

Your phone works for them now.

Transcript

Ivanti zero-days trigger emergency warnings around the globe. Singapore blames a China-linked spy crew for hitting all four major telcos. DHS opens a privacy probe into ICE surveillance. Researchers flag a zero-click RCE lurking in LLM workflows. Ransomware knocks local government payment systems offline in Florida and Texas. Chrome extensions get nosy with your URLs. BeyondTrust scrambles to patch a critical RCE. A Polish data breach suspect is caught eight years later. It’s the Monday Business Breakdown. Ben Yelin gives us the 101 on subpoenas. And federal prosecutors say two Connecticut men bet big on fraud, and lost.

Today is Monday February 9th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Exploitation of Ivanti Endpoint Manager Mobile (EPMM) prompts emergency warnings from governments and cyber agencies worldwide.

A wave of cyberattacks exploiting critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) has prompted emergency warnings from governments and cyber agencies worldwide. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow attackers to take control of managed mobile devices without authentication. Ivanti patched the issues in late January and warned customers to treat exposed systems as potentially compromised.

The Dutch Data Protection Authority and Judicial Council confirmed breaches, with work-related staff data accessed. The European Commission also reported an attack on its mobile device management infrastructure, though it said the incident was contained quickly. CISA added one flaw to its Known Exploited Vulnerabilities Catalog, while agencies in Canada, Singapore, and the UK warned of active exploitation. No public attribution has been made, and investigations continue.

Singapore says a China-linked cyber espionage group targeted all four of the country’s major telecommunications providers. 

Singapore says a China-linked cyber espionage group targeted all four of the country’s major telecommunications providers in a sustained spying campaign. The Cyber Security Agency of Singapore said the threat actor UNC3886 carried out a “deliberate, targeted, and well-planned” operation against M1, SIMBA Telecom, Singtel, and StarHub, using advanced tools to gain covert, long-term access.

The activity was first disclosed in July, with details withheld pending national security review. Singapore later launched “Cyber Guardian,” its largest-ever cyber incident response effort, involving more than 100 defenders over 11 months. Authorities said attackers accessed parts of telecom networks and, in one case, a limited set of critical systems, but found no evidence of service disruption or customer data theft. Officials warned telecom infrastructure remains a prime target for state-backed actors.

DHS investigates potential privacy abuses tied to ICE. 

The Department of Homeland Security Inspector General has launched an investigation into potential privacy abuses tied to Immigration and Customs Enforcement surveillance and biometric data programs. In a letter to Senators Mark Warner and Tim Kaine, Inspector General Joseph Cuffari said his office has begun an audit examining how DHS collects, shares, and secures personally identifiable information and biometric data used in immigration enforcement.

The audit will assess compliance with federal law and whether these practices may have resulted in unlawful searches or privacy violations. The senators’ request highlights concerns raised by reporting on DHS technologies, including contracts with Palantir, Clearview AI, license plate data access, social media monitoring tools, and biometric databases. Lawmakers argue DHS has shown disregard for civil liberties, raising questions about the responsible use of powerful surveillance tools.

Researchers warn of a critical zero-click remote code execution vulnerability in large language model workflows. 

Security firm LayerX has disclosed a critical zero-click remote code execution vulnerability that exposes a fundamental trust boundary failure in large language model workflows. The flaw affects Claude Desktop Extensions and allows full system compromise through a malicious Google Calendar event, without user interaction or confirmation. LayerX rated the issue a maximum 10 out of 10, citing more than 10,000 affected users and over 50 extensions.

The problem is architectural rather than a traditional software bug. Claude’s extensions run with full system privileges and can autonomously chain low-trust data sources, like calendars, to high-privilege execution tools. Researchers warned this creates unsafe trust violations in AI-driven automation. LayerX disclosed the issue to Anthropic, which reportedly chose not to remediate it for now.

Local governments in Florida and Texas find their payment systems disrupted by ransomware. 

A ransomware attack on BridgePay Network Solutions has disrupted payment systems used by local governments and businesses in Florida and Texas. The Florida-based company said it is working with the Federal Bureau of Investigation and the United States Secret Service to investigate and recover from the incident, which caused system-wide outages. BridgePay has not provided a restoration timeline but said it does not believe payment card data was stolen.

The outage forced cities including Palm Bay and Frisco to take online payment portals offline, directing residents to pay in person. BridgePay processes about 40 million transactions monthly. No ransomware group has claimed responsibility, and restoration efforts remain ongoing.

A new Google Chrome vulnerability allows browser extensions to infer full URLs. 

A newly disclosed vulnerability in Google Chrome allows browser extensions to infer the full URL of any open tab without requesting traditional tab or host permissions. Security researcher Luan Herrera reported the issue in January, showing that extensions using only the declarativeNetRequest API can exploit timing differences between blocked and allowed network requests.

By dynamically injecting blocking rules and measuring page reload times, a malicious extension can reconstruct URLs character by character, leaking sensitive data such as OAuth tokens, password reset links, and private queries. The flaw affects current stable and development versions of Chrome and appears to stem from long-standing architectural behavior in Chromium. Chromium developers have labeled the issue “won’t fix,” citing infeasible mitigation. Herrera has urged clearer permission disclosures, warning users that minimal permissions can still expose browsing history.

BeyondTrust urges customers to patch a critical RCE flaw. 

BeyondTrust has warned customers to urgently patch a critical pre-authentication remote code execution flaw affecting its Remote Support and Privileged Remote Access products. Tracked as CVE-2026-1731, the vulnerability stems from an OS command injection issue discovered by researchers at Hacktron AI. The flaw allows unauthenticated attackers to execute arbitrary commands without user interaction. BeyondTrust has secured its cloud systems and urged on-premises customers to upgrade, noting thousands of exposed instances remain at risk if unpatched.

The long arm of the law nabs a Polish suspect eight years after a major data breach. 

Polish authorities have charged a suspect nearly eight years after a major data breach at Morele.net, one of the largest in the country’s history. The 2018 breach exposed data from more than two million customers, including names, contact details, addresses, and hashed passwords. Investigators initially failed to identify the attacker, but renewed efforts led to the arrest of a 29-year-old suspect in January. According to the Central Bureau for Combating Cybercrime, the suspect has admitted the offenses and now faces up to two years in prison.

Monday Business Breakdown. 

Cybersecurity funding and deal activity remains strong, with multiple companies announcing sizable raises and acquisitions across the sector. Florida-based CyberFOX secured a nine-figure growth investment led by Level Equity, marking its first external funding and signaling plans for product expansion, AI development, and acquisitions. Blockchain intelligence firm TRM Labs raised $70 million at a valuation above $1 billion, while supply chain security firm RapidFort and agentic AI startup Outtake raised $42 million and $40 million respectively.

Additional funding went to startups including Orion, RADICL, Kasada, and several early-stage AI security firms. On the M&A front, LevelBlue agreed to acquire Alert Logic, while Varonis, Semperis, and Westcon-Comstor each announced acquisitions to expand their security portfolios.

Federal prosecutors say two Connecticut men were all-in on fraud. 

Federal prosecutors say two Connecticut men turned online gambling promotions into a long-running side hustle, allegedly defrauding FanDuel and rival betting sites of roughly $3 million. According to a 45-count indictment, Amitoj Kapoor and Siddharth Lillaney are accused of buying stolen personal data for about 3,000 victims and using it to create thousands of fake accounts on platforms including DraftKings and BetMGM, all in pursuit of new-user bonuses.

Prosecutors say the operation was methodical. Kapoor allegedly kept the stolen identities neatly organized in a spreadsheet called “Tracker.xlsx,” while background-check services helped answer verification questions. Winning bets were cashed out through virtual cards, then funneled into accounts they controlled. Authorities say the scheme ran for years, until it didn’t. Both men now face charges ranging from wire fraud to money laundering, with decades of potential prison time on the line.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.