Brought to you by Nigel Douglas, Head of Developer Relations at Cloudsmith.
The February thaw hasn't reached the cloud-native ecosystem yet. If anything, the climate is getting frostier.
This month, the industry faces a genuine migration or bust ultimatum as the retirement of Ingress NGINX looms, potentially leaving half of the world's Kubernetes clusters out in the cold. We're also tracking a sophisticated new breed of AI toolchain worms like Shai Hulud v4, which are proving that vibe coding comes with very real security headaches, as seen with some of the recent OpenClaw AI Skill-related incidents. From critical RCEs in n8n and Jenkins to the launch of AI-native assembly lines at Entire.io, we have a massive update to help you navigate the transition from experimental claw agents and MCP servers to production-grade security.
If you need any convincing to take this warning seriously, FOUR new HIGH severity vulnerabilities were just disclosed on February 2nd. While these aren't as critical as IngressNightmare, they really hit home the ongoing risk of running unmaintained software. Two of these (CVE-2026-1580 and CVE-2026-24512) carry a critical CVSS score of 8.8. These flaws could allow attackers to bypass authentication or execute arbitrary code to gain internal cluster access, echoing the severity of the previous exploits seen in ExploitDB. While immediate updates to versions above 1.13.7 or 1.14.3 provide a temporary fix, experts emphasise that with official support for Ingress NGINX ending in March 2026, DevOps teams must urgently migrate to alternatives to ensure long-term security.
A critical security advisory has identified two vulnerabilities in Jenkins Core, most notably a high-severity stored Cross-Site Scripting (XSS) flaw under CVE-2026-27099 that allows attackers to inject malicious JavaScript into node offline cause descriptions. This vulnerability, along with a medium-severity information disclosure flaw under CVE-2026-27100 that involves unauthorised build queries, affects Jenkins versions up to 2.550 and LTS 2.541.1. Administrators are urged to update to Jenkins 2.551 or LTS 2.541.2 immediately to patch these holes and protect their build environments from session compromise and data leakage.
Critical n8n flaw enables system command execution via malicious workflows
Yet another CRITICAL vulnerability (CVSS 9.4) has been discovered in the n8n workflow automation platform, allowing authenticated users to execute arbitrary system commands by bypassing previous security patches. The flaw stems from a type confusion issue where malicious actors can use JavaScript destructuring syntax to pass non-string values that evade n8n’s sanitisation filters, potentially leading to full server compromise, data exfiltration, and the hijacking of AI workflows. The risk is particularly high when combined with public webhooks, which can allow unauthenticated Remote Code Execution (RCE) once a malicious workflow is activated. Users are urged to update to versions 1.123.17 or 2.5.2 and above, or just limit workflow creation permissions to trusted users as a workaround.
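The type confusion described above, reduced to its essence as an added illustration (this is not n8n's code and does not reproduce its sanitiser): a blocklist filter that assumes its input is a string, beside a hardened version that checks the type before the content. The blocked tokens and sample inputs are constructed for the example.

```javascript
// Added illustrative example (not n8n's code): a blocklist sanitiser that
// silently assumes its input is a string, beside a hardened version that
// rejects anything that is not a string before inspecting it.

const BLOCKED_TOKENS = ['child_process', 'process.binding', 'require('];

// Vulnerable pattern: only correct for strings. Arrays also have .includes(),
// but with element-equality semantics, so an array whose single element
// contains a blocked token passes the check and is later coerced back to
// the original string by String().
function sanitizeLoose(value) {
  for (const token of BLOCKED_TOKENS) {
    if (value.includes(token)) {
      return { ok: false, reason: `blocked token: ${token}` };
    }
  }
  return { ok: true, value: String(value) };
}

// Hardened pattern: validate the type first, then the content. Objects,
// arrays and functions never reach the blocklist logic at all.
function sanitizeStrict(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: `expected string, got ${typeof value}` };
  }
  for (const token of BLOCKED_TOKENS) {
    if (value.includes(token)) {
      return { ok: false, reason: `blocked token: ${token}` };
    }
  }
  return { ok: true, value };
}

// Constructed inputs: the plain string is caught by both versions; the same
// text wrapped in a one-element array is caught only by the hardened one.
const PLAIN_INPUT = 'const cp = require("child_process")';
const WRAPPED_INPUT = [PLAIN_INPUT];
```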
Published on February 6th, this CRITICAL command injection vulnerability (CWE-78) was identified in OpenClaw versions prior to 2026.1.29. The flaw resides in the Docker sandbox execution module, where the application fails to properly sanitise the PATH environment variable when constructing shell commands. This allows an authenticated attacker to inject malicious code via shell metacharacters, leading to an RCE with high impact on container confidentiality and integrity. While exploitation requires authentication (explaining why EPSS is 0.07%), it features low complexity and requires no user interaction. To mitigate this risk, users should immediately upgrade to OpenClaw version 2026.1.29 or later, which implements strict validation of environment variables.
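As an added example of the mitigation class described above (not OpenClaw's code, and the allowlist patterns, flags and image name are assumptions made for the illustration): environment variable values are validated before use, and the Docker command is assembled as an argv array for execFile()/spawn() rather than interpolated into a shell string.

```javascript
// Added illustrative example (not OpenClaw's code): building a Docker sandbox
// command without a shell, with the PATH value validated before it is used.
// The vulnerable pattern this replaces is string interpolation into a shell,
// e.g. exec(`docker run -e PATH=${env.PATH} ...`), where ; | & $ ` ( ) in the
// value are parsed by /bin/sh instead of being treated as data.

// Characters a PATH value legitimately needs: directory names and separators.
const PATH_VALUE_RE = /^[A-Za-z0-9_.\/:+-]+$/;

// Environment variable names follow the POSIX portable character set.
const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function validateEnvVar(name, value) {
  if (!ENV_NAME_RE.test(name)) {
    return { ok: false, reason: `invalid variable name: ${JSON.stringify(name)}` };
  }
  if (name === 'PATH' && !PATH_VALUE_RE.test(value)) {
    return { ok: false, reason: 'PATH contains characters outside the allowlist' };
  }
  if (/[\0\n\r]/.test(value)) {
    return { ok: false, reason: 'control characters in value' };
  }
  return { ok: true };
}

// Returns an argv array to hand to execFile('docker', args) or spawn(); no
// shell is involved, so each "-e NAME=value" reaches docker as one argument.
// Throws instead of starting the sandbox when any variable fails validation.
function buildSandboxArgs(image, env, command) {
  const args = ['run', '--rm', '--network', 'none'];
  for (const [name, value] of Object.entries(env)) {
    const check = validateEnvVar(name, value);
    if (!check.ok) throw new Error(`refusing to start sandbox: ${check.reason}`);
    args.push('-e', `${name}=${value}`);
  }
  args.push(image, ...command);
  return args;
}
```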
IN THE NEWS
Supply Chain Security
Docker fixes critical Ask Gordon AI flaw allowing Code Execution via Image Metadata
Docker recently patched a critical vulnerability in its Ask Gordon AI assistant, codenamed DockerDash, which allowed attackers to achieve remote code execution and data exfiltration through malicious image metadata. The flaw stemmed from a meta-context injection where the AI failed to distinguish between standard Docker labels and executable commands, forwarding weaponised instructions to the MCP Gateway without validation. By simply querying the AI about a compromised image, a user could inadvertently trigger the execution of arbitrary commands with their own privileges or leak sensitive environment details. This issue, resolved in version 4.50.0, highlights the growing supply chain risks associated with AI agents that lack zero-trust validation for contextual data.
SANDWORM_MODE: Shai Hulud v4-style worm poisons AI toolchains Source: Socket.dev
Yet another campaign involving sophisticated npm supply chain worms that propagate through simple typosquatting, this time poisoning AI toolchains. Once installed, the malware executes a multi-stage payload that harvests developer credentials, CI secrets, and crypto keys, exfiltrating them via HTTPS, the GitHub API, and DNS tunneling. Beyond traditional theft, the researchers at Socket identified it specifically targeting modern AI dev environments by injecting malicious MCP servers into tools like Claude Code and Cursor, using hidden prompt injections to trick AI assistants into silently leaking sensitive files. The worm ensures persistence through global git hooks and spreads laterally by poisoning GitHub Actions and automatically republishing infected npm packages. While it includes a dead switch for destructive file wiping and a polymorphic engine for evading detection, these features appear dormant in the current build, suggesting an active but evolving threat.
On February 17th, a supply chain attack targeted cline, a popular AI-driven coding agent, via a malicious version 2.3.0 release on npm. StepSecurity flagged the breach after detecting that the update bypassed the project’s standard automated Trusted Publishing pipeline in favor of a manual, unverified upload. This compromised version contained a post-install script that silently installed openclaw, a high-privilege AI framework that functions as a persistent backdoor, granting attackers potential terminal access, credential theft capabilities, and arbitrary command execution. Although maintainers deprecated the package within eight hours, it was downloaded approximately 4,000 times. Users are urged to update to version 2.4.0 or higher and manually uninstall any global instances of openclaw.
Why enterprises remain cautious about using AI coding tools in production Source: Techstrong.tv
In this interview with Techstrong TV, I had the opportunity to explain why many large enterprises remain hesitant to rely heavily on AI coding tools for production-grade applications. I discussed some of my concerns around software supply chain security, code quality, governance, and the challenges organisations are now facing when trying to balance developer productivity with operational risk. We discussed the recent OpenClaw security concerns, how to mitigate the evolving Slopsquatting risks that stem from recent, rapid AI adoption, as well as the security considerations around “AI Skills” in agentic AI tooling like Claude Code and OpenClaw. I strongly recommend you give it a listen.
MIMICRAT: ClickFix campaign delivers custom RAT via compromised legitimate websites Source: Elastic Security Labs
The ClickFix campaign is a sophisticated, five-stage cyberattack that leverages compromised legitimate websites to distribute MIMICRAT, a custom native C remote access trojan. The attack begins by tricking users into manually executing an obfuscated PowerShell command via a fake Cloudflare verification lure, effectively bypassing browser download protections. This initial trigger initiates a complex chain that disables Windows security features like AMSI and ETW before deploying a Lua-based loader to execute shellcode in memory. Once active, MIMICRAT provides attackers with comprehensive control over infected systems, supporting 22 distinct commands including token theft, SOCKS5 tunneling, and interactive shell access, while masking its C2 traffic as legitimate web analytics.
Kubernetes
Half of Kubernetes clusters are about to lose security updates Source: thelandsca.pe
Roughly half of all cloud-native environments are facing a looming security crisis as Ingress NGINX, the world's most popular ingress controller, is set to be retired in March 2026. Despite its massive adoption and inclusion as a default component in major platforms like IBM Cloud and Alibaba, the project is folding due to chronic maintainer burnout and a lack of community support. This retirement leaves organisations with a tight two-month window to migrate to alternatives like the Gateway API or Traefik. Because there is no drop-in replacement, teams must act immediately to audit their clusters and plan for engineering work to avoid running unsupported, vulnerable infrastructure.
Edera advisory highlights RCE flaw in Kubernetes Source: Edera.dev
Edera issued a security advisory regarding a design flaw in Kubernetes that allows for full RCE via the nodes/proxy GET permission. While not technically a vulnerability (since the feature is functioning as designed), the flaw can be exploited if monitoring tools or network overlays using these permissions are compromised. Although a fix is slated for Kubernetes version 1.36 in April 2026, experts warn that slow enterprise update cycles leave many clusters at risk, necessitating proactive environment scanning and more granular authorisation controls to mitigate potential attacks.
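The "proactive environment scanning" the advisory calls for starts with knowing which roles hold this permission. The following is an added example, not Edera's tooling: it walks the JSON from `kubectl get clusterroles,roles -A -o json` and reports every role whose rules grant GET on nodes/proxy, including the wildcard forms the RBAC authorizer accepts. The role list below is constructed for the example.

```javascript
// Added example (not Edera's tooling): find RBAC roles that grant the GET
// verb on the nodes/proxy subresource. It honours the wildcard forms the
// Kubernetes RBAC authorizer accepts: verb "*", apiGroup "*", and resource
// "*", "*/proxy" or the explicit "nodes/proxy".
// Input shape: the List object printed by
//   kubectl get clusterroles,roles -A -o json

function ruleGrantsNodesProxyGet(rule) {
  const groups = rule.apiGroups || [];
  const verbs = rule.verbs || [];
  const resources = rule.resources || [];
  const groupOk = groups.includes('') || groups.includes('*');      // core API group
  const verbOk = verbs.includes('get') || verbs.includes('*');
  const resourceOk = resources.some(
    (r) => r === '*' || r === '*/proxy' || r === 'nodes/proxy',
  );
  return groupOk && verbOk && resourceOk;
}

// Returns "<kind>/<namespace>/<name>" (namespace omitted for ClusterRoles)
// for every role with at least one matching rule.
function findNodesProxyGrants(roleList) {
  const hits = [];
  for (const role of roleList.items || []) {
    if ((role.rules || []).some(ruleGrantsNodesProxyGet)) {
      const ns = role.metadata.namespace ? `${role.metadata.namespace}/` : '';
      hits.push(`${role.kind}/${ns}${role.metadata.name}`);
    }
  }
  return hits;
}

// Constructed sample: a monitoring role with the explicit subresource, the
// built-in style wildcard admin role, and a harmless role that can only read
// node objects (no subresource, so it cannot reach the kubelet API).
const SAMPLE_ROLES = {
  items: [
    { kind: 'ClusterRole', metadata: { name: 'metrics-collector' },
      rules: [{ apiGroups: [''], resources: ['nodes', 'nodes/proxy'], verbs: ['get', 'list'] }] },
    { kind: 'ClusterRole', metadata: { name: 'cluster-admin' },
      rules: [{ apiGroups: ['*'], resources: ['*'], verbs: ['*'] }] },
    { kind: 'ClusterRole', metadata: { name: 'node-reader' },
      rules: [{ apiGroups: [''], resources: ['nodes'], verbs: ['get', 'list', 'watch'] }] },
  ],
};
```

Every hit is a candidate for the advisory's remediation: confirm the binding is still needed and replace it with the narrowest subresource the tool actually uses.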
How TeamPCP automates Kubernetes exploitation for cybercrime Source: DarkReading
The threat actor group TeamPCP (also known as PCPcat) launched a massive, worm-driven campaign targeting cloud-native environments, specifically focusing on Kubernetes clusters, exposed Docker APIs, and vulnerable React/Next.js applications. By leveraging the critical React2Shell vulnerability (CVE-2025-55182) alongside common misconfigurations, the group automates the creation of a self-propagating criminal ecosystem. Once a Kubernetes environment is detected, the malware executes cluster-specific payloads to harvest credentials, deploy privileged pods for persistence, and transform the infrastructure into a distributed network for cryptocurrency mining, proxy relays, and data extortion. Rather than relying on novel code, TeamPCP achieves its impact through the industrial scale of its operation, monetising both the computational power and the exfiltrated data of its collateral victims.
The hunt for truly zero-CVE container images Source: TheNewStack
The pursuit of zero-vulnerability container images has sparked a technical debate over whether traditional Linux distributions can keep pace with modern security demands. While vendors like Docker provide hardened images based on established upstreams like Debian or Alpine, they often inherit no-DSA flags (which are triage markers that defer patches for minor or hard-to-exploit vulnerabilities). Chainguard argues that this creates a lag where scanners report images as clean despite containing unpatched upstream code, advocating instead for a model that rebuilds containers directly from source as soon as fixes are available. However, the industry remains divided on the absolute value of CVE counts, as many vulnerabilities may be unexploitable in specific environments or even invalid, suggesting that while zero-CVE images are a major step forward, they are a single component of a broader, risk-based security strategy.
AI, LLMs & MCP
Subagents and web search in Claude Code Source: Ollama Blog
Ollama updated Claude Code to support subagents and integrated web search without requiring external MCP servers or API keys. This update allows models (specifically cloud-based ones like minimax-m2.5, glm-5, and kimi-k2.5) to execute multiple tasks in parallel, such as code exploration and security auditing, without cluttering the main conversation context. Additionally, Ollama now handles web search natively, allowing subagents to research real-time data and provide actionable insights directly within the coding workflow.
GGML and llama.cpp join Hugging Face to ensure the long-term progress of local AI Source: Hugging Face Blog
Hugging Face announced that Georgi Gerganov and the GGML team, creators of the industry-standard llama.cpp library, are joining the company to bolster the future of local AI. This partnership aims to bridge the gap between Hugging Face’s transformers library (the standard for model definition) and llama.cpp (the leader in local inference) to create a seamless, single-click experience for deploying models on personal hardware. While Hugging Face will provide long-term resources and stability, llama.cpp will remain a 100% open-source, community-driven project with its original leadership maintaining full technical autonomy. The ultimate goal of this collaboration is to advance open-source super-intelligence by making local, private, and efficient AI accessible to everyone, rather than being restricted to cloud-based APIs.
OpenAI CEO Sam Altman announced that Peter Steinberger, the founder of the viral open-source assistant OpenClaw, is joining OpenAI to lead the development of next-generation personal agents. As part of this transition, OpenClaw, which gained massive popularity for its ability to automate complex tasks like managing emails and insurance, will move into an independent foundation to ensure it remains an open-source project. While Steinberger believes OpenAI provides the best environment to scale his vision, the move comes amid heightened scrutiny, including warnings from Chinese regulators regarding the potential security and data breach risks associated with the agent's rapid adoption.
Anthropic rolls out embedded security scanning for Claude Source: CyberScoop
Anthropic launched Claude Code Security, an embedded vulnerability scanner currently in limited testing for Enterprise and Team customers. Following the release of Claude Opus 4.6, this tool aims to automate the software security review process by scanning codebases for vulnerabilities and providing human-like reasoning to suggest patches. By utilising a multi-stage verification process to reduce false positives and assign severity ratings, Anthropic intends to streamline deployment for the growing vibe coding movement, potentially uncovering long-hidden bugs faster than manual human review while maintaining safety through strict usage requirements.
The steep mountain MCP must climb to reach production Source: TheNewStack
The evolution of the MCP protocol reflects a much-needed shift from experimental vibe-coding towards the rigorous demands of enterprise production environments like Kubernetes. While the protocol successfully democratised access to internal services like JIRA and Salesforce, it now faces a steep mountain of challenges, primarily regarding security vulnerabilities and context window management. Experts emphasise that the initial friction-free design of MCP must now integrate robust OAuth 2.1 implementations and progressive disclosure strategies to prevent token bloat and hijacking risks. Ultimately, while the rise of code mode and Agent-to-Agent (A2A) protocols signals a maturing ecosystem, the burden remains on developers to move beyond internal experiments by prioritising read-only security and user-centric discovery.
GitHub’s former CEO launches Entire.io Source: Entire.io Blog
Thomas Dohmke launched Entire, a new developer platform backed by a $60 million seed round that aims to reinvent the software development lifecycle for an era where AI agents, rather than humans, are the primary producers of code. The solution is particularly interesting because it addresses the supposed context loss that occurs when ephemeral agent sessions (like those in Claude Code or Cursor) generate massive amounts of code without preserving the underlying reasoning. Their first product is an open-source CLI that creates Checkpoints (basically versioned metadata stored in Git that captures the prompts, tool calls, and logic) behind every agent-driven commit. By treating agent intent as a first-class citizen alongside the code itself, Entire seeks to move away from a manual, human-centric development toward an AI-native assembly line where multiple agents can coordinate, hand off work, and learn from previous sessions without repeating mistakes or wasting tokens.
Date/Time: March 11, 2026 (4pm GMT)
Location: Virtual Webinar
Most software pipelines focus on writing code and deploying it, but the real risk is what happens in between. Join Cloudsmith and Octopus Deploy to learn how to build trust in software artifacts and enforce security and compliance through your Golden Path.
The Cloud Native Computing Foundation’s flagship conference brings together adopters and technologists from leading open source and cloud native communities in Amsterdam. Be a part of the conversation as CNCF Graduated, Incubating, and Sandbox Projects unite for four days of collaboration, learning, and innovation to drive the future of cloud native computing. We’ll also be running another exciting Capture The Flag (CTF) event.