Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack.

The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.

“In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both,” researchers Michael Tigges, Anna Pham, and Bryan Masters said.

A Chrome extension named “QuickLens — Search Screen with Google Lens” has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.

QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google.

However, on February 17, 2026, a new version 5.8 was released that contained malicious scripts that introduced ClickFix attacks and info-stealing functionality for those using the extension.

Fake Next.js repos abuse VS Code and npm to run in-memory JavaScript C2; GitLab banned 131 accounts.

Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.

The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.