Edge Plaintext Passwords, ICS 0‑Days, Patch‑or‑Die Alerts: 2026 Threat Report
The first week of 2026 has been marked by a confluence of critical vulnerabilities and aggressive threat campaigns that underscore the continuing fragility of enterprise and industrial environments. Researchers at multiple security firms, including Symantec Threat Hunter and Trend Micro Zero Day Initiative, reported a surge in disclosed flaws, ranging from client‑side credential exposure in Microsoft Edge to multiple remote‑code‑execution holes in widely deployed industrial control system (ICS) hardware. The urgency is amplified by an influx of “patch‑or‑die” advisories that require immediate remediation, while threat actors continue to leverage supply‑chain tricks, fake applications, DNS hijacking, and credential‑dump marketplaces to gain footholds. The net result is a threat landscape that demands rapid, coordinated response across endpoints, networks, and industrial assets.
In the consumer‑focused arena, Microsoft confirmed a high‑severity flaw (CVE‑2026‑3889) in Edge’s Credential Manager that allows a local attacker with standard user privileges to retrieve plaintext passwords saved by the browser. The vulnerability, discovered by researcher Alex Xu of the Edge Security Team, stems from an improper implementation of the DPAPI wrapper on Windows 11, effectively bypassing the encryption layer that should protect stored credentials. Affected versions include Edge 124.0.2268.1 through 124.0.2268.112 on Windows 10/11 and Windows Server 2022. Microsoft released an out‑of‑band update (Edge 124.0.2268.120) that restores proper DPAPI handling and advises users to immediately upgrade and rotate any saved passwords. Enterprises are urged to audit browser‑stored credentials, enforce hardware‑backed credential stores, and enable Windows Hello for additional assurance.
On the industrial front, the ICS‑CERT coordination center published three zero‑day advisories affecting popular programmable logic controllers (PLCs) and human‑machine interfaces (HMIs). The most critical is a pre‑auth remote‑code‑execution bug (CVE‑2026‑10234) in Siemens SIMATIC S7‑1500 firmware versions prior to v5.2, which allows an unauthenticated attacker on the same network to inject arbitrary code via a specially crafted PROFINET DCP packet. Schneider Electric also patched a similar flaw (CVE‑2026‑10235) in its Modicon M340 PLCs, where a malformed Modbus request can trigger a stack overflow. Both vendors released firmware updates on 12 January 2026 and strongly recommend immediate installation, especially in environments reachable from the corporate LAN. Threat intelligence from Dragos indicates that the “Volt Typhoon” group has begun scanning for vulnerable S7‑1500 devices, suggesting active exploitation may follow shortly.
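The remediation for both the Edge and the S7‑1500 advisories above comes down to the same check: compare what is installed against the affected and fixed builds the report names. The script below is an added example written for this page, not code from Microsoft, Siemens, or any of the firms cited; the advisory table uses only the version boundaries stated in the report, and the inventory rows are constructed sample data. It treats every build below the fixed release as unpatched, which is deliberately conservative for Edge builds between 124.0.2268.112 and 124.0.2268.120.

```python
"""Flag inventory entries that fall inside a published affected-version range.

Added example for the report above. Advisory boundaries are taken from the
report text; the inventory rows are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn "124.0.2268.112" into (124, 0, 2268, 112) and "v5.2" into (5, 2).

    Raises ValueError on non-numeric components, which is the right failure
    mode for a compliance check: an unparseable version should be looked at,
    not silently treated as safe.
    """
    return tuple(int(part) for part in s.strip().lstrip("vV").split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    first_affected: Optional[str]  # None means "every build below fixed"
    fixed: str                     # first build that carries the fix

    def is_affected(self, version: str) -> bool:
        v = parse_version(version)
        if v >= parse_version(self.fixed):
            return False  # at or above the fixed build
        if self.first_affected is None:
            return True   # "prior to vX" style advisory
        return v >= parse_version(self.first_affected)


# Boundaries exactly as the report states them.
ADVISORIES = [
    Advisory("CVE-2026-3889", "Microsoft Edge", "124.0.2268.1", "124.0.2268.120"),
    Advisory("CVE-2026-10234", "Siemens SIMATIC S7-1500", None, "5.2"),
]

# Constructed inventory rows: (hostname, product, installed version).
INVENTORY = [
    ("ws-0101", "Microsoft Edge", "124.0.2268.112"),
    ("ws-0102", "Microsoft Edge", "124.0.2268.120"),
    ("ws-0103", "Microsoft Edge", "123.0.2420.65"),
    ("plc-line1", "Siemens SIMATIC S7-1500", "v5.1.3"),
    ("plc-line2", "Siemens SIMATIC S7-1500", "v5.2"),
]


def find_exposed(inventory, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (host, cve, version) for every row inside an affected range."""
    hits = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and adv.is_affected(version):
                hits.append((host, adv.cve, version))
    return hits


if __name__ == "__main__":
    for host, cve, version in find_exposed(INVENTORY):
        print(f"{host}: {cve} (installed {version})")
```

Feed it the real inventory export (one row per host and product) and the output is the remediation list; anything that raises ValueError on parsing is a row whose version field needs manual inspection rather than a pass.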
Beyond these high‑profile vulnerabilities, a wave of opportunistic attacks continues to target developers and end‑users alike. A malicious npm package named “event‑stream‑v3” was discovered to contain a backdoor exfiltrating environment variables to a Discord webhook, compromising thousands of CI/CD pipelines. Simultaneously, multiple fake mobile applications impersonating popular trading platforms were uploaded to third‑party app stores, delivering the AsyncRAT payload. DNS hijacking campaigns dubbed “DarkPower” have abused forgotten subdomains to redirect traffic to phishing pages, while stolen credential dumps have appeared in public Discord channels, feeding brute‑force attacks against corporate VPN portals. Security teams should enforce multi‑factor authentication, monitor for unusual DNS changes, keep software inventories up to date, and employ behavior‑based endpoint detection to mitigate these persistent threats.
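The npm incident above is the kind of thing a lockfile audit catches in CI before `npm install` ever runs the package. The script below is an added example for this page, not tooling from npm or any vendor named in the report; the only package name it knows is “event‑stream‑v3” from the text, and the sample lockfile is constructed. It walks both lockfile layouts npm has shipped (the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1), so transitive installs are checked as well as direct ones.

```python
"""Scan an npm package-lock.json for blocklisted package names.

Added example for the report above. The blocklist holds the single name the
report gives; SAMPLE_LOCK is a constructed lockfile, not a real project.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple

# Package name taken from the report; extend from your own intel feed.
BLOCKLIST: Set[str] = {"event-stream-v3"}

# Constructed lockfileVersion 3 document with the package pulled in directly.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"web-framework": "^4.1.0", "event-stream-v3": "3.0.1"}},
        "node_modules/web-framework": {"version": "4.1.0"},
        "node_modules/web-framework/node_modules/debug-helper": {"version": "2.6.9"},
        "node_modules/event-stream-v3": {"version": "3.0.1"},
    },
})


def lock_packages(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install_path) for every package in the lockfile."""
    # lockfileVersion 2/3: "packages" is keyed by install path; "" is the root.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        # Aliased installs carry an explicit "name"; otherwise derive it from
        # the last node_modules/ segment (scoped names keep their "@scope/").
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path

    # lockfileVersion 1 (and the compatibility copy in v2): nested tree.
    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_blocklisted(lock: Dict, blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str, str]]:
    """Return (name, version, install_path) for every blocklisted package.

    Paths are deduplicated because a v2 lockfile lists each package twice
    (once under "packages", once under "dependencies").
    """
    seen: Set[str] = set()
    hits = []
    for name, version, path in lock_packages(lock):
        if name in blocklist and path not in seen:
            seen.add(path)
            hits.append((name, version, path))
    return hits


if __name__ == "__main__":
    hits = find_blocklisted(json.loads(SAMPLE_LOCK))
    for name, version, path in hits:
        print(f"BLOCKED {name}@{version} at {path}")
    raise SystemExit(1 if hits else 0)
```

Run it as a pipeline step that fails the build on a non-zero exit; the exact-name match is intentional, since the report identifies the package by name, and fuzzy matching against look-alike names would need a separate, curated list.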