Security Highlights Of The Day [12/01/26]

Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed “Ni8mare.” n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm. Since n8n serves as a central automation hub, it often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it an attractive target for threat actors.
Source: BleepingComputer

In-Depth Analysis Report on LockBit 5.0: Operation and Countermeasures
Since its first appearance in September 2019, LockBit has been one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide, characterized by sophisticated encryption and automated propagation capabilities. Initial access is typically gained through vulnerability exploitation, brute-force attacks, phishing, or leaked login credentials, and an attack follows three stages: initial access, lateral movement and privilege escalation, and ransomware deployment. The group also uses the Stealbit tool to exfiltrate data. From August 2021 to August 2022, LockBit accounted for 30.25% of known ransomware attacks, and in 2023 it made up around 21%. Its extortion demands and recovery costs have resulted in billions of dollars in losses, and despite the efforts of law enforcement agencies LockBit continues to pose a serious threat worldwide. The LockBit 5.0 group operates a dedicated leak site (DLS) that lists the companies it has breached. No South Korean companies appear on the list, but many companies outside South Korea have been identified as victims, across a wide range of industries including IT, electronics, law firms, and churches.
Source: AhnLab ASEC

Threat Actors Actively Targeting LLMs
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments. GreyNoise customers have received an Executive Situation Report (SITREP) including IOCs and other valuable intelligence from this investigation. Customers, please check your inbox. The first campaign exploited server-side request forgery vulnerabilities—tricks that force your server to make outbound connections to attacker-controlled infrastructure. The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas—1,688 sessions in 48 hours. Attackers used ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure to confirm successful SSRF exploitation via callback validation.
Source: GreyNoise
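
Added example (not GreyNoise's code or anything from the source article): a small detector for the out-of-band confirmation pattern described above. It scans captured request paths and bodies for hostnames under OAST callback domains, the domains an attacker's payload must reach if the SSRF fired, and groups hits by source address so a scanner can be told apart from a one-off probe. The domain suffixes are assumed to be interactsh's public defaults and should be replaced with whatever OAST infrastructure shows up in your own telemetry; the request records, endpoint paths and payloads are constructed for illustration, not real honeypot data.

```javascript
// Added example: flag HTTP requests whose path or body carries a hostname under
// an OAST callback domain (the out-of-band check used to confirm blind SSRF).

// ASSUMPTION: public interactsh default domains. Extend with any private OAST
// servers or Collaborator-style domains seen in your environment.
const OAST_SUFFIXES = [
  'oast.fun', 'oast.pro', 'oast.live', 'oast.site', 'oast.online', 'oast.me', 'interact.sh',
];

// Hostnames embedded anywhere in raw request text: full URLs, bare hosts, JSON values.
const HOST_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/gi;

// Exact match or subdomain of a known OAST suffix ("notoast.fun" must not match).
function isOastHost(host) {
  const h = host.toLowerCase();
  return OAST_SUFFIXES.some((s) => h === s || h.endsWith('.' + s));
}

function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(HOST_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// records: [{ ts, src, method, path, body }] -> one finding per request that
// references at least one OAST host.
function flagOastCallbacks(records) {
  const findings = [];
  for (const r of records) {
    const hosts = extractHosts(`${r.path} ${r.body ?? ''}`).filter(isOastHost);
    if (hosts.length) findings.push({ ts: r.ts, src: r.src, path: r.path, hosts });
  }
  return findings;
}

// Probe count per source IP: many hits from one address looks like a scanner.
function countBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.src] = (counts[f.src] ?? 0) + 1;
  return counts;
}

// CONSTRUCTED sample records shaped like honeypot HTTP captures. The Ollama-style
// endpoint paths and payload fields are illustrative, not captured attacker traffic.
const SAMPLE = [
  { ts: '2025-12-25T01:02:03Z', src: '203.0.113.7', method: 'POST', path: '/api/pull',
    body: '{"name":"c3k9q2v1m8.oast.fun/lib/model:latest"}' },
  { ts: '2025-12-25T01:02:09Z', src: '203.0.113.7', method: 'POST', path: '/api/generate',
    body: '{"model":"llama3","prompt":"fetch http://d0v8r1a7b3.oast.pro/ssrf"}' },
  { ts: '2025-12-25T01:03:00Z', src: '198.51.100.4', method: 'GET', path: '/api/tags', body: '' },
  { ts: '2025-12-25T01:04:00Z', src: '198.51.100.9', method: 'POST', path: '/api/pull',
    body: '{"name":"registry.example.com/team/model"}' },
];

const findings = flagOastCallbacks(SAMPLE);
console.log(JSON.stringify(findings, null, 2));
console.log('probes per source:', countBySource(findings));
```

Matching on the callback domain rather than on a specific endpoint keeps the rule useful as attackers move between API surfaces; the fourth sample record, which pulls from an ordinary registry hostname, is correctly left alone.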

Critical React Router Flaws: CVE-2025-61686 Exposes Server Files
Developers relying on the popular React Router library are being urged to patch their applications immediately following the disclosure of multiple high-severity vulnerabilities. The flaws, ranging from unauthorized file access to cross-site scripting (XSS), affect web applications in both the react-router and @remix-run ecosystems. The most critical, tracked as CVE-2025-61686, carries a CVSS score of 9.1. It lies in session management and can allow attackers to reach the server's file system.
Source: SecurityOnline

Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
CloudSEK's TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion of post-compromise capabilities. Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
Source: CloudSEK