Author: AresISEC Security Team

Security Highlights Of The Day [03/03/26]

OAuth Redirection Abuse Enables Phishing and Malware Delivery
Microsoft observed phishing campaigns abusing OAuth’s by-design redirection mechanisms to target government and public sector organizations. Attackers leveraged silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens. Microsoft Defender detected malicious activity across email, identity, and endpoint signals, and Microsoft Entra disabled the identified OAuth applications. Related OAuth abuse activity remains ongoing and requires continued monitoring.
Source: Microsoft Security Blog

Web Based Indirect Prompt Injection Observed Targeting AI Agents
Researchers documented real-world cases of indirect prompt injection where attackers embed hidden instructions into website content later processed by large language models and AI agents. Instead of directly interacting with the model, adversaries exploit features such as webpage summarization and automated content analysis, causing the AI system to unknowingly execute malicious prompts. The potential impact scales with the sensitivity and privileges of the affected AI environment.
Source: Unit 42

Amazon Confirms Drone Strikes Damaged AWS Data Centers in Middle East
Amazon confirmed that three AWS data centers in the United Arab Emirates and one in Bahrain were damaged by drone strikes, resulting in a significant outage impacting multiple cloud services. The disruption affected the AWS Middle East (UAE) region (me-central-1) and the AWS Middle East (Bahrain) region (me-south-1), with services still experiencing impact following the incident.
Source: BleepingComputer

SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
The threat cluster SloppyLemming has been linked to attacks against government entities and critical infrastructure operators in Pakistan and Bangladesh. The campaign used two separate infection chains to deploy the BurrowShell malware and a Rust-based keylogger. Researchers noted that the use of Rust represents an evolution in the actor’s tooling compared to earlier campaigns relying on more traditional frameworks.
Source: The Hacker News

Google Confirms Exploitation of Qualcomm Android Component Vulnerability
Google disclosed that CVE-2026-21385, a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been exploited in the wild. The flaw involves a buffer over-read in the graphics component and is described as memory corruption linked to an integer overflow. The issue was reported in December 2025 and customers were notified in early February 2026.
Source: The Hacker News

Security Highlights Of The Day [02/03/26]

Chrome Gemini Panel Vulnerability Allowed Extension Hijacking
Researchers disclosed CVE-2026-0628, a high-severity vulnerability in Google Chrome’s Gemini Live feature that could allow malicious browser extensions with basic permissions to hijack the Gemini panel and access local files. The flaw could have enabled privilege escalation by tapping into the browser environment. Google was notified responsibly and released a fix in early January before public disclosure.
Source: Unit 42

APT28 Linked to MSHTML Zero Day Exploited Before Patch Tuesday
The Russia-linked threat actor APT28 is believed to have exploited CVE-2026-21513, a high-severity MSHTML security feature bypass vulnerability with a CVSS score of 8.8, before it was patched in Microsoft’s February 2026 Patch Tuesday release. The flaw allowed attackers to bypass security protections over a network and may have been used in targeted operations.
Source: SecurityWeek

StegaBin Campaign Uses Malicious npm Packages and Pastebin Steganography
Researchers identified 26 malicious npm packages deploying a multi-stage credential harvesting operation targeting developers. The campaign, dubbed StegaBin, hides command and control infrastructure within Pastebin content using character-level steganography. The infection chain ultimately installs a remote access trojan and a nine-module infostealer toolkit targeting developer assets including SSH keys, git repositories, browser credentials, and locally stored secrets.
Source: Socket

Thousands of Google Cloud API Keys Exposed with Gemini Access
Research revealed nearly 3,000 publicly exposed Google Cloud API keys embedded in client-side code. Although typically used as billing project identifiers, these keys could be abused to authenticate to sensitive Gemini endpoints and access private data once APIs were enabled, highlighting risks tied to key exposure in web applications.
Source: The Hacker News

ClawJacked Flaw Enabled Hijacking of Local OpenClaw AI Agents
A high-severity vulnerability in OpenClaw allowed malicious websites to connect to locally running AI agents via a WebSocket gateway bound to localhost. Under specific conditions involving social engineering, attackers could gain control of the agent without plugins or additional extensions. The issue has since been fixed by the vendor.
Source: The Hacker News

Security Highlights Of The Day [26/02/26]

Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers
Cisco released emergency patches for a critical Catalyst SD-WAN zero-day vulnerability tracked as CVE-2026-20127 with a CVSS score of 10. The flaw can be remotely exploited to bypass authentication and gain administrative privileges on vulnerable devices. It affects the peering authentication mechanism of Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, allowing unauthenticated remote attackers to send crafted requests.
Source: SecurityWeek

Microsoft Warns Developers of Fake Next.js Job Repositories Delivering In-Memory Malware
A coordinated developer-targeting campaign is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establishing persistent access. The activity aligns with broader job-themed lures designed to blend into routine developer workflows and increase the likelihood of code execution.
Source: The Hacker News

New Dohdoor Malware Campaign Targets Education and Health Care
Cisco Talos identified an ongoing campaign delivering a previously undisclosed backdoor named Dohdoor. The malware uses DNS over HTTPS for command and control communications and can reflectively download and execute additional payloads. The campaign targeted organizations in the education and health care sectors in the United States through a multi-stage attack chain.
Source: Cisco Talos

UnsolicitedBooker Targets Central Asian Telecoms with LuciDoor and MarsSnake Backdoors
The threat cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan. The campaign involves deployment of two backdoors named LuciDoor and MarsSnake. Researchers report the use of several unique tools of Chinese origin.
Source: The Hacker News

Malicious NuGet Package Targets Stripe
Researchers discovered a malicious NuGet package mimicking Stripe.net, a widely used package with more than 70 million downloads. The campaign follows earlier activity targeting cryptocurrency related developer ecosystems and highlights continued supply chain risks within package repositories.
Source: ReversingLabs

Security Highlights Of The Day [19/02/26]

Telegram Channels Expose Rapid Weaponization of SmarterMail Flaws
Security researchers observed threat actors rapidly sharing proof-of-concept exploits and stolen administrator credentials related to CVE-2026-24423 and CVE-2026-23760 within underground Telegram channels and forums. The critical flaws enable remote code execution and authentication bypass on exposed SmarterMail servers, and weaponization occurred within days of public disclosure.
Source: BleepingComputer

AI in the Middle: Web-Based AI Services Used as C2 Proxies
Threat actors are increasingly leveraging legitimate AI service domains as command and control proxies, blending malicious traffic into normal enterprise activity. AI tools are also being used to generate phishing content, write scripts, analyze stolen data, and even develop full C2 frameworks, significantly reducing operational cost and time-to-scale for attackers.
Source: Check Point Research

Firebase Misconfiguration Exposed 300 Million AI App Messages
An exposed Firebase database leaked approximately 300 million messages belonging to more than 25 million users of the Chat & Ask AI application. As the app acts as a gateway to multiple major AI models, the configuration error had a broad privacy impact across its global user base.
Source: Hackread

CISA Warns of Critical Honeywell CCTV Authentication Bypass
CISA issued an alert regarding CVE-2026-1670, a critical vulnerability affecting multiple Honeywell CCTV products. The flaw allows unauthenticated attackers to change password recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The vulnerability carries a CVSS score of 9.8.
Source: BleepingComputer

GrayCharlie Hijacks Law Firm Websites in Suspected Supply Chain Attack
The threat actor GrayCharlie compromised WordPress websites and injected malicious JavaScript that redirected visitors to NetSupport RAT payloads delivered through fake browser update pages. A cluster of compromised U.S. law firm websites suggests a potential supply chain compromise involving a shared IT provider.
Source: Recorded Future

Security Highlights Of The Day [18/02/26]

UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day
Mandiant and Google Threat Intelligence Group identified active zero-day exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769 with a CVSS score of 10.0. The threat cluster UNC6201, assessed as PRC-linked, has exploited the flaw since at least mid-2024 to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor named GRIMBOLT.
Source: Google Cloud Blog

Spam Campaign Abuses Atlassian Jira Cloud to Target Government and Corporate Entities
Threat actors abused Atlassian Jira Cloud and its connected email system to conduct automated spam campaigns, bypassing traditional email security controls by leveraging the trusted domain reputation of Atlassian products. The campaign, active from late December 2025 through late January 2026, primarily targeted government and corporate entities and redirected victims to investment scams and online casino pages.
Source: Trend Micro

Vulnerabilities in Popular PDF Platforms Enabled Account Takeover and Data Exfiltration
Researchers uncovered more than a dozen vulnerabilities in PDF platforms developed by Foxit and Apryse that could have enabled account takeover, data exfiltration, and other attacks. The issues were responsibly disclosed, and both vendors have released patches addressing the reported flaws.
Source: SecurityWeek

Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware
Notepad++ released version 8.9.2 to address abuse of its software update mechanism by an advanced threat actor. The updated release introduces additional verification controls for signed installers downloaded from GitHub and signed XML responses from the update server, strengthening the integrity of the update process.
Source: The Hacker News

Flaws in Popular VSCode Extensions Expose Developers to Attacks
High and critical severity vulnerabilities affecting widely used Visual Studio Code extensions, collectively downloaded more than 128 million times, could be exploited to steal local files and execute remote code. Affected extensions include Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers report that prior disclosure attempts did not receive a response from maintainers.
Source: BleepingComputer

Security Highlights Of The Day [10/02/26]

BeyondTrust Patches Critical RCE Vulnerability
BeyondTrust has released patches for a critical vulnerability in Remote Support (RS) and Privileged Remote Access (PRA) that could allow unauthenticated remote code execution. Tracked as CVE-2026-1731 (CVSS 9.9), the flaw can be exploited via specially crafted requests to execute OS commands as the site user. Successful exploitation requires no authentication or user interaction and may result in system compromise, unauthorized access, data exfiltration, and service disruption. The issue affects RS versions 25.3.1 and earlier and PRA versions 24.3.4 and earlier. Approximately 8,500 internet-exposed on-prem RS deployments are believed to be potentially affected.
Source: SecurityWeek

Fortinet Patches Critical SQL Injection Flaw Allowing Unauthenticated Code Execution
Fortinet has issued security updates addressing CVE-2026-21643 (CVSS 9.1), a critical SQL injection vulnerability in FortiClientEMS. The flaw allows unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests. Improper neutralization of special elements in SQL commands enables remote exploitation without authentication. Organizations using vulnerable FortiClientEMS versions are advised to apply patches immediately to prevent system compromise.
Source: The Hacker News

Warlock Ransomware Breaches SmarterTools via Unpatched SmarterMail Server
SmarterTools confirmed that the Warlock (Storm-2603) ransomware group breached its network by exploiting an unpatched SmarterMail instance. The compromised server had not been updated to the latest version and was reportedly set up outside standard patch management oversight. Although approximately 30 SmarterMail servers were deployed across the network, one unmaintained VM enabled initial access. SmarterTools stated that core business applications and customer account data were not affected.
Source: The Hacker News

Largest Multi-Agency Cyber Operation Targets APT UNC3886 in Singapore
Singapore authorities disclosed that Advanced Persistent Threat actor UNC3886 conducted a deliberate and targeted campaign against the country’s telecommunications sector. All four major telecom operators – M1, SIMBA Telecom, Singtel, and StarHub – were targeted. The campaign was identified in July 2025, with operational details withheld to preserve security. The coordinated response involved multiple agencies to contain and counter the threat posed to critical infrastructure.
Source: Cyber Security Agency of Singapore

New SSHStalker Linux Botnet Uses Legacy Exploits and IRC-Based Control
A newly identified Linux botnet dubbed SSHStalker relies on exploitation techniques dating back to 2009. The botnet uses IRC-based command and control, multiple Linux kernel exploits, cron-based persistence mechanisms, and watchdog relaunch models. It deploys scanners and additional malware across infected systems. While artifacts resemble Romanian-linked botnet campaigns such as Outlaw and Dota, researchers have not confirmed a direct link, suggesting a derivative or copycat operator may be responsible.
Source: SecurityWeek

Security Highlights Of The Day [09/02/26]

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2019. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.
Source: Google Cloud

TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Cybersecurity researchers have called attention to a massive campaign that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as worm-driven, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce). TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.
Source: The Hacker News

Recent SolarWinds Flaws Potentially Exploited as Zero-Days
Attacks targeting internet-accessible SolarWinds Web Help Desk (WHD) instances for initial access may have exploited recently patched vulnerabilities as zero-days, Microsoft says. As part of a multi-stage intrusion in December 2025, hackers compromised the vulnerable WHD deployments to spawn PowerShell and download and execute additional payloads. However, Microsoft says it could not confirm whether the hackers exploited new or older SolarWinds vulnerabilities known to be exploited in the wild. The tech giant says the compromised product was vulnerable to CVE-2025-40551 and CVE-2025-40536, both patched in January 2026, but also to CVE-2025-26399, which was fixed in September 2025.
Source: SecurityWeek

Fortinet Admits FortiGate SSO Bug Still Exploitable despite December Patch
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix. The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Source: The Register

Germany Warns of Signal Account Hijacking Targeting Senior Figures
Germany’s domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). A defining characteristic of this attack campaign is that no malware is used, nor are technical vulnerabilities in the messaging services exploited, the two agencies said.
Source: BleepingComputer

Security Highlights Of The Day [06/02/26]

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways
In reaction to the recent CVE-2026-25253, the research team analyzed how this vulnerability appears in real-world deployments and what could be identified at internet scale using Hunt[.]io. The analysis focused on internet-exposed browser automation frameworks affected by CVE-2026-25253, including OpenClaw and its forks Clawdbot and Moltbot, which expose web-based control interfaces that store API credentials for multiple AI services. When deployed without proper access controls, these interfaces are directly reachable from the public internet.
Source: Hunt.io

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser-based social engineering combined with living-off-the-land binaries and Python-based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour-based detection and user awareness critical.
Source: Microsoft Security Blog

Brew Hijack: Serving Malware Over Homebrew’s Core Tap
Most of the time, when software is installed, the download is assumed to be secure due to HTTPS and checksum verification. However, research revealed that within Homebrew’s core cask system, some packages are downloaded over plain HTTP without integrity verification. Twenty casks in the official tap were found vulnerable to trivial man-in-the-middle attacks, allowing attackers on the network path to replace legitimate payloads with malware.
Source: Koi.ai

React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry shows that two IP addresses now account for 56% of observed exploitation attempts, down from more than a thousand unique sources. One source deploys cryptomining payloads, while the other opens reverse shells directly to the scanner IP, highlighting distinct post-exploitation behaviours.
Source: GreyNoise

Flickr Security Incident Tied to Third-Party Email System
Flickr has notified users of a security incident involving a third-party email service provider that exposed personal information. The company stated that a vulnerability in the provider’s system may have allowed unauthorized access to member data. Exposed information includes names, email addresses, usernames, account types, IP addresses, general location data, and Flickr activity details. Access to the affected system was shut down within hours of discovery.
Source: SecurityWeek

Security Highlights Of The Day [28/01/26]

Critical Sandbox Escape Flaw Found In Popular vm2 NodeJS Library
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem. vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code.
Source: BleepingComputer

Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.
Source: BleepingComputer

CISA Adds Five Known Exploited Vulnerabilities To Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The newly added flaws include vulnerabilities affecting the Linux kernel, Microsoft Office, GNU InetUtils, and SmarterTools SmarterMail, underscoring continued exploitation of long-known and recently disclosed weaknesses across widely deployed software.
Source: CISA

Investigation Into International “ATM Jackpotting” Scheme Results In Additional Indictments
A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as ATM jackpotting. Fifty-six others had already been charged. The case involves Venezuelan and Colombian nationals, including members of the Tren de Aragua group, and includes charges related to bank fraud, bank burglary, computer fraud, and damage to protected computers.
Source: U.S. Department of Justice

SoundCloud Data Breach Exposes Email Addresses Of Millions Of Users
In December 2025, SoundCloud disclosed unauthorized activity that allowed attackers to map publicly available profile information to email addresses for approximately 20% of its users. The exposed data included tens of millions of email addresses, usernames, and related profile metadata. Attackers later attempted extortion before publicly releasing the dataset the following month.
Source: BleepingComputer

Security Highlights Of The Day [27/01/26]

Critical CERT-In Advisories – January 2026: SAP, Microsoft, and Atlassian Vulnerabilities
January 2026 was a wake-up month for enterprise security teams. In a single week, CERT-In released three high-severity advisories exposing critical flaws across SAP, Microsoft, and Atlassian, the very platforms that run finance systems, identity layers, developer pipelines, and collaboration tools inside most enterprises. These weren’t theoretical bugs. One Windows vulnerability was already being exploited in the wild, while others enabled remote code execution, privilege escalation, data theft, and full system takeover. If your organization runs SAP S/4HANA, Windows, Azure, Jira, Confluence, or Bitbucket, this wasn’t a patch cycle you could afford to ignore. This article breaks down what was affected, how attackers could abuse these flaws, and exactly what security teams must do to stay ahead before these vulnerabilities turn into breaches.
Source: Security Boulevard

Hackers Targeting Cisco Unified CM Zero-Day
Cisco on Wednesday announced patches for yet another zero-day vulnerability targeted by threat actors. The flaw, tracked as CVE-2026-20045 and classified as critical, affects several of Cisco’s unified communications products, including Cisco Unified Communications Manager (CM) and its Session Management Edition (SME), Unified CM IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. According to Cisco, a remote, unauthenticated attacker can exploit CVE-2026-20045 to execute malicious commands on the underlying OS of the device.
Source: SecurityWeek

Nova Ransomware Claims Breach of KPMG Netherlands
KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated. The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day. Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations. The group has established a reputation for targeting professional services firms and financial sector entities that manage high-value and confidential client information.
Source: Dig.watch

Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms
Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations. The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba’s Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card. Several types of vulnerabilities were identified, including hardcoded credentials and encryption keys, weak passwords, lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection issues.
Source: SecurityWeek
