This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn’t need novel tricks. They used what was already exposed and moved in without resistance.
Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior. Different victims, same playbook: look normal, move quickly, spread before alarms go off.
For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle. Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward.
⚡ Threat of the Week
Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability in the n8n workflow automation platform permits unauthenticated remote code execution and potential full system compromise. The flaw, referred to as Ni8mare and tracked as CVE‑2026‑21858, affects locally deployed instances running versions prior to 1.121.0. The issue stems from how n8n handles incoming data, offering a direct path from an external, unauthenticated request to compromise the automation environment. The disclosure of CVE‑2026‑21858 follows several other high‑impact vulnerabilities publicized over the past two weeks, including CVE‑2026‑21877, CVE‑2025‑68613, and CVE‑2025‑68668. The problem appears in Form-based workflows where file-handling functions are executed without first validating that the request was actually processed as “multipart/form-data.” This loophole allows an attacker to send a specially crafted request using a non-file content type while crafting the request body to mimic the internal structure expected for uploaded files. Because the parsing logic does not verify the format of the incoming data, it enables an attacker to access arbitrary file paths on the n8n host and even escalate it to code execution. “The impact extends to any organization using n8n to automate workflows that interact with sensitive systems,” Field Effect said. “The worst‑case scenario involves full system compromise and unauthorized access to connected services.” However, Horizon3.ai noted that successful exploitation requires a combination of pre-requisites that are unlikely to be found in most real-world deployments: An n8n form component workflow that’s publicly accessible without authentication and a mechanism to retrieve the local files from the n8n server.
🔔 Top News
- Kimwolf Botnet Infects 2M Android Devices — The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks. Kimwolf’s rapid growth is largely fueled by its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client. Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222. The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices. When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices. When reachable, botnet payloads were delivered via netcat or telnet, piping shell scripts directly into the exposed device for local execution.
- China-Linked Hackers Likely Developed Exploit for Trio of VMware Flaws in 2024 — Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed more than a year before a set of three flaws it relied on were made public. The attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process. The attackers disabled VMware’s own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have allowed the attackers to hit a broad range of environments. Huntress, which observed the activity in December 2025, said there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner.
- China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. The campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors.
- Two Malicious Chrome Extensions Caught Prompt Poaching — Two new malicious extensions on the Chrome Web Store, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, and AI Sidebar with DeepSeek, ChatGPT, Claude, and more, were found to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers’ control. The technique of browser extensions to stealthily capture AI conversations has been codenamed Prompt Poaching. The extensions, which were collectively installed 900,000 times, have since been removed by Google.
- PHALT#BLYX Targets Hospitality Sector in Europe — A new multi-stage malware campaign targeting hospitality organizations in Europe using social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death (BSoD) errors to trick users into manually executing malicious code under the guise of reservation-cancellation lures. Dubbed PHALT#BLYX, the campaign represents an evolution from earlier, less evasive techniques. Previous versions relied on HTML Application files and mshta.exe. The latest iteration, detected in late December 2025, instead abuses MSBuild.exe, a trusted Microsoft utility, to compile and execute a malicious project file. This living-off-the-land (LotL) approach enables the malware to bypass many endpoint security controls and deliver a heavily obfuscated variant of DCRat. The activity is assessed to be the work of Russian-speaking threat actors. The attacks leverage a social engineering tactic called ClickFix, where users are tricked into manually executing seemingly harmless commands that actually install malware. It operates by deceiving users into taking an action to “fix” a non-existent issue by either automatically or manually copying and pasting a malicious command into their terminal or Run dialog.
️🔥 Trending CVEs
Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.
This week’s list includes — CVE-2026-21858, CVE-2026-21877, CVE-2025-68668 (n8n), CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 (Trend Micro Apex Central), CVE-2026-20029 (Cisco Identity Services Engine), CVE-2025-66209, CVE-2025-66210, CVE-2025-66211, CVE-2025-66212, CVE-2025-66213, CVE-2025-64419, CVE-2025-64420, CVE-2025-64424, CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 (Coolify), CVE-2025-59470 (Veeam Backup & Replication), CVE-2026-0625 (D-Link DSL gateway routers), CVE-2025-65606 (TOTOLINK EX200), CVE-2026-21440 (@adonisjs/bodyparser), CVE-2025-68428 (jsPDF), CVE-2025-69194 (GNU Wget2), CVE-2025-43530 (Apple macOS Tahoe), CVE-2025-54957 (Google Android), CVE-2025-14026 (Forcepoint One DLP Client), CVE-2025-66398 (Signal K Server), CVE-2026-21483 (listmonk), CVE-2025-34468 (libcoap), CVE-2026-0628 (Google Chrome), CVE-2025-67859 (Linux TLP), CVE-2025-9222, CVE-2025-13761, CVE-2025-13772 (GitLab CE/EE), CVE-2025-12543 (Undertow HTTP server core), CVE-2025-14598 (BeeS Examination Tool), CVE-2026-21876 (OWASP Core Rule Set), CVE-2026-22688 (Tencent WeKnora), CVE-2025-61686 (@react-router/node, @remix-run/node, and @remix-run/deno), and CVE-2025-54322 (Xspeeder SXZOS).
📰 Around the Cyber World
- India Denies it Plans to Demand Smartphone Source Code — India’s Press Information Bureau (PIB) has refuted a report from Reuters that said the Indian government has proposed rules requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures to tackle online fraud and data breaches. Some of the key requirements mentioned in the report included preventing apps from accessing cameras, microphones or location services in the background when phones are inactive, periodically displaying warnings prompting users to review all app permissions, storing security audit logs, including app installations and login attempts, for 12 months, periodically scanning for malware and identify potentially harmful applications, making all pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, deletable, notifying a government organization before releasing any major updates or security patches, detecting if a device has been rooted or jailbroken, and blocking installation of older software versions. The PIB said, “The Government of India has NOT proposed any measure to force smartphone manufacturers to share their source code,” adding, “The Ministry of Electronics and Information Technology has started the process of stakeholders’ consultations to devise the most appropriate regulatory framework for mobile security. This is a part of regular and routine consultations with the industry for any safety or security standards. Once a stakeholder consultation is done, then various aspects of security standards are discussed with the industry.” It also said no final regulations have been framed, adding the government has been engaging with the industry to better understand technical and compliance burden and best international practices, which are adopted by the smartphone manufacturers.
- Meta Says There was No Instagram Breach — Meta said it fixed an issue that “let an external party request password reset emails for some people.” It said there is no breach of its system and user accounts are secure. The development comes after security software vendor Malwarebytes claimed, “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.” This data is available for free on numerous hacking forums, with the poster claiming it was gathered through an unconfirmed 2024 Instagram API leak. However, the cybersecurity community has shared evidence suggesting the scraped data may have been collected in 2022.
- 8.1M Attack Sessions Related to React2Shell — Threat intelligence firm GreyNoise said it recorded over 8.1 million attack sessions since the initial disclosure of React2Shell last month, with “daily volumes stabilizing in the 300,000–400,000 range after peaking above 430,000 in late December.” As many as 8,163 unique source IPs across 1,071 ASNs spanning 101 countries have participated in the efforts. “The geographic and network distribution confirms broad adoption of this exploit across diverse threat actor ecosystems,” it said. “The campaign has produced over 70,000 unique payloads, indicating continued experimentation and iteration by attackers.”
- Salt Typhoon Linked to New U.S. Hacks — Chinese hacking group Salt Typhoon is alleged to have hacked the email systems used by congressional staff on multiple committees in the U.S. House of Representatives, according to a report from Financial Times. “Chinese intelligence accessed email systems used by some staffers on the House China committee in addition to aides on the foreign affairs committee, intelligence committee, and armed services committee, according to people familiar with the attack,” it said. “The intrusions were detected in December.”
- Russian Basketball Player Accused of Ransomware Ties Freed in Prisoner Swap — A Russian basketball player accused of being involved in a ransomware gang was freed in a prisoner exchange between Russia and France. Daniil Kasatkin, 26, was arrested in July 2025 shortly after arriving in France with his fiancée. He is alleged to have been involved in a ransomware group that allegedly targeted nearly 900 entities between 2020 and 2022. While the name of the ransomware gang was not revealed, it’s believed to be the now-defunct Conti group. Kasatkin’s lawyer said he was not involved in ransomware attacks and claimed the accusations related to a second-hand computer he purchased.
- Illicit Crypto Activity Reaches Record $158B in 2025 — Illicit cryptocurrency activity reached an all-time high of $158 billion in 2025, up nearly 145% from 2024, according to TRM Labs. Despite this surge, the activity has continued to decline as a share of overall cryptocurrency activity, declining from 1.3% in 2024 to 1.2% in 2025. “Inflows to sanctioned entities and jurisdictions rose sharply in 2025, led by USD 72 billion received by the A757 token, followed by an additional USD 39 billion sent to the A7 wallet cluster,” the blockchain intelligence firm said. “This growth was highly concentrated: more than 80% of sanctions-linked volume was connected to Russia-linked entities, including Garantex, Grinex, and A7.” A7 is assessed to operate as a hub connecting Russia-linked actors with counterparties across China, Southeast Asia, and Iran-linked networks. “The spike in illicit volume doesn’t reflect a failure of enforcement — it reflects a maturing ecosystem and better visibility,” said Ari Redbord, Global Head of Policy at TRM Labs. “Crypto has moved from novelty to durable financial infrastructure, and illicit actors — including geopolitical actors – are operating within it the same way they do in traditional finance: persistently, at scale, and increasingly exposed.” In a related report, Chainalysis said illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% increase year-over-year, with Chinese money laundering networks operated by criminal syndicates behind scam operations emerging as a prominent player in the illicit on-chain ecosystem.
- China Tightens Oversight of Personal Data Collection on Internet — China has issued draft regulations for the governance of personal information collection from the internet and its use, as part of its efforts to safeguard users’ rights and promote transparency. “The collection and use of personal information shall follow the principles of legality, legitimacy, necessity, and integrity, and shall not collect and use personal information through misleading, fraud, coercion, and other means,” the draft rules released by the Cyberspace Administration of China (CAC) on January 10, 2026, state. “The collection and use of personal information shall fully inform the subject of the collection and use of personal information and obtain the consent of the subject of the personal information; the collection and use of sensitive personal information shall obtain the separate consent of the subject of the personal information.” In addition, app developers are responsible for maintaining the security and compliance, and ensuring that camera and microphone permissions are accessed only when taking photos, or making video or audio recordings.
- Security Flaw in Kiro GitLab Merge Request Helper — A high-severity vulnerability has been disclosed in Kiro’s GitLab Merge Request Helper (CVE-2026-0830, CVSS score: 8.4) that could result in arbitrary command injection when opening a maliciously crafted workspace in the agentic IDE. “This may occur if the workspace has specially crafted folder names within the workspace containing injected commands,” Amazon said. The issue has been addressed in version 0.6.18. Security researcher Dhiraj Mishra, who reported the flaw in October 2025, said it can be abused to run arbitrary commands on the developer’s machine by taking advantage of the fact that GitLab Merge Request Helper passes repository paths to a sub-process without enclosing them in quotes, enabling an attacker to incorporate shell meta-characters and achieve command execution.
- Phishing Attacks Leverage WeChat in China-Linked Fraud Operations — KnowBe4 said it has observed a spike in phishing emails targeting the U.S. and EMEA that use WeChat “Add Contact” QR code lures, jumping from only 0.04% in 2024 to 5.1% by November 2025. “While the overall volume remains relatively low, this represents a 3,475% increase across these regions,” it said. “Additionally, 61.7% of these phishing emails were written in English, and a further 6.5% were in languages other than Chinese or English, indicating a growing and targeted diversification.” In these high-volume phishing schemes, emails centered around job opportunity themes urge recipients to scan an embedded QR code to add an HR representative on WeChat. The emails are sent using a mass mailer toolkit that uses spoofed domains and Base64-encoding to evade spam filters. Should a victim fall for the bait and add them on WeChat, the threat actors build rapport with them before carrying out financially motivated scams. “These monetary transfers take place via WeChat Pay, which offers a fast payment service that’s difficult to trace and reverse,” KnowBe4 said. “The platform also provides a largely closed ecosystem. Identity details and conversation histories exist inside Tencent’s environment, which can make cross-border investigation and recovery slow.”
- Phishing Campaign Delivers GuLoader — A new phishing campaign disguised as an employee performance report is being used to deliver a malware loader called GuLoader, which then deploys a known remote access trojan known as Remcos RAT. “It allows threat actors to perform malicious remote control behaviors such as keylogging, capturing screenshots, controlling webcams and microphones, as well as extracting browser histories and passwords from the installed system,” AhnLab said. The development comes as WebHards impersonating adult video games have been employed to propagate Quasar RAT (aka xRAT) in attacks targeting South Korea.
- Critical Vulnerability in zlib — A critical security flaw in zlib’s untgz utility (CVE-2026-22184, CVSS score: 9.3) could be exploited to achieve a buffer overflow, resulting in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, architecture, build flags, and memory layout. The issue affects zlib versions up to and including 1.3.1.2. “A global buffer overflow vulnerability exists in the TGZfname() function of the zlib untgz utility due to the use of an unbounded strcpy() call on attacker-controlled input,” researcher Ronald Edgerson said. “The utility copies a user-supplied archive name (argv[arg]) into a fixed-size static global buffer of 1024 bytes without performing any length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write past the end of the global buffer, leading to memory corruption.”
- BreachForums Database Leaked — The website “shinyhunte[.]rs”, named after the ShinyHunters extortion gang, has been updated to leak a database containing all records of users associated with BreachForums, which emerged in 2022 as a replacement for RaidForums, and has since cycled through different iterations. In April 2025, ShinyHunters shut down BreachForums, citing an alleged zero-day vulnerability in MyBB. Subsequently, the threat actor also claimed the site had been turned into a honeypot. The database includes metadata of 323,986 users. “The database could be acquired as a result of a web application vulnerability in a CMS or through possible misconfiguration,” Resecurity said. “This incident proved that data breaches are possible not only with legitimate businesses but also with cybercriminal resources generating damage and operating on the dark web, which can have a much greater positive impact.” Accompanying the database is a lengthy manifesto written by “James,” who names several individuals and their aliases: Dorian Dali (Kams), Ojeda Nahyl (N/A, Indra), Ali Aboussi, Rémy Benhacer, Nassim Benhaddou, Gabriel Bildstein, and MANA (Mustapha Usman). An analysis of the data has revealed that the majority of actors were identified as originating from the U.S., Germany, the Netherlands, France, Turkey, the U.K., as well as the Middle East and North Africa, including Morocco, Jordan, and Egypt. In a statement posted on BreachForums website (“breachforums[.]bf”), its current administrator N/A described James as a former ShinyHunters member who has released an older database. In another message shared on “shinyhunte[.]rs” in December 2025, James was outed as a “Frenchman” and a “former associate who operated in the shadows to organize ransomware attacks, particularly the one targeting Salesforce without the approval of the other members.”
🎥 Cybersecurity Webinars
- Stop Guessing Your SOC Strategy: Learn What to Build, Buy, or Automate — Modern SOC teams are overloaded with tools, noise, and promises that don’t translate into results, making it hard to know what to build, buy, or automate. In this session, AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cut through the clutter with a practical, vendor-neutral look at SOC operating models, maturity, and real-world decision frameworks—leaving teams with a clear, actionable path to simplify their stack and make their SOC work more effectively.
- How Top MSSPs Are Using AI to Grow in 2026: Learn Their Formula — By 2026, MSSPs are under pressure to do more with less, and AI is becoming the edge that separates those who scale from those who stall. This session explores how automation reduces manual work, improves margins, and enables growth without adding headcount, with real-world insights from Cynomi founder David Primor and Secure Cyber Defense CISO Chad Robinson on turning expertise into repeatable, high-value services.
🔧 Cybersecurity Tools
- ProKZee — It is a cross-platform desktop tool for capturing, inspecting, and modifying HTTP/HTTPS traffic. Built with Go and React, it’s fast, clean, and runs on Windows, macOS, and Linux. It includes a built-in fuzzer, request replay, Interactsh support for out-of-band testing, and AI-assisted analysis via ChatGPT. Full Docker support keeps setup and development simple for security researchers and developers.
- Portmaster — It is a free, open-source firewall and privacy tool for Windows and Linux that shows and controls all system network connections. Built by Safing in Austria, it blocks trackers, malware, and unwanted traffic at the packet level, routes DNS securely via DoH/DoT, and offers per-app rules, privacy filtering, and an optional multi-hop Safing Privacy Network, without relying on third-party clouds.
- STRIDE GPT — It is an open-source AI-based threat modeling framework that automates the STRIDE method to identify risks and attack paths in modern systems. It supports GenAI and agent-based applications, aligns with the OWASP LLM and Agentic Top 10, detects RAG and multi-agent architectures, and produces clear attack trees with mitigation guidance—connecting traditional threat modeling with AI-era security risks.
Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.
Conclusion
Seen together, these updates show how quickly familiar systems turn risky when trust isn’t questioned. Most of the damage didn’t begin with clever exploits. It began with ordinary tools quietly doing more than anyone expected.
It rarely takes a dramatic failure. A missed patch. An exposed service. A routine click that slips through. Multiply those small lapses, and the impact spreads faster than teams can contain it.
The lesson is straightforward. Today’s threats grow out of normal operations, moving at speed and scale. The advantage comes from spotting where that strain is building before it breaks.
