Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

Ravie LakshmananJan 26, 2026Hacking News / Cybersecurity

Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week’s recap shows that pattern clearly.

Attackers are moving faster than defenses, mixing old tricks with new paths. “Patched” no longer means safe, and every day, software keeps becoming the entry point.

What follows is a set of small but telling signals. Short updates that, together, show how quickly risk is shifting and why details can’t be ignored.

⚡ Threat of the Week

Improperly Patched Flaw Exploited Again in Fortinet Firewalls — Fortinet confirmed that it’s working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. “We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” the company said. The activity has been found to exploit an incomplete patch for CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. In the absence of a fix, users are advised to restrict administrative access of edge network devices and turn off FortiCloud SSO logins by disabling the “admin-forticloud-sso-login” setting.

🔔 Top News

• TikTok Forms New U.S. Entity to Avoid Federal Ban — TikTok officially announced that it formed a joint venture that will allow the hugely popular video-sharing application to continue operating in the U.S. The new venture, named TikTok USDS Joint Venture LLC, has been established in compliance with the Executive Order signed by U.S. President Donald Trump in September 2025, the platform said. The new deal will see TikTok’s Chinese parent company, ByteDance, selling the majority of its stake to a group of majority-American investors, while it will retain a 19.9% stake in the business. The Chinese government hasn’t commented publicly on the agreement. The deal ends years of regulatory uncertainty that began in August 2020, when President Trump announced plans to ban the app, citing national security concerns.
• VoidLink Generated Almost Entirely Using AI — VoidLink, the recently discovered Linux malware which targets Linux-based cloud servers, was likely generated almost entirely by artificial intelligence (AI), signaling a significant evolution in the use of the technology to develop advanced malware. What was significant in alerting researchers to AI involvement in building VoidLink was a development plan that accompanied the project and was accidentally left exposed by its author. The developer also utilized regular checkpoints to ensure that the model was developing as instructed and that the code worked. The result was a malware which the researchers who first detailed VoidLink described as “sophisticated, modern and feature-rich.” The discovery is a watershed moment for malware development, underscoring a shift in how AI can be used to design advanced malicious programs. “The security community has long anticipated that AI would be a force multiplier for malicious actors. Until now, however, the clearest evidence of AI-driven activity has largely surfaced in lower-sophistication operations, often tied to less experienced threat actors, and has not meaningfully raised the risk beyond regular attacks,” Check Point said. “VoidLink shifts that baseline: its level of sophistication shows that when AI is in the hands of capable developers, it can materially amplify both the speed and the scale at which serious offensive capability can be produced.” From a defensive point of view, the use of AI also complicates attribution, as the generated code removes a lot of usual clues and makes it harder to determine who’s really behind an attack.
• Critical GNU InetUtils telnetd Flaw Detailed — A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061 (CVSS score: 9.8), affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. The vulnerability was introduced as part of a code change in March 2015. The flaw allows an attacker to establish a Telnet session without providing valid credentials, granting unauthorized access to the target system. SafeBreach Labs, in a root cause analysis of CVE-2026-24061, described it as easy to exploit and that an attacker can supply a “-f” flag for the “/usr/bin/login” executable, effectively skipping the interactive authentication and giving them a root shell. It has also released a public proof-of-concept (PoC) exploit for the flaw.
• Vishing Attacks Target Identity Providers — Threat actors who specialize in voice phishing (aka vishing) have started using bespoke phishing kits that can intercept targets’ login credentials while also allowing attackers to control the authentication flow in a targeted user’s browser in real-time. “Where threat actors could once pay for access to a kit with basic features that targeted all popular Identity Providers (Google, Microsoft Entra, Okta, etc.) and cryptocurrency platforms, a new generation of fraudsters are attempting to sell access to bespoke panels for each targeted service,” Okta said. The ShinyHunters extortion gang has claimed responsibility for some of the attacks, Bleeping Computer reported.
• CrashFix Crashes Browsers to Deliver Malware — A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser as a precursor to ClickFix attacks. Unlike typical ClickFix schemes that use non-existent security alerts or CAPTCHAs to lure users into executing malicious commands, the new CrashFix variant leverages a malicious extension that first intentionally crashes the victim’s browser and then delivers a fraudulent fix. When the browser is restarted, the extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to identify the problem. Doing so opens a new window with a bogus warning about detected security issues, along with instructions on how to fix the problem, which involve executing malicious commands in the Windows Run prompt, in a typical ClickFix fashion. While the extension has since been removed, the attacks are designed to deliver a new Python-based remote access tool called ModeloRAT. The findings show that browser extensions are a high-risk attack vector for enterprises, allowing threat actors to bypass traditional security controls and gain a foothold on corporate endpoints.
• Contagious Interview Evolves to Deliver Backdoor via VS Code — The North Korean threat actors behind the Contagious Interview campaign are employing a new mechanism that uses Microsoft Visual Studio Code (VS Code) to deliver a previously unseen backdoor that enables remote code execution on developer systems. The attack chain starts when targets are asked to clone and open malicious repositories hosted on GitHub, GitLab, or Bitbucket, typically framed as part of a technical assignment or code review exercise related to the hiring process. “The most important facilitator for this attack vector is the configuration’s runOptions property, which supports a runOn value of folderOpen, causing the defined task to execute automatically when a workspace is opened,” Abstract Security said. “Contagious Interview actors exploit this by including malicious shell commands in tasks.json files. When a victim clones a repository to their local machine and opens it in VS Code, the malicious task executes and kicks off the infection chain leading to malware installation.” The malicious payloads are mostly hosted on Vercel domains, but other domains like vscodeconfig(.)com and vscode-load.onrender(.)com have also been identified. In at least one case, the “tasks.json” file is used to install a malicious npm package named “jsonwebauth.” Contagious Interview has been active since 2022, primarily targeting software developers and IT professionals, especially in the blockchain and cryptocurrency sectors. As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified between August 2024 and September 2025, most of which are concentrated around South Asia and North America.

• 1Password Adds Warnings for Phishing Sites — Password manager 1Password has added a new security feature that warns users when they’re on a phishing or spoofed site, and they’re prompted to enter their credentials. “When a 1Password user clicks a link where the URL doesn’t match their saved login, 1Password won’t autofill their credentials,” it said. “When a user attempts to paste their credentials, the 1Password browser extension displays a pop-up warning, prompting them to pause and exercise caution before proceeding.”
• Malicious Chrome Extensions Steal OpenAI API Keys and User Prompts — A malicious Google Chrome extension named H-Chat Assistant (ID: dcbcnpnaccfjoikaofjgcipcfbmfkpmj) with over 10,000 users has been found to steal users’ OpenAI API keys at scale. It’s estimated to have exfiltrated at least 459 unique API keys to an attacker-controlled Telegram channel. “Once the extension is installed, users are prompted to add an OpenAI API key to interface with the chatbot,” Obsidian Security said. “The API key exfiltration occurs once a user deletes a chat or chooses to log out of the application.” While the extension works as advertised, compromised keys could enable unauthorized access to affected users’ OpenAI instances. The extension is still available for download as of writing. Obsidian Security said it has since uncovered dozens of Chrome extensions that are sending user prompts and other data to third-party/external servers. “Several of the extensions impersonate ChatGPT, creating a false sense of trust that conversations and data are only being transmitted to OpenAI,” it added.
• PasteReady Extension Pushes Malware After Purchase — In more extension-related news, the PasteReady browser extension has been used to push malware after it was put up for sale. Secure Annex’s John Tuckner said the PasteReady was made available for sale on extensionhub(.)io May 7, 2025, and the ownership transfer happened on December 27, 2025. “Version 3.4 with malware was pushed December 30, 2025,” Tuckner said in a post on X. “It was removed from the Chrome Web Store for malware January 14, 2026.”
• Microsoft Complies with Court Order to Hand Over a BitLocker Encryption Key in Fraud Case — Microsoft gave the U.S. Federal Bureau of Investigation (FBI) BitLocker keys to unlock encrypted data stored on three laptops of Windows users charged in a fraud indictment, Forbes reported. The development marks the first publicly known instance of Microsoft providing BitLocker keys. Microsoft backs up BitLocker keys to its servers when the service is set up from an active Microsoft account. While Microsoft does offer the ability to stash the keys elsewhere, such as a file or to a USB flash drive, customers are encouraged to store it on its cloud for easy key recovery. The company has since confirmed that it provides BitLocker recovery keys for encrypted data if it receives a valid legal order and the user has stored the keys on its servers, and that it’s legally required to produce the keys stored on its servers. Apple also provides a similar service, but with two tiers: Standard data protection and Advanced Data Protection for iCloud. According to Microsoft’s most recent Government Requests for Customer Data Report, covering July 2024 through December 2024, the company received a total of 128 requests from law enforcement organizations around the world. Of these, only four of them, three in Brazil and one in Canada, led to the disclosure of content.
• Ilya Lichtenstein Wants a Cybersecurity Job — Ilya Lichtenstein, who was behind the massive hack of cryptocurrency exchange Bitfinex in 2016, said he has changed his ways. “Ten years ago, I decided that I would hack the largest cryptocurrency exchange in the world,” Lichtenstein wrote on LinkedIn. “This was a terrible idea. It was the worst thing I had ever done,” he added. “It upended my life, the lives of people close to me, and affected thousands of users of the exchange. I know I disappointed a lot of people who believed in me and grossly misused my talents.” Lichtenstein was arrested in 2022 for the hack, and was released to home confinement earlier this month after serving nearly four years in prison. In the post, Lichtenstein said he has “always been motivated by technical challenges rather than material wealth” and that mathematics became his “escape from the hard realities of the prison world.” Lichtenstein concluded by saying he wants to work in cybersecurity. “I think like an adversary,” he said. “I’ve been an adversary. Now I can use those same skills to stop the next billion-dollar hack.”
• Anthropic Details Assistant Axis — AI company Anthropic has detailed what it describes as the “Assistant Axis,” a pattern of neural activity in large language models that governs their default identity and helpful behavior. The axis is believed to be created during post-training, when models are taught to play the role of an “Assistant,” or it’s likely that it already exists in pre-trained models. “By monitoring models’ activity along this axis, we can detect when they begin to drift away from the Assistant and toward another character,” Anthropic said. “And by constraining their neural activity (‘activation capping’) to prevent this drift, we can stabilize model behavior in situations that would otherwise lead to harmful outputs.”
• China Blames Taiwan for 1000s of Cyber Attacks — The Chinese government said it investigated nearly 4,000 cyber attacks in 2025 that originated from Taiwan. The figure represents a 25% increase year-over-year. The attacks sought to steal classified information from critical mainland sectors, including transportation, finance, science and technology, and energy. Some of the operations were allegedly carried out by the Taiwanese military.
• Romania Dismantles Murder-for-Hire Operation — Romanian authorities dismantled an organized criminal group that operated a murder-for-hire operation. The group ran a website that allowed anonymous users to pay for assassinations using cryptocurrencies through an escrow system. Authorities executed three search warrants in the municipalities of Bucharest and Râmnicu Vâlcea and questioned two individuals behind the scheme. They also seized more than $750,000 in digital assets and cash worth 292,890 lei, $650,000, and €48,600 from their homes.
• Ireland Proposes New Law Allowing Police to Use Spyware — The Irish government plans to draft legislation that would make it legal for law enforcement to use spyware. The Minister for Justice, Home Affairs and Migration, Jim O’Callaghan, said the government has approved proposals for an “updated and comprehensive legal framework for lawful interception” that will also “include robust legal safeguards to provide continued assurance that the use of such powers is necessary and proportionate.” The ministry also noted there is an urgent need for a new legal framework for lawful interception to counter serious crime and security threats.
• Microsoft Emerges as the Most Impersonated Brand in Q4 2025 — Microsoft has emerged as the most commonly impersonated brand in phishing attacks during the fourth quarter of 2025. Microsoft was followed by Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase. “Scammers ramped up brand impersonation attacks throughout Q4 2025, timing their campaigns around when people are busiest online, shopping for deals, renewing subscriptions, or looking for jobs,” Guardio said. “Attackers weaponize brand recognition, betting that a Microsoft billing alert or Facebook security notification will bypass skepticism when it arrives during year-end account reviews, holiday coordination chaos, or gift card purchase rushes.”
• Germany Expels Russian Diplomat Accused of Spying — Germany expelled a Russian diplomat accused of spying, further escalating geopolitical tensions between Berlin and Moscow over intelligence activity linked to the war in Ukraine. “We do not accept espionage in Germany – and particularly not under the cover of diplomatic status. We summoned the Russian Ambassador to the Federal Foreign Office today and informed him that the individual who spied on behalf of Russia is to be expelled,” the German Foreign Office said. German outlet Der Spiegel and Russian independent media organization The Insider identified the expelled diplomat as Andrei Mayorov, Russia’s deputy military attache in Germany. Mayorov reportedly holds the rank of colonel in Russia’s military intelligence agency, the GRU. He is alleged to have acted as the handler for Ilona Kopylova, a dual Ukrainian-German citizen who was arrested in Berlin on suspicion of spying for Russia.
• Bad Actors Hijack Snap Publisher Domains for Malware Delivery — Scammers are hijacking legitimate Canonical Snap Store publisher accounts by registering expired domains associated with those accounts to trigger password resets. Once in control, these attackers push malicious updates to established, trustworthy applications to deploy cryptocurrency wallet-draining malware. The domain resurrection attack has hijacked accounts associated with two Linux packages storewise.tech and vagueentertainment.com. The threat actors behind this campaign are believed to be located in Croatia.
• Handala Group Uses Starlink For Attacks — The Iranian hacktivist group known as Handala has been observed carrying out attacks via Starlink connections. According to Check Point, activity from the group ceased when the Iranian regime cut off the internet across the country, but has since resumed as of January 17, 2026, from Starlink IP ranges and hitting targets across the Middle East.

• 884 Flaw Exploited for the First Time in 2025 — As many as 884 vulnerabilities were exploited for the first time in 2025, up from 768 CVEs in 2024. According to vulnerability management company VulnCheck, 28.96% of Known Exploited Vulnerabilities (KEVs) were weaponized on or before the day their CVE was published, an increase from the 23.6% observed in 2024. Network edge devices, including firewalls, VPNs, and proxies, were the most frequently targeted technologies, followed by content management systems and open source software. “This reinforces the urgency for organizations to act quickly on newly disclosed vulnerabilities while continuing to reduce long-standing vulnerability backlogs,” VulnCheck said.
• 2 Venezuelans Convicted in U.S. for Using Malware to Hack ATMs — Two Venezuelan nationals, Luz Granados, 34, and Johan Gonzalez-Jimenez, 40, are set to be deported after being convicted of conspiracy and computer crimes in an ATM jackpotting scheme. “Jimenez and Granados targeted older model Automated Teller Machines (ATM) throughout the southeastern United States to steal money after business hours,” the U.S. Justice Department said. “The defendants would approach an ATM at nighttime and remove the outer casing of the machine and then connect a laptop computer to install malware that overcame the ATM’s security protocols. Once installed, the ATMs dispersed cash to the perpetrators until the ATM’s funds are exhausted.” Granados has been sentenced to time served and has been ordered to pay $126,340 in restitution. Gonzalez-Jimenez was sentenced to 18 months in federal prison and was ordered to pay $285,100 in restitution.
• Russian National Pleads Guilty to Ransomware Spree — A Russian national has pleaded guilty to leading the Zeppelin ransomware group that targeted at least 50 victims during a four-year period ending between May 2018 and August 2022. Ianis Aleksandrovich Antropenko faces up to 25 years in jail and fines up to $750,000, CyberScoop reported. He has also been ordered to pay restitution to his victims and forfeit property, CyberScoop reported. In August 2025, the U.S. Justice Department unsealed six warrants authorizing the seizure of over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle. The cryptocurrency was seized from a wallet controlled by Antropenko.
• Critical Security Flaws in OpenKM — Multiple zero-day vulnerabilities have been disclosed in OpenKM that could result in remote code execution, unrestricted SQL execution, and file disclosure. The flaws remain unpatched, according to Terra System Labs. “The discovered issues allow a single authenticated administrator to fully compromise the OpenKM server, backend database, and sensitive stored documents,” the Indian cybersecurity company said. “The findings highlight systemic security design weaknesses in trusted administrative interfaces and demonstrate how these flaws can be chained to achieve complete system takeover.”
• Command Injection Flaw in Vivotek Legacy Firmware — Akamai has disclosed details of a new vulnerability within Vivotek legacy firmware that allows remote users to inject arbitrary code into the filename supplied to upload_map.cgi. The security issue has been assigned the CVE identifier CVE-2026-22755 (CVSS score: 9.3). “This exploit affects a wide range of legacy older camera models, allowing attackers to execute malicious commands as the root user without requiring authentication,” security researcher Larry Cashdollar said. “It enables attackers to upload files with filenames that, when processed by the server, execute system commands and result in root access.”
• Mamba PhaaS Kit Detailed — Cybersecurity researchers have shed light on a phishing-as-a-service (PhaaS) kit named Mamba that first emerged in 2023 coinciding with the emergency of adversary-in-the-middle (AiTM) phishing. “Campaigns associated with Mamba phishing operations are most commonly delivered through email-based lures designed to drive the victim directly to the phishing URL,” CYFIRMA said. “These lures typically impersonate routine business or security-related communications to create urgency and legitimacy. Mamba’s design reflects a growing reliance on service-based phishing tooling, where operational efficiency and repeatability are prioritized over bespoke attack development.”
• New Stanley Kit Guarantees Chrome Web Store Approval — A threat actor is selling access to a toolkit dubbed Stanley that can build malicious Chrome extensions that pass the Web Store verification process. “For $2,000 to $6,000, Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley said. The toolkit is being sold on a Russian-speaking hacking forum for prices ranging from $2,000 to $6,000. It comes with a C2 panel that allows customers to target individual infections for specific actions. “Once a target is selected, attackers configure URL hijacking rules specific to that user,” Varonis said. “Beyond passive hijacking, operators can actively lure users to targeted pages through real-time notification delivery. The notifications come from Chrome itself, not a website, so they carry more implicit trust.” More importantly, the URL hijacking rules ensure that the browser’s address bar continues to display a legitimate domain, while the victim actually sees and interacts with the attacker’s phishing page. Thus when a victim navigates to a targeted website, the extension intercepts the navigation and overlays a fullscreen iframe containing the phishing page. It’s designed to steal login credentials and financial information by deceiving people into thinking they’re visiting real websites.
• EmEditor Supply Chain Compromise Analyzed — The December 2025 supply chain attack targeting EmEditor allowed unknown threat actors to distribute a multi-stage malware capable of credential theft, data exfiltration, and follow-on intrusion through lateral movement, while also taking steps to evade detection by disabling event tracing for Windows. “EmEditor has longstanding recognition within Japanese developer communities as a recommended Windows-based editor,” Trend Micro said. “This suggests that the attackers are targeting this specific user base, or that they have a particular target among EmEditor users and used the compromised download page as a delivery mechanism.” The malware has been found to exclude systems located in Armenia, Belarus, Georgia, Kazakhstan, and Kyrgyzstan, suggesting that they could be of Russian origin or from the Commonwealth of Independent States (CIS).
• Abusing Azure Private Link to Access Azure Resources — New research has found that certain configurations of Microsoft Azure’s Private Endpoint architecture could be exploited to stage denial-of-service (DoS) attacks against Azure resources. Palo Alto Networks Unit 42 said over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. “For example, denying service to storage accounts could cause Azure Functions within FunctionApps and subsequent updates to these apps to fail,” the cybersecurity company said. “In another scenario, the risk could lead to DoS to Key Vaults, resulting in a ripple effect on processes that depend on secrets within the vault.” To counter the attacks, it’s advised to enable fallback to public DNS resolution and manually add DNS records for affected resources.

🎥 Cybersecurity Webinars

• Cloud Forensics Is Broken. This Is What Works Now → Cloud attacks move fast and often leave little evidence behind. This webinar explains how modern cloud forensics uses host-level data and AI to help security teams understand what happened, how it happened, and respond faster in today’s cloud environments.
• How to Build a Smarter SOC Without Adding More Tools → Security teams are stretched thin, with too many tools and too little clarity. This webinar breaks down how modern SOCs really work, focusing on practical choices around what to build, buy, and automate—without hype. It’s for teams looking to make smarter decisions with the tools and resources they already have.
• When Today’s Encryption Won’t Be Enough Tomorrow → Quantum computing is moving from theory to reality, and it will change how data security works. Information that is encrypted today may be broken in the future using more powerful systems. This webinar helps security leaders understand what that risk means in practical terms and how to start preparing now, using clear, real-world approaches that protect data without disrupting existing systems.

🔧 Cybersecurity Tools

• NetAlertX – It is a simple tool that helps you see what devices are connected to your network. It keeps a live list of computers, phones, servers, and other hardware, and shows when something new appears or changes. This makes it useful for spotting unknown devices, tracking assets, and staying aware of what’s happening across your network without using heavy or complex security tools.
• RzWeb – It is a simple way to look inside software files without installing any tools. It runs fully in your web browser, so you can open a file and start examining how it works right away. Everything happens on your own machine, which makes it useful for quick checks, learning, or analysis when you don’t want to set up a full reverse-engineering environment.

Disclaimer: These tools are for learning and research only and have not been fully security-tested. Review the code carefully, use it only in safe environments, and follow all applicable rules and laws.

Conclusion

This edition makes one thing clear: risk now sits in everyday tools and normal choices. Small gaps are all it takes.

None of these stories stands alone. They point to a wider pattern where speed matters and delays cost real damage. Treat this list as a snapshot. The details will change. The pressure will not.