🛑 Chinese-speaking attackers hijacked a SonicWall VPN to escape VMware ESXi guest VMs.

Huntress stopped it before ransomware, but the chain abused 3 VMware zero-days now on CISA’s KEV list.

🔗 Read → https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html

Europol says Spanish police arrested 34 suspects linked to Black Axe, a Nigeria-origin crime syndicate.

The 🕵️‍♂️ group is tied to cyber fraud, trafficking, and violent crime worldwide. Investigators estimate €5.93M in fraud losses, with cash and bank funds seized in Spain.

🔗 Read → https://thehackernews.com/2026/01/europol-arrests-34-black-axe-members-in.html

⚠️ Chinese crime groups are running 🐷 pig-butchering scams like a startup.

Researchers found $2,500 turnkey kits with fake trading sites, apps, hosting, and laundering—built to scale fast, no skills needed.

🔗 Read details here → https://thehackernews.com/2026/01/researchers-uncover-service-providers.html

🏥🤖 Anthropic just rolled out Claude for Healthcare.

U.S. users can connect lab results and health records, get plain-English explanations, spot patterns, and prep for doctor visits.

Data sharing is opt-in and not used for training

🔗 Read → https://thehackernews.com/2026/01/anthropic-launches-claude-ai-for.html

🚨 New GoBruteforcer wave is hijacking crypto and blockchain databases to expand a password-brute-forcing botnet.

Researchers link the spike to AI-generated setup guides and reused defaults in legacy stacks like XAMPP. These servers are easy to take over, stay online 24/7, and scale attacks fast.

🔗 Read → https://thehackernews.com/2026/01/gobruteforcer-botnet-targets-crypto.html

➡️🛑 Pentesting in 2026 isn’t failing at testing. It’s failing at what happens after.

In a new analysis, Dan DeCloss explains why static reports slow real progress—and why teams that actually reduce risk treat findings as living inputs to daily work, not PDFs that get forgotten.

Why execution, not output, now defines pentest success → https://thehackernews.com/expert-insights/2026/01/the-2026-state-of-pentesting-how-modern.html

🚨 This week’s cyber risk moved fast and wide.

⚙️ Automation abused
📱 Mobile botnets scaled
📡 Telecoms mapped
💸 Crypto crime surged
🧪 Exploits outpaced patches
🗂️ Crime forums leaked
🧩 AI chats stolen
🐛 Bugs weaponized
🇮🇳 Policy pushback
📩 Political inboxes hit

One pattern. Many fronts.

Here’s the full recap of what mattered most ↓ https://thehackernews.com/2026/01/weekly-recap-ai-automation-exploits.html

🚨 Attackers uploaded fake n8n community nodes to npm to steal OAuth tokens from live workflows.

The packages mimicked real integrations, ran with full n8n access, decrypted credentials during execution, and exfiltrated them.

Eight were removed, but activity appears ongoing.

🔗 Read about it here → https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html

🚨 CISA confirms active exploitation of a Gogs flaw now added to the KEV list.

CVE-2025-8110 (CVSS 8.7) abuses symlink handling to write outside repositories, enabling code execution. Around 700 exposed instances are already compromised.

🔗 Read → https://thehackernews.com/2026/01/cisa-warns-of-active-exploitation-of.html

Researchers uncovered SHADOW#REACTOR, a multi-stage campaign delivering Remcos RAT.

It starts with an obfuscated VBS launcher, moves through PowerShell, and rebuilds fragmented text payloads in memory. The defining trait is text-only stagers and LOLBin abuse to reduce detection.

🔗 Read → https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html

Annual pentests are too slow and narrow for today's threats.
Stop chasing every vulnerability and start validating what’s actually exploitable. Exposure Validation filters your list down to the risks that matter most.

Check out the guide: https://thn.news/exposure-validation-intro

🚨 ServiceNow patched a critical AI Platform flaw enabling unauthenticated user impersonation and actions as the victim.

CVE-2025-12420 (CVSS 9.3) affects Now Assist and Virtual Agent. Fixed Oct 30. No known exploitation.

🔗 Details here → https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html

Researchers disclosed VoidLink, a modular Linux malware built for long-term, stealthy cloud access.

It detects AWS, Azure, GCP, Docker, and Kubernetes, adapts its behavior, steals credentials, and enables lateral movement using rootkit-style techniques 🧩

🔗 Read here → https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html

🚨 The most effective attacks in 2025 still rely on 2015-era tactics—just at far greater scale.

Supply-chain abuse remains central, from npm package takeovers to long-term trust attacks like XZ Utils. AI didn’t change attacker strategy; it automated execution, reducing time, cost, and manpower.

🔗 Why fundamentals still fail → https://thehackernews.com/2026/01/what-should-we-learn-from-how-attackers.html

🤖 AI agents now build, test, and deploy code on their own. The real risk isn’t the model—it’s who controls what the agent can run, call, and access.

This WEBINAR breaks down MCPs, permissions, and practical controls to secure agentic AI without slowing teams.

⏳ Save your seat → https://thehackernews.com/2026/01/webinar-t-from-mcps-and-tool-access-to.html

🚨 Malicious Chrome extension targeted MEXC users by abusing an already logged-in browser session.

It auto-created new API keys, secretly enabled withdrawals, hid that permission in the UI, and sent the keys to a Telegram bot.

Uninstalling the extension didn’t revoke 🔑 access.

🔗 Read → https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html

🚨 A web skimming campaign active since January 2022 is still stealing checkout data from compromised e-commerce sites.

Researchers found Magecart-style JavaScript that hides from admins, swaps real Stripe forms with fakes, steals card and personal data, then erases itself.

🔗 How the skimmer works → https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html

🚨 Ukraine’s CERT reports PLUGGYAPE malware attacks on defense forces from Oct–Dec 2025.

Hackers used Signal and WhatsApp, posing as charities to deliver password-protected archives. New variants add stealth and flexible C2 via external services.

🔗 Read → https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html

🚨 Node.js fixed a DoS bug where apps crash instead of throwing a catchable error.

🧩 CVE-2025-59466 impacts Next.js, React Server Components, and most APM tools via AsyncLocalStorage. When async_hooks is enabled, deep recursion can force a hard process exit, dropping services.

🔗 Read → https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html

⚠️ Microsoft’s first Patch Tuesday of 2026 fixes 114 Windows flaws, including one exploited in the wild.

CVE-2026-20805 is a local info-leak in Desktop Window Manager that can expose memory addresses and weaken ASLR.

🔗 Read → https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

🚨 Fortinet fixed a CVSS 9.4 bug in FortiSIEM that allows unauthenticated code execution.

The issue is in the phMonitor service on TCP port 7900. Crafted requests can trigger OS command injection, enabling file writes as admin and escalation to root via a scheduled task.

🔗 Details → https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

🔐 Patch now. Restrict access to port 7900.