Researchers uncovered SHADOW#REACTOR, a multi-stage campaign delivering Remcos RAT.

It starts with an obfuscated VBS launcher, moves through PowerShell, and rebuilds fragmented text payloads in memory. The defining trait is text-only stagers and LOLBin abuse to reduce detection.

🔗 Read → https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html

Annual pentests are too slow and narrow for today's threats.
Stop chasing every vulnerability and start validating what’s actually exploitable. Exposure Validation filters your list down to the risks that matter most.

Check out the guide: https://thn.news/exposure-validation-intro

🚨 ServiceNow patched a critical AI Platform flaw enabling unauthenticated user impersonation and actions as the victim.

CVE-2025-12420 (CVSS 9.3) affects Now Assist and Virtual Agent. Fixed Oct 30. No known exploitation.

🔗 Details here → https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html

Researchers disclosed VoidLink, a modular Linux malware built for long-term, stealthy cloud access.

It detects AWS, Azure, GCP, Docker, and Kubernetes, adapts its behavior, steals credentials, and enables lateral movement using rootkit-style techniques 🧩

🔗 Read here → https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html

🚨 The most effective attacks in 2025 still rely on 2015-era tactics—just at far greater scale.

Supply-chain abuse remains central, from npm package takeovers to long-term trust attacks like XZ Utils. AI didn’t change attacker strategy; it automated execution, reducing time, cost, and manpower.

🔗 Why fundamentals still fail → https://thehackernews.com/2026/01/what-should-we-learn-from-how-attackers.html

🤖 AI agents now build, test, and deploy code on their own. The real risk isn’t the model—it’s who controls what the agent can run, call, and access.

This WEBINAR breaks down MCPs, permissions, and practical controls to secure agentic AI without slowing teams.

⏳ Save your seat → https://thehackernews.com/2026/01/webinar-t-from-mcps-and-tool-access-to.html

🚨 Malicious Chrome extension targeted MEXC users by abusing an already logged-in browser session.

It auto-created new API keys, secretly enabled withdrawals, hid that permission in the UI, and sent the keys to a Telegram bot.

Uninstalling the extension didn’t revoke 🔑 access.

🔗 Read → https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html

🚨 A web skimming campaign active since January 2022 is still stealing checkout data from compromised e-commerce sites.

Researchers found Magecart-style JavaScript that hides from admins, swaps real Stripe forms with fakes, steals card and personal data, then erases itself.

🔗 How the skimmer works → https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html

🚨 Ukraine’s CERT reports PLUGGYAPE malware attacks on defense forces from Oct–Dec 2025.

Hackers used Signal and WhatsApp, posing as charities to deliver password-protected archives. New variants add stealth and flexible C2 via external services.

🔗 Read → https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html

🚨 Node.js fixed a DoS bug where apps crash instead of throwing a catchable error.

🧩 CVE-2025-59466 impacts Next.js, React Server Components, and most APM tools via AsyncLocalStorage. When async_hooks is enabled, deep recursion can force a hard process exit, dropping services.

🔗 Read → https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html

⚠️ Microsoft’s first Patch Tuesday of 2026 fixes 114 Windows flaws, including one exploited in the wild.

CVE-2026-20805 is a local info-leak in Desktop Window Manager that can expose memory addresses and weaken ASLR.

🔗 Read → https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

🚨 Fortinet fixed a CVSS 9.4 bug in FortiSIEM that allows unauthenticated code execution.

The issue is in the phMonitor service on TCP port 7900. Crafted requests can trigger OS command injection, enabling file writes as admin and escalation to root via a scheduled task.

🔗 Details → https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

🔐 Patch now. Restrict access to port 7900.

📊 New research across 4,700 websites finds 64% of third-party apps access sensitive data without business justification, up from 51% last year.

The increase reflects governance gaps, not new exploits. Marketing scripts and tag managers account for much of the exposure.

🔗 Key findings and accountability breakdown → https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html

🧭 Ad-hoc OSINT is still widely used across fraud, KYC, and investigations.

As Oskar Gross explains, this approach creates real operational and security risk—analysts expose themselves, evidence gets lost, and teams unknowingly redo the same work.

Scaling OSINT depends on standardized workflows and preservation, not more tools.

🔗 Inside why ad-hoc OSINT breaks at scale → https://thehackernews.com/expert-insights/2026/01/why-ad-hoc-osint-doesnt-scale-from.html

🔐 Active malware campaign abuses DLL side-loading in a signed GitKraken ahost.exe.

A rogue libcares-2.dll is placed beside it to hijack DLL search order, bypass signature checks, and run code; invoice/RFQ lures drop stealers and RATs.

🔗 Read → https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html

Everyone’s building with AI in the cloud.

Few are thinking about how to actually secure it.

NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

Worth a watch → https://thn.news/secure-cloud-insights

🚨 Researchers null-routed traffic to 550+ AISURU/Kimwolf C2 nodes since early Oct 2025.

Kimwolf has compromised 2M+ Android devices—mostly unsanctioned TV boxes via exposed ADB—and resold them as residential proxies.

🔗 Learn more → https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html

⏱️ 🔍 Many SOCs in 2026 still rely on manual malware review, which slows investigations as alert volumes rise.

Automation-first workflows reduce tool switching and manual correlation, shifting analyst time toward response. In enterprise SOCs using automated sandboxing, MTTR dropped by ~21 minutes per incident.

🔗 Learn how automation reduces response friction → https://thehackernews.com/2026/01/4-outdated-habits-destroying-your-socs.html

🛑 Microsoft says it disrupted RedVDS, a crimeware-as-a-service platform tied to phishing and financial fraud.

For $24/month, criminals rented disposable, no-log Windows RDP servers to run scams at scale. Microsoft links RedVDS activity to ~$40M in reported U.S. fraud losses since March 2025.

🔗 Details here → https://thehackernews.com/2026/01/microsoft-legal-action-disrupts-redvds.html

🛑 Palo Alto Networks patched a high-severity DoS flaw in GlobalProtect.

CVE-2026-0227 (CVSS 7.7) lets unauthenticated attackers repeatedly crash firewalls into maintenance mode.

🛡️ PoC exists; no active exploitation seen.

🔗 Read → https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html

🚨 50 CISOs surveyed. 1 clear AI priority for 2026.

As AI agents access source code, cloud infrastructure & customer data, security leaders are making tough budget decisions.

New survey data reveals:
✓ The #1 AI risk driving 2026 budgets
✓ Where current AI security falls short
✓ Which controls get funded first
✓ Budget allocation figures

Beyond Identity is sharing the complete findings in their next webinar:

📅 Tuesday, Jan 27 | 12pm ET
🔗Register here: https://thn.news/ciso-ai-insights