The Hacker News
⭐ Official THN Telegram Channel: a trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

🌐 Website: https://thehackernews.com

🚨 Malicious Chrome extension targeted MEXC users by abusing an already logged-in browser session.

It auto-created new API keys, secretly enabled withdrawals, hid that permission in the UI, and sent the keys to a Telegram bot.

Uninstalling the extension didn’t revoke 🔑 access.

🔗 Read → https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html

🚨 A web skimming campaign active since January 2022 is still stealing checkout data from compromised e-commerce sites.

Researchers found Magecart-style JavaScript that hides from admins, swaps real Stripe forms with fakes, steals card and personal data, then erases itself.

🔗 How the skimmer works → https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html

🚨 Ukraine’s CERT reports PLUGGYAPE malware attacks on defense forces from Oct–Dec 2025.

Hackers used Signal and WhatsApp, posing as charities to deliver password-protected archives. New variants add stealth and flexible C2 via external services.

🔗 Read → https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html

🚨 Node.js fixed a DoS bug where apps crash instead of throwing a catchable error.

🧩 CVE-2025-59466 impacts Next.js, React Server Components, and most APM tools via AsyncLocalStorage. When async_hooks is enabled, deep recursion can force a hard process exit, dropping services.

🔗 Read → https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html

⚠️ Microsoft’s first Patch Tuesday of 2026 fixes 114 Windows flaws, including one exploited in the wild.

CVE-2026-20805 is a local info-leak in Desktop Window Manager that can expose memory addresses and weaken ASLR.

🔗 Read → https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

🚨 Fortinet fixed a CVSS 9.4 bug in FortiSIEM that allows unauthenticated code execution.

The issue is in the phMonitor service on TCP port 7900. Crafted requests can trigger OS command injection, enabling file writes as admin and escalation to root via a scheduled task.

🔗 Details → https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

Patch now. Restrict access to port 7900.

📊 New research across 4,700 websites finds 64% of third-party apps access sensitive data without business justification, up from 51% last year.

The increase reflects governance gaps, not new exploits. Marketing scripts and tag managers account for much of the exposure.

🔗 Key findings and accountability breakdown → https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html

🧭 Ad-hoc OSINT is still widely used across fraud, KYC, and investigations.

As Oskar Gross explains, this approach creates real operational and security risk: analysts expose themselves, evidence gets lost, and teams unknowingly redo the same work.

Scaling OSINT depends on standardized workflows and preservation, not more tools.

🔗 Inside why ad-hoc OSINT breaks at scale → https://thehackernews.com/expert-insights/2026/01/why-ad-hoc-osint-doesnt-scale-from.html

Active malware campaign abuses DLL side-loading in a signed GitKraken ahost.exe.

A rogue libcares-2.dll is placed beside it to hijack DLL search order, bypass signature checks, and run code; invoice/RFQ lures drop stealers and RATs.

🔗 Read → https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html

Everyone’s building with AI in the cloud.

Few are thinking about how to actually secure it.

NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks (“shadow AI”) before attackers do. It’s a smart look at where cloud security is headed next.

Worth a watch → https://thn.news/secure-cloud-insights

🚨 Researchers null-routed traffic to 550+ AISURU/Kimwolf C2 nodes since early Oct 2025.

Kimwolf has compromised 2M+ Android devices (mostly unsanctioned TV boxes via exposed ADB) and resold them as residential proxies.

🔗 Learn more → https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html

⏱️ Many SOCs in 2026 still rely on manual malware review, which slows investigations as alert volumes rise.

Automation-first workflows reduce tool switching and manual correlation, shifting analyst time toward response. In enterprise SOCs using automated sandboxing, MTTR dropped by ~21 minutes per incident.

🔗 Learn how automation reduces response friction → https://thehackernews.com/2026/01/4-outdated-habits-destroying-your-socs.html

🛑 Microsoft says it disrupted RedVDS, a crimeware-as-a-service platform tied to phishing and financial fraud.

For $24/month, criminals rented disposable, no-log Windows RDP servers to run scams at scale. Microsoft links RedVDS activity to ~$40M in reported U.S. fraud losses since March 2025.

🔗 Details here → https://thehackernews.com/2026/01/microsoft-legal-action-disrupts-redvds.html

🛑 Palo Alto Networks patched a high-severity DoS flaw in GlobalProtect.

CVE-2026-0227 (CVSS 7.7) lets unauthenticated attackers repeatedly crash firewalls into maintenance mode.

πŸ›‘οΈ PoC exists; no active exploitation seen.

πŸ”— Read β†’ https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html
πŸ”₯8πŸ‘4
🚨 50 CISOs surveyed. 1 clear AI priority for 2026.

As AI agents access source code, cloud infrastructure & customer data, security leaders are making tough budget decisions.

New survey data reveals:
✓ The #1 AI risk driving 2026 budgets
✓ Where current AI security falls short
✓ Which controls get funded first
✓ Budget allocation figures

Beyond Identity is sharing the complete findings in their next webinar:

📅 Tuesday, Jan 27 | 12pm ET
🔗 Register here: https://thn.news/ciso-ai-insights

🚨 This week’s ThreatsDay Bulletin!

Hackers are hiding in everyday systems: cloning voices, faking invoices, breaking controllers, and stealing $26M in crypto.

Each story shows how attacks now look normal until it’s too late.

🔗 Full report: https://thehackernews.com/2026/01/threatsday-bulletin-ai-voice-cloning.html

⚠️ Researchers disclosed a one-click Copilot attack that enables silent data exfiltration.

A legitimate Copilot URL injects hidden instructions, bypasses safeguards, and can keep exfiltrating data even after the chat is closed.

🔗 Learn more → https://thehackernews.com/2026/01/researchers-reveal-reprompt-attack.html

🚨 A WordPress plugin with 40,000+ active installs is being actively exploited.

CVE-2026-23550 (CVSS 10.0) in Modular DS allows unauthenticated attackers to gain admin access by bypassing authentication through a flawed routing mechanism.

🔗 Details → https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html

🧠 AI security isn’t a model problem. It’s a workflow problem.

As AI connects apps, data, and actions, attackers target context (inputs, outputs, extensions, and permissions), not algorithms.

🔗 Why AI workflow control now defines real security → https://thehackernews.com/2026/01/model-security-is-wrong-frame-real-risk.html

⚙️ AWS fixed a CI misconfiguration in some AWS-managed GitHub repos, including the AWS JavaScript SDK.

The flaw, CodeBreach, involved broken webhook regex filters that could let untrusted users trigger privileged builds and expose admin tokens.

🔗 Read here → https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html

🚨 Cisco fixed a CVSS 10.0 RCE in AsyncOS after it was exploited as a zero-day by the China-nexus APT UAT-9686.

The flaw enables root-level command execution through the Spam Quarantine feature when it is exposed to the internet.

🔗 Read details → https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html