π₯ ThreatsDay Bulletin: First of 2026
β’ GhostAd drains phones
β’ GlassWorm hits Macs
β’ AWS key flaw
β’ DPRK fake devs
β’ Meta ad cleanup
β’ Proxy botnets
β’ Crypto heists
β’ Cloud exploits
β’ Android fraud
β’ Hacktivist ops
β’ OceanLotus malware
β’ Magecart upgrade
β’ Disney fined
Full recap β¬οΈ https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html
β’ GhostAd drains phones
β’ GlassWorm hits Macs
β’ AWS key flaw
β’ DPRK fake devs
β’ Meta ad cleanup
β’ Proxy botnets
β’ Crypto heists
β’ Cloud exploits
β’ Android fraud
β’ Hacktivist ops
β’ OceanLotus malware
β’ Magecart upgrade
β’ Disney fined
Full recap β¬οΈ https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html
π₯13π2
π¨ A former Coinbase support agent was arrested in India after hackers bribed contractors to steal customer data.
The breach exposed 69,461 users and led to a $20M ransom demand. Coinbase cut ties with involved vendors and says more arrests are coming.
π Details β https://thehackernews.com/2025/12/weekly-recap-mongodb-attacks-wallet.html#:~:text=Former%20Coinbase%20Customer%20Service%20Agent%20Arrested%20in%20India
The breach exposed 69,461 users and led to a $20M ransom demand. Coinbase cut ties with involved vendors and says more arrests are coming.
π Details β https://thehackernews.com/2025/12/weekly-recap-mongodb-attacks-wallet.html#:~:text=Former%20Coinbase%20Customer%20Service%20Agent%20Arrested%20in%20India
π17π7π±6π₯4
Researchers uncovered phishing sent through Google Cloudβs built-in email feature. Emails came from google[.]com, not spoofed domains, making them harder to spot.
Clicks passed through Google-hosted pages before stealing Microsoft login credentials.
π Read β https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html
Clicks passed through Google-hosted pages before stealing Microsoft login credentials.
π Read β https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html
π₯26π€―8β‘5π1
APT36 (Transparent Tribe) has been linked to new espionage attacks against Indian government and academic targets.
Emails deliver ZIP files with PDF-looking LNK shortcuts that run malware via mshta.exe and load the RAT in memory.
π Technical details β https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html
Emails deliver ZIP files with PDF-looking LNK shortcuts that run malware via mshta.exe and load the RAT in memory.
π Technical details β https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html
π20π₯5π€―5
Attack Surface Management usually proves visibility, not safety.
Teams count assets and alerts, but canβt show reduced exposure.
ROI only appears when risky assets get owned and fixed faster, not when inventories grow.
π Why ASM feels busy but ineffective β https://thehackernews.com/2026/01/the-roi-problem-in-attack-surface.html
Teams count assets and alerts, but canβt show reduced exposure.
ROI only appears when risky assets get owned and fixed faster, not when inventories grow.
π Why ASM feels busy but ineffective β https://thehackernews.com/2026/01/the-roi-problem-in-attack-surface.html
π13π₯2π2
β οΈ Researchers disclosed VVS Stealer, a Python-based infostealer built to drain Discord tokens and browser data.
alerts to stay active. Obfuscated with PyArmor, itβs designed to slip past signature-based defenses.
πRead β https://thehackernews.com/2026/01/new-vvs-stealer-malware-targets-discord.html
alerts to stay active. Obfuscated with PyArmor, itβs designed to slip past signature-based defenses.
πRead β https://thehackernews.com/2026/01/new-vvs-stealer-malware-targets-discord.html
π₯14β‘4π3π2
Ilya Lichtenstein, sentenced in 2024 for laundering funds tied to the 2016 Bitfinex hack, says he was released early.
He credits the First Step Act after serving time for moving proceeds from 119,754 bitcoin stolen in the breach.
π Read β https://thehackernews.com/2026/01/bitfinex-hack-convict-ilya-lichtenstein.html
He credits the First Step Act after serving time for moving proceeds from 119,754 bitcoin stolen in the breach.
π Read β https://thehackernews.com/2026/01/bitfinex-hack-convict-ilya-lichtenstein.html
π8π€―6π€4β‘1π₯1
π₯ No reset for cyber risk in 2026.
The latest recap shows steady pressure across common systems.
π§ IoT botnets abusing React2Shell
π Trust Wallet Chrome extension breach
𧩠Malicious browser extensions at scale
πΈ Crypto scams via fake wallet updates
π‘ Botnets targeting exposed routers
π§βπ» Phishing via legitimate services
π Old flaws reused and re-exploited
ποΈ Supply chain gaps in plugins and tools
π Read the latest weekly cyber recap β https://thehackernews.com/2026/01/weekly-recap-iot-exploits-wallet.html
The latest recap shows steady pressure across common systems.
π§ IoT botnets abusing React2Shell
π Trust Wallet Chrome extension breach
𧩠Malicious browser extensions at scale
πΈ Crypto scams via fake wallet updates
π‘ Botnets targeting exposed routers
π§βπ» Phishing via legitimate services
π Old flaws reused and re-exploited
ποΈ Supply chain gaps in plugins and tools
π Read the latest weekly cyber recap β https://thehackernews.com/2026/01/weekly-recap-iot-exploits-wallet.html
π₯6π3π2
Passwords, perimeter tools, and annual training are no longer enough on their own. Across SaaS, endpoints, and supply chains, attackers move faster by abusing trust and context.
The report shows how defenders are responding β from hardware-backed identity to binary verification. Identity is becoming the control plane.
π Full analysis and expert insights β https://thehackernews.com/2026/01/the-state-of-cybersecurity-in-2025key.html
The report shows how defenders are responding β from hardware-backed identity to binary verification. Identity is becoming the control plane.
π Full analysis and expert insights β https://thehackernews.com/2026/01/the-state-of-cybersecurity-in-2025key.html
π₯7β‘4π4
π‘οΈA Russia-linked hacking group is using Viber to target Ukrainian military and government entities.
Instead of email, victims receive ZIP files containing fake Office-themed shortcuts that quietly launch malware.
The attack chain ends with Remcos RAT, giving attackers full remote control.
π Read β https://thehackernews.com/2026/01/russia-aligned-hackers-abuse-viber-to.html
Instead of email, victims receive ZIP files containing fake Office-themed shortcuts that quietly launch malware.
The attack chain ends with Remcos RAT, giving attackers full remote control.
π Read β https://thehackernews.com/2026/01/russia-aligned-hackers-abuse-viber-to.html
π8π₯5π±4π3π€―1
π More than 2 million Android devices were quietly absorbed into the Kimwolf botnet.
It spreads mainly through exposed ADB, turning phones, smart TVs, and boxes into proxy relays and DDoS infrastructure.
Activity links to large-scale attacks and active resale of residential bandwidth.
π Read β https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html
It spreads mainly through exposed ADB, turning phones, smart TVs, and boxes into proxy relays and DDoS infrastructure.
Activity links to large-scale attacks and active resale of residential bandwidth.
π Read β https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html
π€―18π₯12π5π€2π1
π¨ Popular workflow automation platform n8n disclosed a critical flaw that lets authenticated users with workflow edit rights execute OS commands on the host.
Tracked as CVE-2025-68668, the issue carries a CVSS score of 9.9.
π Details here β https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
Tracked as CVE-2025-68668, the issue carries a CVSS score of 9.9.
π Details here β https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
π±9π₯7π3π3β‘2π€―1
β οΈ AdonisJS users are being advised to patch a critical flaw in adonisjs/bodyparser.
CVE-2026-21440 (CVSS 9.2) allows arbitrary file writes via path traversal when upload filenames arenβt explicitly sanitized.
π Read β https://thehackernews.com/2026/01/critical-adonisjs-bodyparser-flaw-cvss.html
CVE-2026-21440 (CVSS 9.2) allows arbitrary file writes via path traversal when upload filenames arenβt explicitly sanitized.
π Read β https://thehackernews.com/2026/01/critical-adonisjs-bodyparser-flaw-cvss.html
π7π€2π€―2
This media is not supported in your browser
VIEW IN TELEGRAM
β‘ Identity risk is no longer about bad policies. Itβs about blind spots.
IAM tools only cover whatβs fully onboarded. Everything else becomes identity dark matter, where accounts and access exist without oversight.
As environments scale, this unmanaged layer grows quietly.
π How identity goes dark β https://thehackernews.com/2026/01/what-is-identity-dark-matter.html
IAM tools only cover whatβs fully onboarded. Everything else becomes identity dark matter, where accounts and access exist without oversight.
As environments scale, this unmanaged layer grows quietly.
π How identity goes dark β https://thehackernews.com/2026/01/what-is-identity-dark-matter.html
π5
AI-powered VS Code forks are suggesting extensions that are missing from Open VSX.
That gap leaves the names unclaimed, letting anyone publish code under them.
Koi showed how a fake PostgreSQL extension spread via a single click.
π Read β https://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html
That gap leaves the names unclaimed, letting anyone publish code under them.
Koi showed how a fake PostgreSQL extension spread via a single click.
π Read β https://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html
β‘4π3π2
The Patching Paradox: You can't patch a device while itβs saving a life.
Stop chasing 10k vulnerabilities and start validating True Risk. Join us Jan 20 to learn how to secure legacy IoMT without clinical downtime.
Save your seat: https://thn.news/healthcare-sec-insights
Stop chasing 10k vulnerabilities and start validating True Risk. Join us Jan 20 to learn how to secure legacy IoMT without clinical downtime.
Save your seat: https://thn.news/healthcare-sec-insights
π4
β οΈ Bluetooth headphones built on Airoha chips have flaws that let attackers connect without pairing and control device functions over the air.
The issue sits in the RACE protocol and requires vendor firmware updates to fix.
π Learn more β https://thehackernews.com/2026/01/weekly-recap-iot-exploits-wallet.html#:~:text=Flaws%20in%20Bluetooth%20Headphones%20Using%20Airoha%20Chips%20Detailed
The issue sits in the RACE protocol and requires vendor firmware updates to fix.
π Learn more β https://thehackernews.com/2026/01/weekly-recap-iot-exploits-wallet.html#:~:text=Flaws%20in%20Bluetooth%20Headphones%20Using%20Airoha%20Chips%20Detailed
π€9π4π4
π¨ CERT/CC disclosed an unpatched flaw in the end-of-life TOTOLINK EX200.
A firmware upload error can start an unauthenticated root telnet service, giving full control after web admin access.
π Read β https://thehackernews.com/2026/01/unpatched-firmware-flaw-exposes.html
A firmware upload error can start an unauthenticated root telnet service, giving full control after web admin access.
π Read β https://thehackernews.com/2026/01/unpatched-firmware-flaw-exposes.html
π1π1
β οΈ Warning: Two Chrome extensions with 900,000+ installs were found stealing ChatGPT and DeepSeek conversations, plus all open tab URLs.
Researchers call this prompt poaching.
π Read here β https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html
Researchers call this prompt poaching.
π Read here β https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html
π±6π1
π European hotels are facing a phishing campaign abusing Booking-com cancellation emails.
Victims hit a fake site, see a fake blue screen, and are told to run a PowerShell βfix.β That installs DCRat via MSBuild.exe, sets Defender exclusions, and persists on the system.
π Learn more β https://thehackernews.com/2026/01/fake-booking-emails-redirect-hotel.html
Victims hit a fake site, see a fake blue screen, and are told to run a PowerShell βfix.β That installs DCRat via MSBuild.exe, sets Defender exclusions, and persists on the system.
π Learn more β https://thehackernews.com/2026/01/fake-booking-emails-redirect-hotel.html
π₯9π8π1π€1