π¨ Fake SymPy on PyPI is targeting Linux devs. The package sympy-dev clones the real project text, poses as a dev build, and has 1,100+ downloads since Jan 17.
It activates only when certain math functions run, then loads an XMRig miner fully in memory to avoid traces.
π Learn how the loader works β https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
It activates only when certain math functions run, then loads an XMRig miner fully in memory to avoid traces.
π Learn how the loader works β https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
π€―7β‘1
Learn cybersecurity risk management from the experts at Georgetown. Attend our webinar on TBD.
Sign up - https://thn.news/risk-mgmt-insight
Sign up - https://thn.news/risk-mgmt-insight
π6
β οΈπ§ Email is still the easiest way in.
In Google Workspace, BEC attacks often carry no links or malware, so native defenses miss them. One compromised inbox can expose years of sensitive email and files.
Hardening helps, but blind spots remain.
π Gmail limits, real attack paths β https://thehackernews.com/2026/01/filling-most-common-gaps-in-google.html
In Google Workspace, BEC attacks often carry no links or malware, so native defenses miss them. One compromised inbox can expose years of sensitive email and files.
Hardening helps, but blind spots remain.
π Gmail limits, real attack paths β https://thehackernews.com/2026/01/filling-most-common-gaps-in-google.html
π8
Behind every bar in this report is time won, money saved, or risk stopped.
@anyrun_app helps businesses boost DR by 36% & reduce MTTR by 21 minutes with better attack visibility for SOC & MSSP teams.
See how it can support your org in 2026 π https://thn.news/threat-intel-hub
@anyrun_app helps businesses boost DR by 36% & reduce MTTR by 21 minutes with better attack visibility for SOC & MSSP teams.
See how it can support your org in 2026 π https://thn.news/threat-intel-hub
π₯8
π₯ ThreatsDay Bulletin β Get this weekβs active threat landscape...
π Zero-click Pixel exploit
𧱠EU moves to lock down the tech supply chain
π·οΈ Mass WordPress plugin reconnaissance
π’ Malvertising β infostealers & RATs
π§Ύ Fake invoices, loans, and proxyware abuse
π 18,000+ active C2 servers exposed
πΈ Crypto scams racing past $17B
π§ ATM malware ring dismantled
π Read all 20 updates β https://thehackernews.com/2026/01/threatsday-bulletin-pixel-zero-click.html
π Zero-click Pixel exploit
𧱠EU moves to lock down the tech supply chain
π·οΈ Mass WordPress plugin reconnaissance
π’ Malvertising β infostealers & RATs
π§Ύ Fake invoices, loans, and proxyware abuse
π 18,000+ active C2 servers exposed
πΈ Crypto scams racing past $17B
π§ ATM malware ring dismantled
π Read all 20 updates β https://thehackernews.com/2026/01/threatsday-bulletin-pixel-zero-click.html
π4π€4β‘2π2
π¨ An 11-year-old critical flaw in GNU InetUtils telnetd lets attackers log in as root with no password.
Tracked as CVE-2026-24061 (CVSS 9.8), it affects all versions 1.9.3β2.7 due to an unsanitized USER environment value passed to login.
β οΈ Exploitation has already been observed in the wild.
π Read βhttps://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
Tracked as CVE-2026-24061 (CVSS 9.8), it affects all versions 1.9.3β2.7 due to an unsanitized USER environment value passed to login.
β οΈ Exploitation has already been observed in the wild.
π Read βhttps://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
π€―18π±4π₯2β‘1π1
β οΈ Osiris ransomware hit a major food service operator in Southeast Asia, researchers say.
The attack used a custom POORTRY driver to shut down security tools, then encrypted systems and exfiltrated data to cloud storage.
π Details here β https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html
The attack used a custom POORTRY driver to shut down security tools, then encrypted systems and exfiltrated data to cloud storage.
π Details here β https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html
π12π±7π₯2β‘1
π οΈβ οΈ Attackers are abusing trusted IT tools, not deploying malware.
A new campaign steals email logins, then installs legitimate RMM software for silent, long-term access.
Because the tools are signed and allowed, many security controls donβt trigger.
π Details β https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html
A new campaign steals email logins, then installs legitimate RMM software for silent, long-term access.
Because the tools are signed and allowed, many security controls donβt trigger.
π Details β https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html
π5π3π±3β‘2
πΊπΈ TikTok confirmed a new U.S. joint venture to stay operational in the country.
ByteDance will reduce its stake to 19.9%, giving majority control to U.S. investors.
U.S. user data and algorithms will move to Oracleβs U.S. cloud with third-party security audits.
π Read β https://thehackernews.com/2026/01/tiktok-forms-us-joint-venture-to.html
ByteDance will reduce its stake to 19.9%, giving majority control to U.S. investors.
U.S. user data and algorithms will move to Oracleβs U.S. cloud with third-party security audits.
π Read β https://thehackernews.com/2026/01/tiktok-forms-us-joint-venture-to.html
π9π±5π€3π€―1
π¨ Fortinet confirms active exploitation of CVE-2025-59718 / 59719, allowing FortiGate FortiCloud SSO bypass β even on fully patched devices.
Attackers abuse crafted SAML logins to gain admin access, add persistent accounts, enable VPN, and steal configs. Disabling FortiCloud SSO is advised.
π Details β https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html
Attackers abuse crafted SAML logins to gain admin access, add persistent accounts, enable VPN, and steal configs. Disabling FortiCloud SSO is advised.
π Details β https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html
π8π±5β‘1
π¨ CISA added four exploited vulnerabilities to its KEV list, impacting Zimbra, Versa SD-WAN, Vite, and a compromised npm package linked to a supply-chain attack.
β³ U.S. federal agencies must apply fixes by Feb 12 under BOD 22-01.
π CVEs, fixes, and deadlines β https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html
β³ U.S. federal agencies must apply fixes by Feb 12 under BOD 22-01.
π CVEs, fixes, and deadlines β https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html
π₯7π3β‘1
π¨ CISA confirms active exploitation of a critical VMware vCenter Server flaw.
CVE-2024-37079 allows remote code execution via a DCE/RPC heap overflow if an attacker has network access.
π Details β https://thehackernews.com/2026/01/cisa-adds-actively-exploited-vmware.html
CVE-2024-37079 allows remote code execution via a DCE/RPC heap overflow if an attacker has network access.
π Details β https://thehackernews.com/2026/01/cisa-adds-actively-exploited-vmware.html
π₯10π€―6π€2
π΅π± Poland blocked what officials described as its strongest cyberattack on the energy sector in years.
ESET links it to Russia-aligned Sandworm, which used a new DynoWiper malware to target β‘ power plants and renewable energy systems in late Dec 2025.
πDetails β https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
ESET links it to Russia-aligned Sandworm, which used a new DynoWiper malware to target β‘ power plants and renewable energy systems in late Dec 2025.
πDetails β https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
π8π7
π€ AI agents now move faster than IAM can see.
Shared agents quietly gain broad, long-lived access across systems, often with no clear owner. Thatβs how access drift begins.
The risk isnβt stolen credsβitβs valid access used in unsafe ways that never trigger alerts.
π Read β https://thehackernews.com/2026/01/who-approved-this-agent-rethinking.html
Shared agents quietly gain broad, long-lived access across systems, often with no clear owner. Thatβs how access drift begins.
The risk isnβt stolen credsβitβs valid access used in unsafe ways that never trigger alerts.
π Read β https://thehackernews.com/2026/01/who-approved-this-agent-rethinking.html
π4β‘3
β οΈ Russian users hit by a new phishing chain delivering Amnesia RAT and ransomware.
Fake business docs and LNK files do the work β no exploits. Payloads are split across GitHub and Dropbox, then Microsoft Defender is disabled using defendnot.
πFull attack chain and defenses β https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html
Fake business docs and LNK files do the work β no exploits. Payloads are split across GitHub and Dropbox, then Microsoft Defender is disabled using defendnot.
πFull attack chain and defenses β https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html
π₯28π€―4π±3π€2β‘1π1
π§βπ» North Koreaβs Konni group is using AI-assisted PowerShell malware to target blockchain developers.
Campaigns hit Japan, Australia, and India via Google adβstyle phishing links that bypass filters and drop EndRAT.
π Inside the full attack chain β https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html
Campaigns hit Japan, Australia, and India via Google adβstyle phishing links that bypass filters and drop EndRAT.
π Inside the full attack chain β https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html
π₯9β‘5π€―4π3π2
π Attackers now use π€ AI to write, hide, and mutate malware in real time. Google and Anthropic confirm AI-orchestrated attacks running autonomously end to end.
They bypass EDR by looking normal on each endpoint. The tell is in network behavior.
π How network signals expose what endpoints miss β https://thehackernews.com/2026/01/winning-against-ai-based-attacks.html
They bypass EDR by looking normal on each endpoint. The tell is in network behavior.
π How network signals expose what endpoints miss β https://thehackernews.com/2026/01/winning-against-ai-based-attacks.html
β‘15π4π3π€―3