🚨 Two popular VS Code AI assistant extensions were caught spying on developers.

They looked normal but quietly sent opened files and code edits to servers in 🇨🇳 China.

Koi Security says 1.5M installs were exposed without consent.

🔗Read → https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html

🚨 Weekly Cybersecurity Recap

⚠️ Old flaws, new attacks
🧠 AI writing malware
🧩 Trusted software abused
⏱️ Exploits moving fast

🔐 Read the full recap. Stay alert → https://thehackernews.com/2026/01/weekly-recap-firewall-flaws-ai-built.html

🚨 ALERT: Indian users are being hit by a cyber-espionage campaign posing as Income Tax emails.

Opening the attachment installs a stealth backdoor that disguises itself as Windows Explorer, bypasses UAC, and stays hidden.

🔗 Inside the attack chain and payloads → https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html

Google Project Zero revealed a working zero-click exploit chain against Pixel 9 phones.

A bug in the Dolby audio decoder let Google Messages process a malicious audio file in the background, gaining code execution, then a kernel bug completed the takeover. Pixel patches shipped in early Jan 2026.

🔗 Read → https://thehackernews.com/2026/01/threatsday-bulletin-pixel-zero-click.html#zero-click-chain-hits-pixel

🛑 URGENT: Microsoft rushed out out-of-band fixes for an actively exploited Office zero-day.

CVE-2026-21509 (CVSS 7.8) lets attackers bypass Office security using a malicious file that must be opened by the victim.

🔗 Details → https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html

⚠️ Most OT incidents don’t start in OT. They start with routine IT gaps reaching operations.

Sygnia found risk centered on remote access, management systems, identity, and recovery—not the process network. ~60% of OT access came via trusted management paths.

🔗 Why this pattern keeps repeating across industries → https://thehackernews.com/expert-insights/2026/01/ot-security-in-practice-4-crossindustry.html

🇨🇳 China-aligned APTs are using PeckBirdy, a JScript-based C2 framework active since 2023, to move quietly across browsers, Windows tools, and servers.

🕵️‍♂️ It relies on LOLBins to deliver modular backdoors and steal data, leaving little trace on disk.

🔗 See how PeckBirdy works → https://thehackernews.com/2026/01/china-linked-hackers-have-used.html

⚠️ A single spreadsheet formula can now lead to full server takeover in Grist-Core.

The flaw, CVE-2026-24002 (CVSS 9.1), breaks out of the Pyodide sandbox, letting attackers run OS commands and access files and secrets.

🔗 Read → https://thehackernews.com/2026/01/critical-grist-core-vulnerability.html

⚠️ Update: Alma Security calls CVE-2026-1245 ParserPoison.

binary-parser drops unvalidated field names and encodings into new Function(). Untrusted schemas = JavaScript execution.

🔗 How ParserPoison works under the hood → https://thehackernews.com/2026/01/certcc-warns-binary-parser-bug-allows.html

🚨 ClickFix attacks are evolving fast.

🧩 Fake CAPTCHAs trick users into running commands that abuse signed Windows App-V scripts to proxy PowerShell.

☁️ Malware like Amatera Stealer is staged via trusted services, runs in memory, and mainly hits enterprise systems—staying under EDR radar.

🔗 Inside the new ClickFix playbook → https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html

🇮🇳 Indian government networks were targeted in two cyber campaigns linked to a Pakistan-based actor.

Tracked by Zscaler as Gopher Strike and Sheet Attack, the key tactic was India-only malware delivery, filtered by IP and Windows systems to evade analysis.

🔗 Attack chain and tools explained → https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html

🔒 WhatsApp is adding a lockdown-style security mode for high-risk users, including journalists and public figures.

It blocks media from unknown senders, silences unknown calls, and locks risky settings to reduce spyware exposure.

🔗 How it works → https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html

⚡ WEBINAR ALERT — AI is redefining how MSSPs scale in 2026.

This session breaks down how one MSSP cut manual work, delivered CISO-grade services, and grew recurring revenue -- without adding headcount. The advantage came from automation, not expansion.

🔗 Register now to see how it works → https://thehacker.news/ai-security-management

🔧 Fortinet issues patch update for actively exploited FortiOS SSO flaw.

The fix addresses CVE-2026-24858 (CVSS 9.4), an SSO authentication bypass that can allow cross-tenant device access when FortiCloud SSO is enabled. CISA has added the issue to its KEV list, setting a Jan 30 remediation deadline.

🔗 Details → https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html

🛑 A WinRAR bug fixed in July 2025 is still being exploited.

Researchers at Google ties CVE-2025-8088 to Russia- and China-linked actors, plus cybercrime groups deploying RATs and stealers, showing how quickly n-days get reused.

🔗 Read → https://thehackernews.com/2026/01/google-warns-of-active-exploitation-of.html