This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn't need novel tricks. They used what was already exposed and moved in without resistance.

Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior. Different victims, same playbook: look normal, move quickly, spread before alarms go off.

For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle. Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward.

⚡ Threat of the Week

Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability in the n8n workflow automation platform permits unauthenticated remote code execution and potential full system compromise. The flaw, referred to as Ni8mare and tracked as CVE‑2026‑21858, affects locally deployed instances running versions prior to 1.121.0. The issue stems from how n8n handles incoming data, offering a direct path from an external, unauthenticated request to compromise the automation environment. The disclosure of CVE‑2026‑21858 follows several other high‑impact vulnerabilities publicized over the past two weeks, including CVE‑2026‑21877, CVE‑2025‑68613, and CVE‑2025‑68668. The problem appears in Form-based workflows where file-handling functions are executed without first validating that the request was actually processed as "multipart/form-data." This loophole allows an attacker to send a specially crafted request using a non-file content type while crafting the request body to mimic the internal structure expected for uploaded files. Because the parsing logic does not verify the format of the incoming data, it enables an attacker to access arbitrary file paths on the n8n host and even escalate it to code execution. "The impact extends to any organization using n8n to automate workflows that interact with sensitive systems," Field Effect said. "The worst‑case scenario involves full system compromise and unauthorized access to connected services." However, Horizon3.ai noted that successful exploitation requires a combination of pre-requisites that are unlikely to be found in most real-world deployments: An n8n form component workflow that's publicly accessible without authentication and a mechanism to retrieve the local files from the n8n server. As of January 11, 2026, there are about 59,500 internet-exposed hosts that are still vulnerable to CVE-2026-21858. More than 27,000 IP addresses are located in the U.S. and over 21,200 in Europe.

🔔 Top News

Kimwolf Botnet Infects 2M Android Devices — The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks. Kimwolf's rapid growth is largely fueled by its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client. Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222. The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices. When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices. When reachable, botnet payloads were delivered via netcat or telnet, piping shell scripts directly into the exposed device for local execution.

— Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed more than a year before a set of three flaws it relied on were made public. The attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process. The attackers disabled VMware's own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have allowed the attackers to hit a broad range of environments. Huntress, which observed the activity in December 2025, said there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner. China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. The campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors.

— A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. The campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors. Two Malicious Chrome Extensions Caught Prompt Poaching — Two new malicious extensions on the Chrome Web Store, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, and AI Sidebar with DeepSeek, ChatGPT, Claude, and more, were found to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers' control. The technique of browser extensions to stealthily capture AI conversations has been codenamed Prompt Poaching. The extensions, which were collectively installed 900,000 times, have since been removed by Google.

— Two new malicious extensions on the Chrome Web Store, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, and AI Sidebar with DeepSeek, ChatGPT, Claude, and more, were found to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers' control. The technique of browser extensions to stealthily capture AI conversations has been codenamed Prompt Poaching. The extensions, which were collectively installed 900,000 times, have since been removed by Google. PHALT#BLYX Targets Hospitality Sector in Europe — A new multi-stage malware campaign targeting hospitality organizations in Europe using social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death (BSoD) errors to trick users into manually executing malicious code under the guise of reservation-cancellation lures. Dubbed PHALT#BLYX, the campaign represents an evolution from earlier, less evasive techniques. Previous versions relied on HTML Application files and mshta.exe. The latest iteration, detected in late December 2025, instead abuses MSBuild.exe, a trusted Microsoft utility, to compile and execute a malicious project file. This living-off-the-land (LotL) approach enables the malware to bypass many endpoint security controls and deliver a heavily obfuscated variant of DCRat. The activity is assessed to be the work of Russian-speaking threat actors. The attacks leverage a social engineering tactic called ClickFix, where users are tricked into manually executing seemingly harmless commands that actually install malware. It operates by deceiving users into taking an action to "fix" a non-existent issue by either automatically or manually copying and pasting a malicious command into their terminal or Run dialog.

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week's most serious security flaws. Check them, fix what matters first, and stay protected.

This week's list includes — CVE-2026-21858, CVE-2026-21877, CVE-2025-68668 (n8n), CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 (Trend Micro Apex Central), CVE-2026-20029 (Cisco Identity Services Engine), CVE-2025-66209, CVE-2025-66210, CVE-2025-66211, CVE-2025-66212, CVE-2025-66213, CVE-2025-64419, CVE-2025-64420, CVE-2025-64424, CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 (Coolify), CVE-2025-59470 (Veeam Backup & Replication), CVE-2026-0625 (D-Link DSL gateway routers), CVE-2025-65606 (TOTOLINK EX200), CVE-2026-21440 (@adonisjs/bodyparser), CVE-2025-68428 (jsPDF), CVE-2025-69194 (GNU Wget2), CVE-2025-43530 (Apple macOS Tahoe), CVE-2025-54957 (Google Android), CVE-2025-14026 (Forcepoint One DLP Client), CVE-2025-66398 (Signal K Server), CVE-2026-21483 (listmonk), CVE-2025-34468 (libcoap), CVE-2026-0628 (Google Chrome), CVE-2025-67859 (Linux TLP), CVE-2025-9222, CVE-2025-13761, CVE-2025-13772 (GitLab CE/EE), CVE-2025-12543 (Undertow HTTP server core), CVE-2025-14598 (BeeS Examination Tool), CVE-2026-21876 (OWASP Core Rule Set), CVE-2026-22688 (Tencent WeKnora), CVE-2025-61686 (@react-router/node, @remix-run/node, and @remix-run/deno), and CVE-2025-54322 (Xspeeder SXZOS).

📰 Around the Cyber World

India Denies it Plans to Demand Smartphone Source Code — India's Press Information Bureau (PIB) has refuted a report from Reuters that said the Indian government has proposed rules requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures to tackle online fraud and data breaches. Some of the key requirements mentioned in the report included preventing apps from accessing cameras, microphones or location services in the background when phones are inactive, periodically displaying warnings prompting users to review all app permissions, storing security audit logs, including app installations and login attempts, for 12 months, periodically scanning for malware and identify potentially harmful applications, making all pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, deletable, notifying a government organization before releasing any major updates or security patches, detecting if a device has been rooted or jailbroken, and blocking installation of older software versions. The PIB said, "The Government of India has NOT proposed any measure to force smartphone manufacturers to share their source code," adding, "The Ministry of Electronics and Information Technology has started the process of stakeholders' consultations to devise the most appropriate regulatory framework for mobile security. This is a part of regular and routine consultations with the industry for any safety or security standards. Once a stakeholder consultation is done, then various aspects of security standards are discussed with the industry." It also said no final regulations have been framed, adding the government has been engaging with the industry to better understand technical and compliance burden and best international practices, which are adopted by the smartphone manufacturers.

🔧 Cybersecurity Tools

ProKZee — It is a cross-platform desktop tool for capturing, inspecting, and modifying HTTP/HTTPS traffic. Built with Go and React, it's fast, clean, and runs on Windows, macOS, and Linux. It includes a built-in fuzzer, request replay, Interactsh support for out-of-band testing, and AI-assisted analysis via ChatGPT. Full Docker support keeps setup and development simple for security researchers and developers.

Portmaster — It is a free, open-source firewall and privacy tool for Windows and Linux that shows and controls all system network connections. Built by Safing in Austria, it blocks trackers, malware, and unwanted traffic at the packet level, routes DNS securely via DoH/DoT, and offers per-app rules, privacy filtering, and an optional multi-hop Safing Privacy Network, without relying on third-party clouds.

STRIDE GPT — It is an open-source AI-based threat modeling framework that automates the STRIDE method to identify risks and attack paths in modern systems. It supports GenAI and agent-based applications, aligns with the OWASP LLM and Agentic Top 10, detects RAG and multi-agent architectures, and produces clear attack trees with mitigation guidance—connecting traditional threat modeling with AI-era security risks.

Disclaimer: These tools are for learning and research only. They haven't been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

Seen together, these updates show how quickly familiar systems turn risky when trust isn't questioned. Most of the damage didn't begin with clever exploits. It began with ordinary tools quietly doing more than anyone expected.

It rarely takes a dramatic failure. A missed patch. An exposed service. A routine click that slips through. Multiply those small lapses, and the impact spreads faster than teams can contain it.

The lesson is straightforward. Today's threats grow out of normal operations, moving at speed and scale. The advantage comes from spotting where that strain is building before it breaks.