The curl project is ending its HackerOne bug bounty program by the end of January 2026 due to an overwhelming number of low-quality, AI-generated vulnerability reports. The project will no longer offer rewards for reported bugs and will shift to an internal submission process via GitHub. The decision was made to reduce the strain on the curl security team and to discourage low-effort submissions. Daniel Stenberg, the founder and lead developer of curl, cited a significant increase in invalid reports, many of which appear to be AI-generated, as the primary reason for this change.

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. The issue stems from the "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword" function, which permits unauthenticated access and leverages a boolean flag "IsSysAdmin" to execute privileged operations. Attackers can exploit this to gain SYSTEM-level shell access by executing OS commands through a built-in functionality. The vulnerability was reported by watchTowr researchers on January 8, 2026, and affects only admin-level accounts.

A new ransomware family called Osiris has emerged, targeting a major food service franchisee operator in Southeast Asia in November 2025. The attack utilized a malicious driver named POORTRY as part of a bring your own vulnerable driver (BYOVD) technique to disable security software. Osiris employs a hybrid encryption scheme and is assessed to be a new strain with no links to the 2016 Locky ransomware variant of the same name. The attackers exfiltrated data to Wasabi cloud storage and used dual-use tools like Netscan, Netexec, and MeshAgent, along with a custom version of Rustdesk remote desktop software. The attack also involved enabling RDP for remote access and deploying the KillAV tool to terminate security processes.

A critical authentication bypass vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, affecting versions 1.9.3 to 2.7, allows remote attackers to gain root access by exploiting the USER environment variable. The flaw, introduced in 2015, enables bypassing normal authentication if the client supplies a crafted USER value. Mitigations include patching and restricting network access to the telnet port. GreyNoise observed 21 unique IP addresses exploiting this flaw in the past 24 hours.

Microsoft is rolling out a new security feature called Brand Impersonation Protection for Teams calls. This feature will warn users about potential social engineering attacks from external callers impersonating trusted organizations. The update will begin in mid-February and is enabled by default. The feature checks incoming VoIP calls for signs of brand impersonation and displays high-risk call warnings before suspicious calls are answered. Users can accept, block, or end flagged calls, with alerts persisting during conversations if suspicious signals continue. Microsoft advises IT departments to prepare support staff for questions about the new warnings and to update internal training materials.

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies. An operational security failure by the INC ransomware gang allowed researchers to recover data stolen from a dozen U.S. organizations. The investigation, conducted by Cyber Centaurs, revealed artifacts from the legitimate backup tool Restic, which exposed attacker infrastructure. The researchers developed a controlled enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations.

Latin American organizations report low confidence in their nations' cyber defenses, with only 13% confident in their country's ability to protect critical infrastructure. The region faces a significant cybersecurity skills gap, with 69% lacking critical personnel and capabilities. Cyberattacks have surged by 53% year-over-year, driven by cybercrime syndicates from Southeast Asia and China. The lack of skilled professionals and investment in cyber resilience infrastructure hampers the region's digital progress, making it vulnerable to systemic risks.

A critical authentication vulnerability (CVE-2026-22794) in Appsmith's low-code platform allows attackers to manipulate password reset links by abusing the HTTP Origin header. This flaw enables full account takeovers by redirecting reset tokens to attacker-controlled domains. The vulnerability affects Appsmith versions 1.x, with 1666 publicly accessible instances identified as vulnerable. The flaw occurs during the password reset process, where the platform uses the client-supplied Origin header to build the reset link without proper validation. Attackers can exploit this to intercept reset tokens and set new passwords, gaining unauthorized access to victim accounts. The vulnerable endpoint's consistent success responses help conceal the abuse. Given Appsmith's use in building internal tools connected to sensitive databases and APIs, the impact of this vulnerability is particularly severe.

A security flaw in the RealHomes CRM plugin, bundled with a WordPress theme, affected over 30,000 websites. The vulnerability allowed low-privileged users to upload malicious files and potentially take control of affected sites. The flaw, assigned CVE-2025-67968, was discovered and reported by Patchstack Alliance community member wackydawg. The developers released a patch in version 1.0.1, which includes access control checks and file validation. The vulnerability was located in an AJAX function responsible for handling CSV file uploads. The flaw allowed any logged-in user with Subscriber-level access or higher to upload arbitrary files, potentially leading to a full site takeover. The patch introduces a current_user_can capability check and file type validation using WordPress's wp_check_filetype function.

The shift to hybrid work has significantly increased Active Directory password resets, causing productivity losses and higher IT costs. Remote employees face more lockouts due to cached credentials and frequent password changes, leading to a surge in helpdesk tickets. Self-service password reset tools are emerging as a solution to mitigate these issues.

The ThreatsDay Bulletin highlights evolving cyber threat tactics, including infrastructure shifts and sophisticated social engineering lures. Attackers are rapidly adapting, with minimal gaps between vulnerability discovery and exploitation. The report underscores the fluid nature of the threat landscape and emphasizes the importance of continuous monitoring and adaptation. Recent incidents show how attackers leverage familiar systems and trusted workflows to gain control through scale, patience, and misplaced trust, with exposure accumulating quietly and surfacing all at once.

Microsoft has added AI-powered text summarization, rewriting, and generation features to Notepad for users with Copilot+ PCs running Windows 11. This update is currently rolling out to Windows 11 Insiders in the Canary and Dev Channels. The features are available in English and can be toggled between local and cloud AI models for Microsoft 365 subscribers. Users can disable or uninstall the new Notepad app if they prefer the original notepad.exe program. Notepad version 11.2512.10.0 now streams AI-generated results for Write, Rewrite, and Summarize features, displaying previews faster rather than waiting for complete responses. Users must sign in with their Microsoft accounts to access these AI tools. The text editor also expands its lightweight formatting support with additional Markdown syntax features, including nested lists and strikethrough text. Notepad users can use these new formatting options via keyboard shortcuts, the formatting toolbar, or Markdown syntax in their documents. Notepad now also comes with a welcome screen designed to help users discover the app's newest features. Paint version 11.2512.191.0 has added a Coloring Book feature that uses AI to generate coloring pages from custom text prompts. Paint now also comes with a fill tolerance slider, allowing users to control how the Fill tool adds color to the canvas. Microsoft encouraged users to submit feedback through the Windows Feedback Hub, under the Apps category, to help weed out bugs.

In 2025, 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day of public disclosure, up from 23.6% in 2024. VulnCheck identified 884 new vulnerabilities with evidence of exploitation, a 15% increase from 2024. Network edge devices, content management systems, and open-source software were the most targeted technologies. Time-to-exploitation patterns remained consistent with 2024, with operating systems being the most affected by zero-day and one-day exploits. Ransomware attribution continued to lag behind initial exploitation disclosure.

Security researchers have successfully exploited 66 zero-day vulnerabilities in various automotive systems during the first two days of the Pwn2Own Automotive 2026 competition. The hacked systems include the Tesla Infotainment System, Sony XAV-9500ES, Alpitronic HYC50 Charging Station, Autel charger, Kenwood DNR1007XR, Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and Grizzl-E Smart 40A. The vulnerabilities were demonstrated in Tokyo, Japan, during the Automotive World auto conference, from January 21 to January 23, 2026. The researchers earned significant cash rewards for their exploits, with the Synacktiv Team earning $35,000 for hacking the Tesla Infotainment System and $20,000 for the Sony XAV-9500ES. Other teams also earned substantial rewards for exploiting vulnerabilities in various charging stations and navigation systems. Vendors have 90 days to develop and release security fixes before TrendMicro's Zero Day Initiative publicly discloses the flaws.

Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. Threat actors have begun exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Organizations are advised to apply patches immediately, disable FortiCloud SSO until updates are applied, and limit access to management interfaces. FortiOS version 7.4.10 does not fully address the authentication bypass vulnerability, and Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully patch the security flaw. CISA has added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week by December 23rd. A new cluster of automated malicious activity began on January 15, 2026, involving unauthorized firewall configuration changes on FortiGate devices. The activity includes the creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. Malicious SSO logins were carried out against a malicious account '[email protected]' from four different IP addresses: 104.28.244.115, 104.28.212.114, 217.119.139.50, and 37.1.209.19. Threat actors created secondary accounts such as 'secadmin', 'itadmin', 'support', 'backup', 'remoteadmin', and 'audit' for persistence. All events took place within seconds of each other, indicating the possibility of automated activity. Arctic Wolf reported that the campaign started on January 15, 2026, with attackers exploiting an unknown vulnerability in the SSO feature to create accounts with VPN access and exporting firewall configurations within seconds, indicating automated activity. Arctic Wolf noted that the current campaign bears similarity to incidents documented in December following the disclosure of CVE-2025-59718. Affected admins reported that Fortinet confirmed the latest FortiOS version (7.4.10) does not fully address the authentication bypass flaw, which should have been patched since early December with the release of FortiOS 7.4.9. Fortinet is planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully address the CVE-2025-59718 security flaw. Affected Fortinet customers shared logs showing that the attackers created admin users after an SSO login from [email protected] on IP address 104.28.244.114, which matches indicators of compromise detected by Arctic Wolf. Internet security watchdog Shadowserver is currently tracking nearly 11,000 Fortinet devices that are exposed online and have FortiCloud SSO enabled.

LastPass has identified an active phishing campaign impersonating the service to trick users into revealing their master passwords. The campaign, which began around January 19, 2026, uses phishing emails with urgent subject lines to direct users to a fake phishing site. LastPass emphasizes it will never ask for master passwords and is working to take down the malicious infrastructure. The phishing emails claim upcoming maintenance and urge users to create a local backup of their password vaults within 24 hours. The emails originate from several fraudulent email addresses and direct users to a phishing site that redirects to a domain mimicking LastPass. The campaign was launched during a holiday weekend in the United States to catch LastPass understaffed and less prepared for a prompt response. This campaign follows a previous information-stealing campaign targeting macOS users through fake GitHub repositories and another phishing campaign in October 2025 that used fake death claims to trigger a legacy inheritance process. LastPass has 33 million users and over 100,000 business customers. A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.

Claroty, a cyber-physical systems security company, has raised $150 million in a Series F funding round, bringing its total funding to approximately $900 million. The round was led by Golub Growth, with existing investors participating up to an additional $50 million. Claroty's platform provides asset visibility, exposure management, network protection, secure access, and threat detection for xIoT systems, including operational technology like ICS, IoT, and IIoT. The company's valuation has reportedly increased by 80% since March 2024, reaching an estimated $3 billion, though previous reports suggested a $2.5 billion valuation. Claroty is preparing for a potential IPO as early as 2027, pending market conditions.

Google Workspace environments, built for collaboration, often have permissive settings and integrations that can be exploited by attackers. Security teams, especially lean ones, must properly configure and maintain Google Workspace to defend against modern cloud threats. Key practices include enforcing Multi-Factor Authentication (MFA), hardening admin access, securing sharing defaults, controlling OAuth app access, fortifying against email threats, detecting and containing account takeovers, understanding and protecting data, and balancing collaboration with control. Material Security extends Google Workspace security by providing advanced email security, automated account takeover detection and response, data discovery and protection, and unified visibility across the cloud office. The latest insights highlight the importance of securing email, the primary attack vector, and addressing gaps in native protection such as Business Email Compromise (BEC) attacks and legacy protocols. Material Security offers advanced solutions to enhance Google Workspace's security capabilities.

A Vodafone survey reveals that 89% of UK executives are more aware of cyber threats due to recent high-profile breaches, but 10% believe their organizations would not survive a similar incident. The survey highlights poor cybersecurity practices, including password reuse and lack of staff training, while the UK government is taking steps to combat fraud and cybercrime through a new Fraud Sector Charter for telecommunications.

The number of organizations notifying GDPR regulators of data breaches increased by 22% in 2025, reaching a daily average of 443 notifications. This marks the first time since 2018 that daily notifications have exceeded 400. Germany, the Netherlands, and Poland reported the highest number of breaches. Geopolitical unrest and AI-enabled threats are suspected contributors to the rise in breaches of personally identifiable information (PII). Despite the increase in breach notifications, GDPR fines remained steady at €1.2 billion, with the Irish Data Protection Commission issuing the highest fine of €530 million against TikTok for transferring user data to China.

A malicious Python Package Index (PyPI) package named sympy-dev impersonates the legitimate SymPy library to deploy an XMRig cryptocurrency miner on Linux hosts. The package, which has been downloaded over 1,100 times since its publication on January 17, 2026, includes backdoored functions that trigger only when specific polynomial routines are called. The malicious payload is fetched from a remote server and executed in memory to avoid leaving disk artifacts. The campaign has been linked to techniques previously used by cryptojacking groups like FritzFrog and Mimo. The package remains available for download as of the report's publication.

Cisco has patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling products, which has been actively exploited in attacks. The flaw, with a CVSS score of 8.2, allows attackers to gain user-level access and escalate privileges to root on affected systems. Cisco has released patches for various versions of the impacted products and urged customers to update immediately. The U.S. CISA has added the vulnerability to its KEV Catalog, requiring federal agencies to patch by February 11, 2026.

Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future.

Two high-severity vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025, and patched on December 24, 2025, with the release of Chainlit version 2.9.4. Chainlit, widely used for building conversational AI applications, has seen significant adoption with over 7.3 million downloads to date, including 220,000 in the past week alone. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments, particularly in enterprise deployments and academic institutions.

A new family of Android click-fraud trojans leverages TensorFlow machine learning models to detect and interact with advertisement elements. The malware operates in 'phantom' and 'signalling' modes, using hidden WebView browsers and WebRTC for real-time actions. Distributed via Xiaomi’s GetApps and third-party APK sites, the malware affects multiple games and modified apps, with over 165,000 downloads. The malware drains battery life and increases data usage, posing a financial impact on users.

North Korean threat actors have **expanded the Contagious Interview campaign** with a **new JavaScript-based backdoor** delivered via **malicious VS Code repositories**, marking the latest evolution in their multi-stage infection chain. When victims clone and open these repositories—framed as technical assignments or code reviews—they are prompted to trust the repository author. Upon granting trust, VS Code automatically executes a hidden **Node.js command** in the background, deploying the backdoor with **remote code execution capabilities**. The payload persists even after VS Code is closed, produces no visible output, and remains undetected while exfiltrating credentials and sensitive data. This tactic builds on earlier methods, such as **abusing `tasks.json` files** and **malicious npm dependencies (e.g., 'grayavatar')**, but introduces a **fully JavaScript-based payload** tailored for developers familiar with Node.js. The campaign, active since late 2023, continues to target **software developers, particularly in blockchain, cryptocurrency, and Web3 sectors**, blending **social engineering with technical deception**. Previous milestones include the **December 2025 deployment of EtherRAT**, which exploited **React2Shell (CVE-2025-55182)** and **Ethereum smart contracts for C2**, and the **January 2026 wave** using **BeaverTail and InvisibleFerret malware** via GitHub/GitLab/Bitbucket lures. The group collaborates with **North Korea’s fraudulent IT workers (WageMole)** to amplify credential theft and financial fraud, while consolidating hosting on **Vercel domains** and refining **AI-generated artifacts** to evade detection. The latest backdoor underscores the campaign’s **rapid adaptation**, combining **espionage-driven data theft** with **financial motives** through persistent, multi-layered infections.

PcComponentes, a major Spanish online retailer, denies claims of a data breach impacting 16 million customers but confirms a credential stuffing attack. The threat actor 'daghetiaw' claimed to have stolen 16.3 million records, leaking 500,000 and offering the rest for sale. PcComponentes investigated and found no unauthorized access to its databases or internal systems, but confirmed a credential stuffing attack. The exposed data includes personal details but no financial information or passwords. The company has implemented additional security measures, including mandatory 2FA and CAPTCHA on login pages.

Phishing and spoofed websites are identified as the primary entry points for cyber-attacks targeting the Milano-Cortina 2026 Winter Games. The Palo Alto Networks report highlights how criminal groups, state-backed actors, and hacktivists exploit the event's digital infrastructure, drawing on historical patterns from previous Olympic Games. The assessment underscores the dominance of business email compromise (BEC) in phishing campaigns, with 76% of observed cases leveraging this tactic. Attackers blend speed and deception, targeting ticketing platforms, event websites, and payment systems for financial gain, espionage, or disruption.

Zoom and GitLab have released security updates to address critical vulnerabilities. Zoom patched a critical command injection flaw (CVE-2026-22844) in its Node Multimedia Routers (MMRs) that could allow remote code execution. GitLab fixed multiple high-severity flaws, including DoS and 2FA bypass vulnerabilities. The updates are recommended for affected systems to mitigate potential threats.

Microsoft is investigating reports that the January Windows 11 security update KB5074109 causes the classic Outlook desktop client to freeze and hang for users with POP email accounts. The issue affects users who have installed the update on Windows 11 25H2 and 24H2, preventing Outlook from exiting properly and restarting after being closed. The problem also impacts Windows 10 users and multiple Windows Server platforms. Users can temporarily resolve the issue by uninstalling the KB5074109 update or accessing their email accounts via webmail or moving their Outlook PST files out of OneDrive.