Two VSCode extensions with 1.5 million installs are stealing source code right now, not last month. Researchers published their findings on January 22. Three days later, both extensions are still live on Microsoft’s official marketplace. Still collecting downloads. Still harvesting files. 🧐

The extensions are ChatGPT - 中文版 with 1.34 million installs and ChatMoss with 150,000 installs. Both marketed as AI coding assistants. Both work as advertised. Both contain identical spyware that sends everything to servers in China. Researchers named the campaign MaliciousCorgi.

It’s 2026 and attackers are still getting root shells via Telnet with a single command that requires no password whatsoever. 😏

SSH has existed for 31 years. Yet 221,000 telnet servers are still running online, and a bug hidden in the code since 2015 just handed attackers the keys to the kingdom. CVE-2026-24061. CVSS 9.8. Critical.

The vulnerability sat in GNU InetUtils telnetd for almost 11 years before anyone noticed. Security researcher Kyu Neushwaistein found it on January 20, 2026, and by January 21, attackers were already exploiting it in the wild.

Attackers found a way to hijack legitimate apps in the Snap Store. 7000 packages. Millions of Linux users. One victim already lost 9 Bitcoin. That was $490,000. 🧐

The Snap Store is the official app store for Ubuntu and other Linux distributions, run by Canonical. When developers publish apps, they sign up with an email on their own domain. Something like dev@mycoolproject.tech. But domains expire. People forget to renew, move on to other things, and that domain goes back on the market for anyone to grab.

A fake SymPy package deploys XMRig cryptominers on Linux machines. The malware hides inside polynomial functions. It only activates when you do math. Over 1,000 downloads in day one. Still live on PyPI. The real SymPy has 85 million downloads per month. That is the target size. 🧐

Socket’s Threat Research Team found this on January 21, 2026. The attacker copied SymPy’s entire project description and branding, then uploaded it under a name that looks like a development build. Developers searching for SymPy or copy-pasting requirements might grab the wrong package without noticing.

One developer just built 88,000 lines of advanced malware in six days using AI. A single person with an AI coding assistant created a framework sophisticated enough to target AWS, Azure, Google Cloud, Alibaba, Tencent, Kubernetes pods, and Docker containers. 🧐

Check Point revealed VoidLink on January 20, 2026. A Linux malware framework designed to compromise cloud infrastructure. The malware detects where it runs and changes its behavior based on what it finds.

Cracking Windows domain admin passwords just got simple. A massive set of rainbow tables just went public, a $600 laptop is enough, and it takes 12 hours max. This flaw has existed since 1999. Microsoft ignored it for 25 years. So Google decided to force the conversation. 🔓

The flaw is in NTLMv1. That’s an authentication protocol from 1993. When a Windows machine logs in over a network, it sends an encrypted response based on the user’s password. The problem? That encryption uses 56-bit DES. Cryptographers declared that dead decades ago.

Your browser extension logo just became malware. Not the code. The actual image file. A PNG icon sitting in your toolbar, looking normal, hiding JavaScript that takes over your browser. Over 1 million victims through GhostPoster. Part of a larger operation hitting 8.8 million. Seven years undetected. 🧐

Last week, researchers revealed the full scope of a campaign they call GhostPoster. Koi Security published the first findings in December 2025. LayerX followed up with additional discoveries on January 15, 2026. And it is worse than anyone thought.

GootLoader is back. This week, researchers discovered their newest trick: a way to make security tools completely blind. Your antivirus scans the ZIP file. Nothing found. WinRAR tries to open it. Fails. 7-Zip tries. Also fails. Corrupted file, right? But when you double-click it, Windows opens it just fine. And now you’re infected. 🧐

The trick is simple but brilliant. They take 500 to 1000 ZIP files and glue them together into one massive file. Most analysis tools read ZIP files from the beginning. They hit the first archive, see garbage, and crash. But here is the thing about ZIP files. They are actually read from the END. The “End of Central Directory” record tells the reader where to find the actual content. Windows knows this. It skips all the junk, finds the last valid archive, and happily extracts the malware.

Netflix. Twitch. iCloud. The servers of the CIA and NSA. 30% of all cloud infrastructure worldwide runs on Amazon Web Services. Two missing characters in a regex filter nearly compromised all of it. 😬

A ^ at the start and a $ at the end. That’s what was missing from a security filter, and that’s all it would have taken for attackers to inject malicious code into the AWS JavaScript SDK.

Someone sends you an audio message. You don’t open it, you don’t play it, you don’t even look at your phone. And you’re already hacked. 😏 Google Project Zero just published a three-part series this week showing exactly how they built a working exploit chain for the Pixel 9. No clicks required and no interaction at all. Just receive a message and your phone is compromised.

CVE-2025-54957

The vulnerability sits in Dolby’s audio decoder, a component that ships on almost every Android phone sold today. Pixel, Samsung, and dozens of other brands all use it. When someone sends you an audio message through SMS or RCS (the default messaging on most Android phones), your phone automatically decodes it for transcription. Before you even see the notification, the malicious code is already running.

January 13, 2026. Microsoft patches a vulnerability in Copilot that let attackers steal personal data with a single click. The security bypass that worked for five months? Tell the AI to do everything twice. Microsoft has spent $80 billion on AI infrastructure and plans $120 billion more for 2026, but the safeguards protecting your data failed against a one-line prompt. 🤔

Varonis Threat Labs discovered a way to steal personal data from Microsoft Copilot using nothing more than a single click on a link, with no plugins required and no further user interaction needed. The attack continues running even after the victim closes the browser tab.

In January 2026, Microsoft had already patched 114 vulnerabilities! Four modem drivers deleted since October. Companies that wrote them: gone. Source code: inaccessible. Microsoft’s only option: remove them entirely. Meanwhile, ransomware groups are loading over 900 other vulnerable drivers that still ship with Windows. 😱 Hackers discovered they could use a 20-year-old telephone code to take over any Windows machine. No hardware required.

One vulnerability stood out: CVE-2023-31096. A CVE number from 2023. Fixed in 2026. Three years later.

SAP just patched four critical vulnerabilities

SAP just patched four critical vulnerabilities. CVSS scores up to 9.9. One lets attackers run code with nothing but a malicious link. 425,000 companies run SAP. Over 85% of Fortune 500. The patches dropped today, January 13, 2026. 🧐

SAP Patch Tuesday just landed with seventeen security notes. Four are HotNews - SAP’s term for patch immediately or accept the consequences.

The most severe vulnerability lets someone with a basic user account run arbitrary SQL queries against the entire financial database.

Your iPhone can be compromised by loading a webpage. No click. No download. Just visit the wrong site. Apple patched this a month ago. Only 16% of users have updated. 🤔

StatCounter data from January 2026:

→ iOS 26 (all versions): 16% of iPhones

→ iOS 18 (unpatched): over 60% of iPhones

For comparison, iOS 18 reached 63% adoption by January 2025. iOS 26 is at less than one quarter of that rate. The lowest adoption Apple has seen in years.

A 52-year-old tape just revealed a buffer overflow that looks exactly like the bugs we’re still finding today. 😏

In July 2025, someone found a magnetic tape from 1973 in a storage room at the University of Utah. Handwritten on the label: “UNIX Original From Bell Labs V4”. This turned out to be the only surviving copy of Unix v4, the 1973 version where Ken Thompson and Dennis Ritchie rewrote the entire operating system from assembly into C.

100,000 servers. One HTTP header change. Full admin access. No password required. They call it “Ni8mare.” CVSS 10.0. The patch existed for 7 weeks. The release notes mentioned nothing. 😏

CVE-2026-21858. “Ni8mare” The name says it all.

n8n is a workflow automation platform. Think Zapier, but open source and self-hosted. Over 100 million Docker pulls. Used by Vodafone, Delivery Hero, StepStone. Thousands of enterprises run their entire automation infrastructure on it, with 400+ integrations connecting everything in one central hub.

Your headphones just became a backdoor to your phone. No pairing. No popup. Just Bluetooth range. 70 million chips. Sony. Bose. Marshall. JBL. A debug protocol active on production devices. Attackers can dump your Bluetooth keys, impersonate your headphones, and hijack your phone. 🤔

Three CVEs. Zero authentication required. Full technical disclosure: December 27, 2025 at 39C3.

The vulnerabilities

→ CVE-2025-20700: No authentication on Bluetooth Low Energy → CVE-2025-20701: No authentication on Bluetooth Classic → CVE-2025-20702: Debug protocol exposed that should never be accessible

RondoDox added React2Shell to its arsenal. 90,000+ servers. 56 vulnerabilities. 30+ vendors. They call it the “exploit-shotgun” approach. Fire everything, see what hits. 😱

Once inside, RondoDox doesn’t just sit there. It launches DDoS attacks. Mines Monero. Turns infected devices into proxies to hide other attacks. And it breaks the tools needed to fight back.

The botnet has been running for 9 months. Three distinct phases. March to April 2025 was reconnaissance. April to June was daily probing of WordPress, Drupal, Struts2, and IoT devices. July onward became hourly automated attacks at scale.

The crypto library behind Discord, WordPress, and Zcash just got its first CVE. After 13 years. 😏 libsodium. You’ve probably never heard of it. But it’s everywhere.

libsodium is one of the most trusted cryptographic libraries in the world. Discord secures voice chat with it. WordPress validates updates with it. Zcash processes transactions with it. Stellar powers financial apps with it.

13,300+ GitHub stars. Bindings in every programming language you can think of. From PHP to Rust to Python to Go.

WIRED magazine got hacked. 2.3 million subscriber records leaked. And this is just the beginning. 😏 A hacker called “Lovely” dumped the database on Christmas Day. Called it a “Christmas Lump of Coal.”

The vulnerability? IDOR. Insecure Direct Object Reference. That’s OWASP Top 10. Basic web security. A flaw that’s been documented since 2007. Companies still get it wrong.

IDOR happens when a website uses a number to identify your data, but doesn’t check if you’re actually allowed to see it. Your profile lives at /api/user/12345. Change that to /api/user/12346? You see someone else’s profile. No password needed. The server just hands it over.