Notepad++ Hosting Breach Tied to China's Lotus Blossom Hackers
Key Findings: The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis. The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip). The compromise occurred at the hosting provider level, not due to vulnerabil
Feb 3, 3 min read
The "Unstoppable" PC: Microsoft's Latest Security Update Refuses to Let Windows 10 Expire
Key Findings: Microsoft's latest cumulative updates for Windows 11 have caused technical issues, including devices failing to enter sleep mode or shut down correctly, often resulting in involuntary reboots. The problems have also extended to Windows 10 systems with Virtualization-Based Security (VBS/VSM) enabled. Microsoft has acknowledged the defects and is working on a comprehensive resolution for both Windows 10 and 11. As an interim mitigation, affected users are advised to
Feb 3, 2 min read
Notepad++ Targeted by China-Based Espionage Group for Six Months
Key Findings: China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025. The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities. The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users. The attackers exploited "insufficient upda
Feb 2, 2 min read
Notepad++ Official Update Mechanism Exploited to Deliver Malware
Key Findings: The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers. The attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. The incident is assessed to
Feb 2, 2 min read
Cracks in the $100 Billion Nvidia-OpenAI Deal: Jensen Huang's Strategic Shift
Key Findings: The $100 billion investment initiative between NVIDIA and OpenAI has reached an impasse, with the partnership being placed "on ice". NVIDIA CEO Jensen Huang has privately voiced skepticism about the viability of the original pact. The two entities are currently recalibrating their alliance, potentially pivoting from a complex hardware-leasing and construction framework to a more straightforward equity investment. Background: The ambitious scope of the original partne
Feb 2, 2 min read
DOJ Releases Details on Alleged Talented Hacker Working for the Late Jeffrey Epstein
Key Findings: An FBI informant claimed in 2017 that Jeffrey Epstein had a "personal hacker" who was an Italian born in Calabria. The hacker, whose name was redacted, reportedly sold zero-day exploits and offensive cyber tools to several countries, including the U.S. and the U.K. He allegedly created a zero-day exploit and sold it to Hezbollah in exchange for a trunk of cash. The hacker was known for finding vulnerabilities in iOS, BlackBerry, and Firefox. He surrounded himself
Feb 1, 2 min read
Windows Malware Uses Pulsar RAT for Live Chats While...
Key Findings: Researchers at Point Wild have discovered a new Windows malware campaign using the Pulsar RAT and Stealerv37. The malware hides in the computer's memory to steal passwords, cryptocurrency, gaming accounts, and other sensitive data. Attackers are able to interact with victims through a live chat window while the malware operates in the background. The malware uses living-off-the-land techniques to bypass detection by most antivirus programs. Background: The Lat61 T
Feb 1, 2 min read
Mandiant Finds ShinyHunters Using Vishing to Steal MFA and Breach SaaS Platforms
Key Findings: Mandiant has identified an "expansion in threat activity" using tactics consistent with extortion-themed attacks orchestrated by the ShinyHunters hacking group. The attacks leverage advanced voice phishing (vishing) and fake credential harvesting sites to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The end goal is to target cloud-based software-as-a-service (SaaS) applications
Feb 1, 2 min read
Cyber Campaign Targeting Human Rights NGOs and Activists Linked to Iran's RedKitten
Background: The RedKitten cyber campaign is suspected to be linked to Iranian state interests and is targeting non-governmental organizations (NGOs) and individuals involved in documenting recent human rights abuses in Iran. The campaign was observed by the French cybersecurity company HarfangLab in January 2026, coinciding with the nationwide unrest in Iran that began towards the end of 2025. The unrest in Iran was sparked by soaring inflation, rising food prices, and currenc
Jan 31, 3 min read
US Seizes $400 Million Connected to Helix Dark Web Crypto Mixer
Key Findings: The U.S. government has seized over $400 million in assets linked to the notorious darknet cryptocurrency mixer Helix. The assets include cryptocurrencies, real estate, and other monetary holdings previously owned by Helix's Ohio-based operator, Larry Dean Harmon. Helix processed an estimated 354,468 bitcoins, worth around $311 million at the time, through over 1.2 million transactions between 2014 and 2017. The service was popular among darknet drug dealers and
Jan 31, 2 min read
Arsenik Spyware Posing as WhatsApp, YouTube, Instagram, and TikTok Hits 143 Countries
Key Findings: Arsink is a dangerous Android Trojan that impersonates over 50 popular brands, including WhatsApp, YouTube, Instagram, and TikTok. The malware has infected over 45,000 devices across 143 countries, with major clusters in Egypt, Indonesia, and Iraq. Arsink grants hackers complete remote control, allowing them to record audio, read text messages, and wipe devices. Background: A massive new
Jan 31, 2 min read
Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing User Data
Key Findings: Cybersecurity researchers have discovered a cluster of 29 malicious Google Chrome extensions that target e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The extensions, including "Amazon Ads Blocker," automatically inject the developer's affiliate tags into product links, replacing existing affiliate codes from content creators. The extensions violate Chrome Web Store policies by misrepresenting their functionality, combining
Jan 30, 2 min read
Former Google Engineer Convicted of Stealing AI Secrets for China
Key Findings: Former Google software engineer Linwei Ding (also known as Leon Ding) was convicted by a federal jury on 7 counts of economic espionage and 7 counts of theft of trade secrets. Ding stole over 2,000 confidential documents containing Google's trade secrets related to artificial intelligence (AI) technology. The stolen information included details about Google's custom Tensor Processing Unit (TPU) chips, Graphics Processing Unit (GPU) systems, software orchestratin
Jan 30, 2 min read
Johnson Controls Vulnerability Exposes Smart Buildings to Remote SQL Injection (CVSS 10)
Key Findings: Johnson Controls' Metasys building automation system contains a critical vulnerability (CVE-2025-26385) with a CVSS score of 10. The flaw allows remote SQL injection, potentially enabling attackers to execute commands and take control of building environments. The vulnerability affects multiple Metasys components, including the Application and Data Server (ADS), Extended ADX, and various configuration tools. Successful exploitation could result in data alteration
Jan 30, 2 min read
Op Bizarre Bazaar: New LLMjacking Campaign Targets Unprotected Models
Key Findings: A new LLMjacking campaign named "Operation Bizarre Bazaar" was active between December 2025 and January 2026. Around 35,000 attack sessions were recorded during
Jan 30, 2 min read
Cluster Admin for All: Critical Kyverno Flaw (CVSS 10) Shatters Isolation
Key Findings: Kyverno, a popular Kubernetes-native policy engine, has released an urgent security update to address a critical vulnerability (CVE-2026-22039) with a maximum CVSS score of 10. The flaw allows any user with policy creation rights to effectively become a cluster admin, shattering Kyverno's isolation boundaries. The update also fixes a high-severity Denial of Service (DoS) vulnerability (CVE-2026-23881) with a CVSS score of 7.7. Background: Kyverno is a Kubernetes-n
Jan 30, 2 min read
I'm Locked In: A Tale of Unexpected Confinement
Key Findings: Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant. Background: Cisco Talos Incident Response's report fo
Jan 29, 2 min read
SolarWinds Addresses Critical Vulnerabilities in Web Help Desk
Key Findings: SolarWinds has released security updates to address six vulnerabilities in their Web Help Desk product, including four critical flaws. The four critical vulnerabilities could be exploited without authentication to achieve remote code execution (RCE) or bypass authentication: CVE-2025-40551 (CVSS 9.8) - Unauthenticated RCE via deserialization of untrusted data; CVE-2025-40552 (CVSS 9.8) - Authentication bypass to execute actions and methods; CVE-2025-40553 (CVSS 9.8
Jan 29, 1 min read
Google Cracks Down on IPIDEA's Vast Residential Proxy Network
Key Findings: Google and partners disrupted IPIDEA, one of the world's largest residential proxy networks, through legal domain takedowns, intelligence sharing, and ecosystem-wide enforcement. IPIDEA's proxy infrastructure was heavily abused by cybercrime groups, espionage actors, and botnets like BADBOX 2.0, Aisuru, and Kimwolf. Over 550 tracked threat groups used IPIDEA's exit nodes in a single week, exposing users' devices and networks to compromise and abuse. Google's acti
Jan 29, 2 min read
Fake Moltbot AI Coding Assistant: Malware Threat in VS Code Marketplace
Key Findings: A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" has been discovered on the official Extension Marketplace. The extension claims to be a free artificial intelligence (AI) coding assistant for the popular open-source project Moltbot, but it stealthily drops a malicious payload on compromised hosts. The extension was published by a user named "clawdbot" on January 27, 2026, and has since been taken down by Mic
Jan 29, 2 min read