Cybercrime
-
Odido cyberattack exposes personal data of 6.2 million customers
A Dutch telecom provider detected a cyberattack that exposed personal data for about 6.2 million customers. The provider blocked access, notified the data regulator, and is emailing affected customers with details.
-
Abandoned Outlook add-in hijacked to phish about 4,000 Microsoft accounts
An abandoned Outlook add-in listed in Microsoft’s store was hijacked to host phishing pages that stole credentials from about 4,000 users, a technical analysis found. Users should remove the add-in and reset passwords.
-
Lazarus supply chain campaign plants malicious packages on npm and PyPI
Researchers found malicious npm and PyPI packages tied to the Lazarus Group in a recruitment-themed campaign active since May 2025. One npm package exceeded 10,000 downloads before a malicious update was published.
-
30 fake AI Chrome extensions with 300,000 installs steal credentials and email content
Thirty malicious Chrome extensions with more than 300,000 installs posed as AI assistants to steal credentials, Gmail content, and voice transcripts, according to a technical analysis by LayerX. Users should remove suspicious extensions and reset passwords if compromised.
-
Cross-platform RAT campaigns target Indian defense and government-aligned organizations
Multiple campaigns used Geta RAT, Ares RAT and DeskRAT to compromise Windows and Linux systems at Indian defense and government-aligned organizations in late 2025 and early 2026.
-
Crazy ransomware gang abuses employee monitoring and SimpleHelp to maintain access
A technical analysis by Huntress found Crazy gang operators abused Net Monitor and SimpleHelp to keep access, move files, execute commands, and prepare ransomware. Initial access used compromised SSL VPN credentials, and defenders should enforce multifactor authentication.
-
New Linux botnet SSHStalker uses IRC C2 and scanned nearly 7,000 hosts
SSHStalker is a Linux botnet that uses IRC for command and control and performed nearly 7,000 SSH scans in January. It compiles C bots on infected hosts and persists via one-minute cron jobs. System operators should monitor compiler use and block outbound IRC traffic.
-
North Korean operatives apply to remote jobs using real LinkedIn accounts, security post says
North Korean operatives are applying for remote jobs while impersonating the owners of real LinkedIn accounts, relying on verified workplace details to appear legitimate. Employers are advised to validate candidate email control and confirm account ownership before hiring.
-
Reynolds ransomware bundles vulnerable driver to disable EDR tools
Researchers disclosed Reynolds ransomware that bundles a vulnerable NsecSoft NSecKrnl driver used to disable endpoint security. The driver is linked to CVE-2025-68947 with a CVSS score of 5.7.
-
Warlock ransomware breaches network through unpatched SmarterMail instance
A SmarterTools community advisory says the Warlock gang breached an unpatched SmarterMail instance on January 29, 2026, affecting about 12 Windows servers and a secondary data center. Updates and isolation were recommended to limit spread.








