News
-
NationStates confirms data breach after player gained server access
NationStates took its site offline on January 27, 2026 after an unauthorized user gained remote code execution on the production server and copied user data. Exposed items include email addresses and MD5 password hashes.
-
State actors hijacked Notepad++ updater to redirect users to malicious servers
Notepad++’s maintainer said attackers compromised hosting infrastructure to hijack the updater and redirect some users to malicious servers. The activity began in June 2025 and credentials persisted until December 2 2025.
-
eScan update servers used to deliver persistent downloader in supply chain attack
Unknown attackers distributed a malicious eScan update on January 20, 2026 that replaced reload.exe and deployed a downloader. The vendor isolated servers for over eight hours and published a patch to revert the changes.
-
Threat actor compromises about 1,400 exposed MongoDB servers in low-value extortion campaign
A technical analysis found a threat actor compromised about 1,400 exposed MongoDB servers, leaving ransom notes demanding about 0.005 BTC per victim. Researchers identified roughly 208,500 exposed servers and many running outdated versions.
-
Iran-linked RedKitten campaign uses AI-generated macros to deploy SloppyMIO backdoor
A HarfangLab technical analysis links a January 2026 campaign to an Iran-aligned actor using macro-laced Excel files to deploy the SloppyMIO backdoor that retrieves configuration via GitHub and exfiltrates via Telegram.
-
TriZetto breach may have exposed PHI for more than 700,000, Oregon providers to notify patients
An intrusion into TriZetto Provider Solutions discovered in October 2025 may have exposed protected health information for more than 700,000 people. Local Oregon providers will notify thousands of patients about exposed records.
-
Researchers find Chrome extensions that hijack affiliate links and scrape data
Security researchers uncovered Chrome extensions that rewrite affiliate links and scrape product data. A Socket technical analysis links the behavior to a cluster of 29 add ons that target major e commerce sites and exfiltrate information.
-
China-linked UAT-8099 targets IIS servers in Asia with BadIIS SEO fraud
Researchers found a late 2025 to early 2026 campaign by UAT-8099 that used web shells and BadIIS malware to run SEO fraud on IIS servers, concentrating attacks in Thailand and Vietnam.
-
SmarterMail patched critical unauthenticated RCE and path coercion flaws
SmarterMail fixes address a critical unauthenticated remote code execution flaw CVE-2026-24423 rated 9.3 and a medium severity path coercion issue that can enable NTLM relay. Administrators should install the updated builds immediately.
-
Ivanti issues fixes for two critical EPMM code injection zero day flaws
Ivanti released updates for two critical EPMM code injection vulnerabilities that allow unauthenticated remote code execution. One was added to the CISA KEV catalog. Patches, detection steps and remediation guidance are published in the vendor advisory.
