Friday Wrap Up: 9 January 2026
Another week, another wave of vulnerabilities keeping us on our toes!
From nation-state hackers conducting global credential harvesting campaigns to fake AI Chrome extensions stealing nearly a million users’ data, this week proved cybersecurity professionals earn every bit of their coffee budget. Critical n8n vulnerabilities reached CVSS scores that made even hardened defenders nervous, while Chinese Salt Typhoon intrusions keep expanding in scope. Meanwhile, Disney learned that YouTube privacy violations cost $10M—turns out COPPA compliance isn’t optional.
The hospitality sector got hammered by sophisticated ClickFix campaigns, Android botnets grew to 2 million devices, and WhatsApp became an unlikely malware distribution vector in Brazil. On the defensive side, researchers turned the tables with a honeypot that successfully snared Scattered Lapsus$ operators, proving that sometimes the best defense is a really convincing fake dataset.
Patch your systems, enable that MFA, and maybe check if those Chrome extensions are actually legitimate. Your Friday reminder that threat actors never take the weekend off—so neither should your security posture.
#ThreatIntelligence #InfoSec #CyberSecurity #Malware #DataBreach #Ransomware #FWU #FridayWrapUp
Major Cyberattacks & Incidents
This week’s breach landscape spans VPN services, hospitality targets, and gas station operations.
🛡️ NordVPN denied breach allegations after attackers claimed access to internal Salesforce servers, stating cybercriminals obtained dummy data from a third-party testing platform trial account. (Published on 5-Jan-2026, BleepingComputer). Read More
🎯 Sophisticated ClickFix campaign targets hospitality sector with fake Booking.com reservation cancellations and fake BSODs, tricking victims into executing malicious code that delivers RAT infections. (Published on 6-Jan-2026, SecurityWeek). Read More
🏨 Multi-stage PHALT#BLYX ClickFix malware campaign hits hospitality organizations using social engineering tactics and MSBuild.exe abuse to compromise systems and deploy remote access trojans. (Published on 6-Jan-2026, Infosecurity). Read More
🔐 ownCloud urgently recommends enabling multi-factor authentication after receiving reports of credential theft, warning users that compromised credentials could enable unauthorized data access by attackers. (Published on 7-Jan-2026, BleepingComputer). Read More
⛽ Texas-based Gulshan Management Services, operating Handi Plus and Handi Stop gas stations, disclosed a ransomware-triggered data breach impacting over 377,000 individuals’ personal information. (Published on 7-Jan-2026, Hackread). Read More
⛽ Gulshan Management Services reported that a ransomware attack led to a data breach affecting 377,000 people associated with its Texas gas station operations across 150 locations. (Published on 9-Jan-2026, SecurityWeek). Read More
Malware & Vulnerabilities
Critical flaws and emerging threats dominated patching priorities this week.
🐍 VVS Stealer, a Python-based information stealer sold on Telegram since April 2025, harvests Discord credentials and tokens using Pyarmor-obfuscated code to evade detection. (Published on 5-Jan-2026, The Hacker News). Read More
📱 Kimwolf Android botnet grows to 2 million compromised devices, monetizing through DDoS attacks, fraudulent app installations, and selling proxy bandwidth via residential proxy networks. (Published on 5-Jan-2026, SecurityWeek). Read More
🌐 RondoDox botnet expands operations by exploiting React2Shell vulnerability, targeting Next.js servers with cryptomining payloads, botnet infections, and other malicious activity threatening IoT and enterprises. (Published on 5-Jan-2026, Dark Reading). Read More
🤖 High-severity flaw in Open WebUI Direct Connections (used for AI integrations) creates a risk of account takeover and server compromise, and requires immediate attention. (Published on 6-Jan-2026, Infosecurity). Read More
⚠️ Critical n8n vulnerability (CVE-2025-68668, CVSS 9.9) enables authenticated attackers to execute arbitrary system commands on the underlying host in the workflow automation platform. (Published on 6-Jan-2026, The Hacker News). Read More
🌐 Legacy D-Link DSL gateway routers face active exploitation of newly discovered command injection vulnerability, affecting multiple out-of-support models with no patches available. (Published on 6-Jan-2026, BleepingComputer). Read More
💾 Veeam patched critical remote code execution vulnerability allowing operator-level users to execute commands with database administrator privileges in Backup & Replication software. (Published on 7-Jan-2026, CyberScoop). Read More
🔌 Malicious Chrome extensions with 900,000 combined downloads caught impersonating legitimate AITOPIA extension, exfiltrating users’ AI chat conversations and browser activity to attacker infrastructure. (Published on 7-Jan-2026, SecurityWeek). Read More
💳 Ghost Tap Android malware enables remote NFC payment fraud, allowing unauthorized tap-to-pay transactions without physical access to victims’ bank cards or devices. (Published on 7-Jan-2026, Infosecurity). Read More
💬 WhatsApp worm spreads Astaroth banking trojan across Brazil by retrieving victims’ contact lists and automatically sending malicious messages to propagate the Windows malware. (Published on 8-Jan-2026, The Hacker News). Read More
🚨 CISA added Microsoft Office (CVE-2009-0556) and HPE OneView vulnerabilities to Known Exploited Vulnerabilities catalog after detecting active exploitation in the wild. (Published on 8-Jan-2026, The Hacker News). Read More
⚠️ Second critical n8n vulnerability (CVE-2026-21877, CVSS 10.0) discovered by Upwind enables full system takeover, requiring immediate update to version 1.121.3 to prevent exploitation. (Published on 8-Jan-2026, Hackread). Read More
🌐 Fake AI-powered Chrome extensions mimicked legitimate tools to steal 900K users’ ChatGPT and DeepSeek data before sending harvested information to command-and-control servers. (Published on 8-Jan-2026, Dark Reading). Read More
🤖 GoBruteforcer botnet actively targets exposed Linux servers, conducting brute-force attacks against FTP, MySQL, and other services to compromise systems and expand operations. (Published on 8-Jan-2026, Infosecurity). Read More
🛡️ Trend Micro patched critical remote code execution vulnerability in Apex Central on-premise console, allowing attackers to execute arbitrary code with SYSTEM-level privileges. (Published on 9-Jan-2026, BleepingComputer). Read More
🔧 Cisco ISE vulnerability (CVE-2026-20029, CVSS 4.9) enables authenticated administrators to exploit improper XML parsing in licensing features, gaining unauthorized read access to sensitive files. (Published on 9-Jan-2026, CSO Online). Read More
AI & Policy
Regulatory actions and AI security concerns continue shaping the landscape.
🎬 Disney settles with DOJ and FTC for $10 million over YouTube privacy violations under COPPA, implementing new measures to protect children’s data collection practices. (Published on 5-Jan-2026, Hackread). Read More
🤖 Employees using personal LLM accounts for work tasks create shadow AI risks, with lack of governance and visibility resulting in increased data security exposures. (Published on 7-Jan-2026, Infosecurity). Read More
🔧 Gmail launches AI Inbox powered by Gemini to summarize emails, with Google explicitly stating it will not train AI models on user email content. (Published on 8-Jan-2026, BleepingComputer). Read More
🧟 Radware researchers demonstrated ZombieAgent attack, successfully bypassing ChatGPT protections to exfiltrate user data and implant persistent logic into the agent’s long-term memory. (Published on 9-Jan-2026, SecurityWeek). Read More
Espionage & Data Extraction
Nation-state actors remain persistently active across global targets.
🎯 Russian APT28 (BlueDelta) conducted credential harvesting campaign targeting Turkish energy and nuclear research personnel, European think tanks, and organizations in North Macedonia and Uzbekistan. (Published on 9-Jan-2026, The Hacker News). Read More
🇨🇳 The scope of the Chinese Salt Typhoon hack expands as investigations reveal Chinese state hackers spent over a year undetected inside major U.S. telecom networks, spying on officials. (Published on 9-Jan-2026, Techdirt). Read More
Vulnerability Research & Industry Analysis
Researchers spotlight metadata leaks and novel attack techniques.
📱 WhatsApp metadata leak enables device fingerprinting useful for sophisticated spyware delivery, though impact remains limited without zero-day exploits; Meta is rolling out fixes. (Published on 5-Jan-2026, SecurityWeek). Read More
Cybersecurity Tools & Techniques
Defenders demonstrate creative approaches to identifying threat actors.
🪤 Security researchers successfully trapped Scattered Lapsus$ Hunters (ShinyHunters) using a honeypot with realistic but mostly fake datasets, drawing in the notorious threat actors. (Published on 6-Jan-2026, Dark Reading). Read More
Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!