Daily summary - 26.01.2026

End-of-Day report

Timeframe: Friday 23-01-2026 18:00 - Monday 26-01-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler

News

Hackers can bypass npm's Shai-Hulud defenses via Git dependencies

The defense mechanisms that npm introduced after the Shai-Hulud supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. [..] the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that allow managing dependencies, like pnpm, vlt, Bun, and npm. [..] They say that the problems were addressed in all tools except for npm, which closed the report stating that the behavior "works as expected."

https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/

Nearly 800,000 Telnet servers exposed to remote attacks

Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.

https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/

Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers

As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT. [..] The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that's designed to execute an AutoIt script disguised as a PDF document.

https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html

Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants [..] The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below: ChatGPT - *** [..] ChatGPT - ChatMoss

https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html

BitLocker: Microsoft hands over keys to law enforcement

Anyone who encrypts their hard disk or SSD should be able to assume that only they can decrypt it again. With Microsoft's BitLocker encryption technology, however, this does not necessarily seem to be the case, because in the Home edition of Windows the company automatically stores the key in the user's online account.

https://www.heise.de/news/Microsoft-gibt-BitLocker-Schluessel-an-Strafverfolgungsbehoerden-11152988.html

Microsoft SharePoint/OneDrive: IDCRL authentication ends as of 31 Jan 2026 - OpenID Connect and OAuth are coming (MC1184649)

Microsoft is retiring the IDCRL authentication protocol for the online versions on 31 January 2026. Authentication will then take place via OpenID Connect and OAuth, but can still be switched back for a few more weeks. Microsoft already announced the change in November 2025, but posted it again as a reminder on 20 January 2026 in the Microsoft 365 Message Center under MC1184649 - Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols.

https://borncity.com/blog/2026/01/25/microsoft-sharepoint-onedrive-idcrl-authentication-endet-ab-31-jan-2026-openid-connect-und-oauth-kommt-mc1184649/

$6,000 "Stanley" Toolkit Sold on Russian Forums Fakes Secure URLs in Chrome

Varonis researchers discovered that Stanley uses a clever trick of disguising itself as a simple note-taking tool called Notely. Once a person installs it, the app can display a fake login page directly over a real website. [..] What is most concerning for the average user is that this toolkit isn't just a piece of software but a full-featured service. The most expensive version comes with a guarantee that the malicious app will pass the official security checks of the Chrome Web Store.

https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/

New Fake CAPTCHA Scam Abuses Microsoft Tools to Install Amatera Stealer

Blackpoint Cyber discovered a new Fake CAPTCHA campaign that tricks users into installing Amatera Stealer. By abusing legitimate Microsoft scripts and hiding malicious code in Google Calendar and PNG images, this attack bypasses standard security to harvest private passwords and browser data.

https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/

F5: K000159681: Credential harvesting campaign targeting F5 VPN users

On January 13, 2026, researchers identified a large-scale credential harvesting campaign targeting several VPN providers, including F5. The threat actors behind the campaign registered numerous doppelgänger domains designed to mimic legitimate F5 domains. These domains are used to deceive victims into downloading counterfeit BIG-IP VPN client installers. [..] IOCs, C2 servers, and the malicious script hash value

https://my.f5.com/manage/s/article/K000159681

Screeps: How a game about programming exposed thousands of players to remote code execution

In Screeps (short for "Scripting Creeps"), you cannot click on a unit ("creep") and tell it what to do. If you place a building on the map, your builders will stand next to it and do nothing. There are no buttons to give your creeps instructions. Instead, you must write code to define their behavior. [..] In Multiplayer Screeps worlds, all of the code to progress the game runs on the server, including the AI for your units. [..] Screeps is on Steam, and the native client reuses the browser code but with no sandboxing. nw.require('child_process').exec('your command here') will get you full command line access to the target machine. [..] It is fixed now, which was the primary goal of my writing this.

https://outsidetheasylum.blog/screeps/

The end of the curl bug-bounty

There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. [..] We saw an explosion in AI slop reports combined with a lower quality even in the reports that were not obvious slop - presumably because they too were actually misled by AI but with that fact just hidden better. [..] The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk.

https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/

Vulnerabilities

Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba's Physical Access Control System

In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba's physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators.

https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/

Security updates for Monday

Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).

https://lwn.net/Articles/1055958/

Beckhoff Security Advisory 2025-003: Vulnerabilities in Beckhoff Device Manager

https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2025-003.pdf