Daily summary - 08.01.2026

End-of-Day report

Timeframe: Wednesday 07-01-2026 18:00 - Thursday 08-01-2026 18:00 Handler: Felician Fuchs Co-Handler: n/a

News

New GoBruteforcer attack wave targets crypto, blockchain projects

A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.

https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/

Cisco warns of Identity Service Engine flaw with exploit code

Cisco has patched an ISE vulnerability with public proof-of-concept exploit code that can be abused by attackers with admin privileges.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/

Enable MFA urgently: mass data exfiltration from cloud instances

Affected are self-hosted instances of Owncloud, Nextcloud and Sharefile. Data from 50 organisations is up for sale because MFA was not enabled.

https://www.golem.de/news/dringend-mfa-aktivieren-massenhaft-daten-aus-cloud-instanzen-abgeflossen-2601-203932.html

NIS-2 implementation: BSI opens reporting portal hosted on Amazon servers

Nearly 30,000 companies and public authorities in critical infrastructure must register with the BSI. The portal runs on AWS cloud services.

https://www.golem.de/news/nis-2-umsetzung-bsi-schaltet-meldeportal-auf-amazon-servern-frei-2601-203957.html

BSI warns: 40 percent of German Zimbra servers are vulnerable to attack

A large share of all Zimbra servers in Germany still run an outdated version that is susceptible to dangerous security vulnerabilities.

https://www.golem.de/news/bsi-warnt-40-prozent-der-deutschen-zimbra-server-sind-angreifbar-2601-203959.html

Fake Browser Updates Targeting WordPress Administrators via Malicious Plugin

We recently investigated a case involving a WordPress website where a customer reported persistent fake pop-up notifications appearing on their site. The warnings were urging them to update their browser (Chrome or Firefox), even though their software was already fully up-to-date.

https://blog.sucuri.net/2026/01/fake-browser-updates-targeting-wordpress-administrators-via-malicious-plugin.html

CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html

Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT.

https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html

IBM's AI agent Bob easily duped to run malware, researchers show

Prompt injection lets risky commands slip past guardrails. IBM describes its coding agent thus: "Bob is your AI software development partner that understands your intent, repo, and security standards." Unfortunately, Bob doesn't always follow those security standards.

https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/

Together against cybercrime: information campaign for ESC ticket purchases

Ahead of the start of the first ticket sales wave on 13 January, ORF, EBU, BMI, the City of Vienna, the police and "Watchlist Internet" are raising awareness of cyber threats and setting up a central reporting office for fraud attempts.

https://www.watchlist-internet.at/news/gemeinsam-gegen-cyber-kriminalitaet-info-offensive-zum-esc-ticketkauf/

Stalkerware operator pleads guilty in rare prosecution

The owner of a Michigan-based stalkerware company pleaded guilty to federal charges for selling a product designed to spy on people without their consent.

https://therecord.media/stalkerware-guilty-plea-fleming

Fake ChatGPT and DeepSeek Extensions Spied on Over 1 Million Chrome Users

Security researchers have identified two malicious Chrome extensions recording AI chats. Learn how to identify and remove these tools to protect your privacy.

https://hackread.com/fake-chatgpt-deepseek-extensions-spy-chrome-users/

Discord Controlled NodeCordRAT Steals Chrome Data via NPM Packages

Zscaler ThreatLabz identifies three malicious NPM packages mimicking Bitcoin libraries. The NodeCordRAT virus uses Discord commands to exfiltrate MetaMask data and Chrome passwords.

https://hackread.com/discord-nodecordrat-steal-chrome-data-npm-packages/

The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks

Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.

https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks

Decoding the GitHub recommendations for npm maintainers

This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem.

https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-for-npm-maintainers/

Abusing ROPC to Bypass MFA - and How I Built a Detection for It in Microsoft Sentinel

Among all the OAuth2 grant types available in Azure AD (now Microsoft Entra ID), the Resource Owner Password Credential (ROPC) flow remains one of the most misunderstood - and most abused.

https://detect.fyi/abusing-ropc-to-bypass-mfa-and-how-i-built-a-detection-for-it-in-microsoft-sentinel-135e46aeb7c9

Preparing for Post-Quantum Cryptography

Learn what you can do today to prepare for Q-Day.

https://www.wiz.io/blog/preparing-for-post-quantum-cryptography

npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens

The JavaScript ecosystem spent much of 2025 responding to a sustained run of supply chain attacks, but it was the multi-wave Shai-Hulud campaign that ultimately reset expectations for what large-scale, automated compromise looks like. By the end of the year, organizations with JavaScript-heavy infrastructure were no longer treating supply chain malware as an edge case, but as an operational risk that could spread faster than human review. Now, npm says it is preparing its next major response.

https://socket.dev/blog/npm-to-implement-staged-publishing

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

The hacking group Crimson Collective claims to have access to Brightspeed's infrastructure and is disconnecting users from the company's home internet services. The group made its latest claims in a post on Telegram yesterday. "Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check," the Telegram post says.

https://thecyberexpress.com/crimson-collective-disconnects-brightspeed/

Trump Orders US Exit from Global Cyber and Hybrid Threat Coalitions

President Donald Trump has ordered the immediate withdrawal of the United States from several premier international bodies dedicated to cybersecurity, digital human rights, and countering hybrid warfare, as part of a major restructuring of American defense and diplomatic posture.

https://thecyberexpress.com/trump-orders-us-exit-from-cyber-coalitions/

UK Moves to Close Public Sector Cyber Gaps With Government Cyber Action Plan

The UK government has revealed the Government Cyber Action Plan as a renewed effort to close the growing gap between escalating cyber threats and the public sector's ability to respond effectively. The move comes amid a series of cyberattacks targeting UK retail and manufacturing sectors, incidents that have underscored broader vulnerabilities affecting critical services and government operations.

https://thecyberexpress.com/uk-government-cyber-action-plan/

Vulnerabilities

Max severity Ni8mare flaw lets hackers hijack n8n servers

A maximum severity vulnerability dubbed "Ni8mare" allows remote, unauthenticated attackers to take control over locally deployed instances of the N8N workflow automation platform.

https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/

Critical jsPDF flaw lets hackers steal secrets via generated PDFs

The jsPDF library for generating PDF documents in JavaScript applications is vulnerable to a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by including it in generated files.

https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/

The installers for multiple PIONEER products may insecurely load Dynamic Link Libraries

The installers for multiple products provided by PIONEER CORPORATION may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the privileges of the running installer.

https://jvn.jp/en/jp/JVN17956874/

zlib: critical vulnerability enables code injection - no update yet

IT researchers have discovered a critical security vulnerability in a tool of the zlib compression library, which is included in numerous programs and operating systems. Under certain circumstances it allows malicious code to be injected and executed. No update to close the security hole is available yet.

https://www.heise.de/news/zlib-Kritische-Sicherheitsluecke-ermoeglicht-Codeschmuggel-noch-kein-Update-11133774.html

Seven critical vulnerabilities with maximum rating threaten Coolify

Admins of Platform-as-a-Service environments based on Coolify should promptly bring their instances up to date. If they do not, attackers can, among other things, leverage seven "critical" vulnerabilities with the maximum rating (CVSS score 10 out of 10) to fully compromise servers.

https://www.heise.de/news/Sieben-kritische-Sicherheitsluecken-mit-Hoechstwertung-bedrohen-Coolify-11134510.html

Kanboard vulnerability allows login as any user

The open-source Kanban tool Kanboard is affected by three vulnerabilities. One of them is rated by the developers as a critical risk and allows logging in as any user, provided a certain configuration option is set.

https://www.heise.de/news/Kanboard-Sicherheitsluecke-ermoeglicht-Anmeldung-als-beliebiger-User-11134247.html

Security updates for Thursday

Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).

https://lwn.net/Articles/1053277/

[R1] Nessus Agent Versions 11.0.3 and 10.9.3 Fix One Vulnerability

A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. Tenable has released Nessus Agent 11.0.3 and Nessus Agent 10.9.3 to address these issues.

https://www.tenable.com/security/tns-2026-01

CVE-2025-42877: Memory Corruption in SAP Web Dispatcher

SAP Web Dispatcher and Internet Communication Manager (ICM) contain a critical memory corruption vulnerability in the HTTP header parsing function. The vulnerability allows an unauthenticated attacker to cause heap corruption and lead to Denial of Service through specially crafted HTTP requests.

https://redrays.io/blog/cve-2025-42877-sap-web-dispatcher-memory-corruption-analysis/

Case opened: DIVD-2025-00011 - Severe vulnerabilities in Growatt portal

https://csirt.divd.nl/cases/DIVD-2025-00011/