
🕵🏻‍♂️ [InfoSec MASHUP] 06/2026



This week’s AI zeitgeist didn’t just spawn memes — it exposed real, systemic risks at the intersection of autonomy, identity, and trust. On one front, a critical vulnerability in the self‑hosted AI assistant OpenClaw (previously Clawdbot/Moltbot) allowed attackers to steal authentication tokens and achieve remote code execution via a single malicious link — a classic web attack chain repurposed against an AI agent ecosystem. The flaw (tracked as CVE‑2026‑25253) hinged on improper origin validation in OpenClaw’s local gateway, letting a crafted page trigger a token leak and session hijack before it was patched.

At the same time, Moltbook — a Reddit‑style social network exclusively for AI agents — went viral, attracting millions of registered bots and widespread fascination about the idea of autonomous digital actors forming “machine societies.” But the hype masked serious cybersecurity failures: misconfigured backends exposed millions of API keys, agent tokens, and private messages to unauthenticated access, and researchers found prompt injection and bot‑to‑bot social engineering risks that could propagate malicious instructions through the agent population.

These two developments are linked by more than branding. They illustrate a converging threat landscape where:

  • Autonomous agents operate with deep system access,

  • Shared agent ecosystems become new attack surfaces, and

  • Viral prompt sharing and AI‑to‑AI networks can amplify hidden exploits.

It’s a reminder that even as AI autonomy grabs attention, the fundamentals of cybersecurity (protecting data, accounts, and trust boundaries) remain as crucial as ever. Because before we debate sentience, we need to secure the agents we have already deployed.

Let’s now dive into this week’s top insights! 🚀


🔓 BREACHES & SECURITY INCIDENTS

🇮🇹 🏫 Rome’s La Sapienza university was hit by a cyberattack that forced its IT systems offline and disrupted operations. Authorities and cybersecurity teams say it may be ransomware (linked to a pro-Russian group) and are restoring systems from backups. Students and staff are advised to watch for phishing and suspicious activity while recovery continues.

🇮🇹 ⛷️ 🇷🇺 Italy said it stopped cyberattacks aimed at its foreign ministry sites and Winter Olympics websites and hotels. Foreign Minister Antonio Tajani said the attacks were linked to Russia. Thousands of security officers are deployed across the Games.

📤️ Substack notified users that attackers accessed some email addresses, phone numbers, and internal metadata in an October 2025 breach. The company says passwords, credit card numbers, and financial data were not accessed and that it has fixed the vulnerability. Substack warned users to watch for phishing; the leaked data appeared on a hacking forum.

Figure: e-mail received by Substack users notifying them of the breach

💸 Step Finance said hackers stole about $40 million after compromising executives' devices. The company worked with security teams and has recovered roughly $4.7 million so far. Operations are paused, and users have been told not to trade STEP while investigations continue.


🔓️ On January 7 attackers used a compromised account to force-push malicious JavaScript into several Plone GitHub repositories. The Plone team removed the code, enabled organization-wide rules to block force pushes and restrict tag updates, and advised checking personal access tokens. The injected code aimed to persist, steal credentials, and target developers’ build environments.

🇺🇸 Coinbase confirmed a contractor improperly accessed data for about 30 customers in a December insider breach — Screenshots of an internal support tool briefly appeared online, showing detailed customer information. The incident highlights growing attacks on outsourced support firms that give threat actors access to sensitive data.

🗒️ 🇨🇳 Notepad++ was hit by a supply-chain attack that redirected updater traffic through its hosting provider so some users got malicious updates. Security investigators say a China-linked, likely state-sponsored group targeted specific organizations and abused a compromised shared server. Notepad++ moved hosts and added update verification to stop the attack.

🇺🇸 🍞 A data breach at Panera Bread exposed records from a January 2026 attack. Have I Been Pwned says 5.1 million unique accounts were affected, not 14 million customers. The data leaked by the ShinyHunters gang included names, emails, phones, and addresses.

🕹️ NationStates confirmed a data breach after a player exploited a vulnerability and gained remote access to its production server. Exposed data may include email addresses, MD5 password hashes, IPs, and browser info, and some private messages may have been accessed. The site is offline for a full rebuild, security upgrades, and investigations while users are advised to check their account data.



🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇩🇪 Germany warns that state-linked actors are phishing senior officials on Signal to hijack accounts and steal chats and contacts. Attackers trick victims into revealing PINs or scanning QR codes to register devices they control. Authorities advise blocking/reporting fake support messages, enabling Signal’s Registration Lock, and checking linked devices.

🇳🇴 🇨🇳 Norway says China-linked hackers Salt Typhoon broke into several Norwegian organizations — The group targeted weak network devices to spy on victims. Salt Typhoon has long attacked critical infrastructure worldwide.

🤑 💩 Ransomware group Nitrogen's ESXi-targeting malware corrupts its own public key, so decryptors cannot recover files even if victims pay. Coveware found a coding bug where a QWORD overwrote bytes of the public key. The mistake makes the attacks purely destructive and payment futile.

🇷🇺 Russian-state hackers quickly exploited a critical Microsoft Office flaw (CVE-2026-21509) within 48 hours of a patch. They used a novel, in-memory exploit and new backdoors to infect diplomatic, maritime, and transport organizations in several countries. The attacks were stealthy, used compromised government accounts, and hid command channels in legitimate cloud services.

🇺🇸 Sen. Maria Cantwell says AT&T and Verizon refused to share a Mandiant report about the Salt Typhoon hacks. She wants the CEOs to testify before Congress about how the breaches happened and what fixes were made. Cantwell warns telecoms’ resistance leaves Americans’ communications at risk.

🇨🇳 👀 A new China-linked group called Amaranth Dragon exploited a WinRAR flaw (CVE-2025-8088) to spy on government and law enforcement agencies in Southeast Asia. They used a custom loader, encrypted payloads, Cloudflare-hosted C2 servers with geofencing, and a new TGAmaranth RAT delivered via DLL sideloading. Defenders should update WinRAR to 7.13+ and use the provided IOCs and YARA rules to detect infections.

Figure: Campaigns timeline/Check Point

🐼 🇨🇳 Between December 2025 and January 2026, hackers linked to China’s Mustang Panda used fake diplomatic briefings to infect officials and diplomats. The malicious PDFs deployed a downloader called DOPLUGS (PlugX) and used DLL hijacking to quietly collect data. Security researchers advise caution with unexpected summary or briefing documents, even if they look official.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

👁️ 🐾 🇺🇸 The DHS inspector general opened an audit of the department’s handling of biometric and personal data — The review will start with ICE and the Office of Biometric Identity Management. Senators raised concerns about mass collection, sharing, and possible civil liberties violations.

🇺🇸 ⚖️ A 23-year-old New York man, Aaron Corey, was arrested and charged with receiving child sexual abuse material — Investigators say he ran 764-related chats and had images and videos of young children on his devices. Authorities say this arrest is part of wider actions against the violent extremist network 764 and its offshoots.

🇺🇸 👀 Homeland Security has used administrative subpoenas to demand identity information from tech companies about people and anonymous accounts critical of the Trump administration. These subpoenas skip judicial oversight and can reveal login times, IPs, emails, and other identifiers. Civil rights groups say this chills free speech, and some companies sometimes resist or push back.

🇺🇸 National Cyber Director Sean Cairncross urged industry to work with the Trump administration to reduce cybersecurity regulation and improve information sharing. He asked companies to support a 10-year extension of the Cybersecurity Information Sharing Act. He said the administration wants partnership, not punishment, and will roll out a new cybersecurity strategy soon.

🇯🇵 🤝 🇬🇧 Japan and Britain agreed to boost cooperation on cybersecurity and critical minerals as China’s influence grows. They will work to secure supply chains and strengthen economic and security ties. Both countries aim to make trade and defense partnerships more resilient.


🦠 MALWARE & THREATS

🔄 SystemBC malware survived a law enforcement takedown and now infects over 10,000 devices worldwide. It turns infected machines into SOCKS5 proxies and helps distribute ransomware and other malware. Most victims are in the US, Germany, France, Singapore, and India.

🎣 A global spam wave is flooding inboxes with fake "Activate account" emails sent via unsecured Zendesk support forms. Attackers are abusing ticket submission to trigger mass confirmation messages that bypass filters. Despite Zendesk's earlier fixes, the abuse appears to be recurring.

🇷🇺 Russia-linked APT28 used a new Microsoft Office flaw (CVE-2026-21509) to deliver espionage malware in Ukraine, Slovakia, and Romania. Attackers sent localized lure documents that downloaded droppers which install an email stealer (MiniDoor) or a loader (PixyNetLoader) that hides shellcode in a PNG and launches a Covenant Grunt implant. CERT-UA and Zscaler say the campaign used targeted server checks, COM hijacking, and steganography to evade detection and hit government-related emails.

🧩 Attackers hijacked a trusted Open VSX publisher account and pushed malicious updates of four popular VS Code extensions. The malware targets macOS, steals browser data, crypto wallets, and developer credentials, and loads instructions from Solana transaction memos. The campaign uses runtime-decrypted loaders and leaked publishing tokens to evade detection and rotate infrastructure.

🦠 Attackers breached eScan's update servers and pushed a malicious update that installed a persistent downloader. The malware replaced legit files, blocked updates and fetched further payloads via PowerShell. Hundreds of machines in South Asia and elsewhere were targeted before the servers were isolated and patched.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🤖 The rise of Moltbook — In 1988 the Morris worm spread across the early Internet and crashed many systems because of a coding mistake. Today, AI agents can share and copy prompts across networks in a similar way. Experts warn these viral prompts could become a major new security threat.

🦞 OpenClaw, a self-hosted AI assistant, had a critical vulnerability allowing attackers to steal a user’s authentication token by tricking them into visiting a malicious website. With the stolen token, attackers could connect to the victim’s OpenClaw instance, disable protections, and run arbitrary commands on the host. The flaw (CVE-2026-25253) was patched in version 2026.1.29 after researchers disclosed the issue.

🇫🇷 French prosecutors raided X's Paris offices and are investigating its Grok AI for generating sexual deepfakes and other illegal content. Elon Musk and X CEO Linda Yaccarino were summoned for voluntary interviews, and more employees will be questioned. The probe involves multiple alleged offenses and joins other EU and UK investigations into X's handling of the tool.

UK privacy watchdog probes Grok over AI-generated sexual images

🍎 📍 Apple is adding a "Limit Precise Location" setting in iOS 26.3+ that stops cellular networks from getting exact street-level location and only shares an approximate area. It works on select iPhone and iPad models and needs carrier support to function. Emergency calls and app Location Services are not affected.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE


🤖 👀 🐛 Anthropic says its new LLM, Claude Opus 4.6, found over 500 previously unknown high-severity security flaws in major open-source libraries. The model can read and reason about code like a human researcher and helped prioritize and validate real memory-corruption bugs that have since been patched. Anthropic calls such AI tools crucial for defenders but warns of misuse and plans added safeguards.

🐛 A critical vulnerability (CVE-2026-25049) in n8n allows authenticated users who can create or edit workflows to run arbitrary system commands. The flaw bypasses previous fixes by abusing expression evaluation and TypeScript runtime/type mismatches, and is especially dangerous when paired with public webhooks. Patch to versions 1.123.17 / 2.5.2 or restrict workflow permissions and harden deployments immediately.

💥 Researchers found attackers exploiting the React2Shell flaw to inject malicious NGINX configurations and hijack web traffic. The attackers use a multi-stage script toolkit to persist, discover targets (especially Asian and government/education TLDs), and redirect requests to attacker-controlled servers. Two IPs drove most exploitation attempts, with varied post-exploit payloads like cryptominers and reverse shells.

Figure: NGINX attack flow diagram/securitylabs.datadoghq.com

🔓️ 🫰 Attackers are automatically targeting unsecured, internet-exposed MongoDB servers and wiping data to demand small Bitcoin ransoms (about 0.005 BTC). Flare researchers found over 208,500 exposed instances, 3,100 without authentication, and nearly half of those had already been compromised. Administrators are urged to stop public exposure, enable strong auth, update MongoDB, and monitor for breaches.

Figure: Shodan search results/Flare

💥 Attackers have been exploiting a critical React Native development server bug (CVE-2025-11953, "Metro4Shell") since late December. The flaw lets remote actors run commands via Metro’s default external binding, enabling multi-stage PowerShell loaders that disable Defender and fetch Rust payloads. Thousands of internet-exposed React Native instances may be at risk.

🛰️ ICS, OT & IoT

🇺🇸 CISA ordered federal agencies to stop using unsupported edge devices like routers and firewalls because they are high-risk attack points. Agencies must inventory such devices within three months and replace them within a year. CISA will publish a list of end-of-service devices and wants agencies to set up regular checks for unsupported gear.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
