Security failures, often subtle, are increasingly emerging through compromised trusted tools and long-unquestioned habits, according to this week’s cybersecurity news recap. Attackers are demonstrating agility, blending established tactics with novel exploitation vectors, rendering “patched” a less definitive state of security while software continues to serve as a primary entry point.
This dynamic landscape underscores a swift shift in digital risk, where attention to granular details is paramount. The following updates offer insight into these evolving threats and the ongoing cybersecurity challenges organizations face in early 2026.
⚡ Threat of the Week: Fortinet Firewall Vulnerabilities Exploited
Fortinet has acknowledged ongoing exploitation of a FortiCloud SSO authentication bypass vulnerability, even on reportedly fully patched firewalls. This suggests a new attack path targeting an incomplete fix for previously identified vulnerabilities, CVE-2025-59718 and CVE-2025-59719. The flaw allows unauthenticated attackers to bypass Single Sign-On (SSO) authentication using crafted SAML messages if the FortiCloud SSO feature is active.
Fortinet stated that the identified exploitation instances involved devices that were updated to the latest release at the time of the attack, indicating the exploit’s sophistication or a novel method of bypassing existing defenses. In response, users are advised to restrict administrative access to edge network devices and disable the “admin-forticloud-sso-login” setting as a temporary mitigation until a complete fix is deployed.
🔔 Top News in Cybersecurity
TikTok Establishes U.S. Joint Venture Amid Federal Ban Concerns
TikTok has announced the formation of a new U.S. entity, TikTok USDS Joint Venture LLC, to continue its operations within the United States. This move complies with an executive order signed by U.S. President Donald Trump in September 2025. Under the agreement, TikTok’s Chinese parent company, ByteDance, will divest a majority stake to American investors, retaining a 19.9% share. This development concludes years of regulatory uncertainty stemming from national security concerns raised in August 2020.
AI-Generated Malware, VoidLink, Highlights Evolving Threat Landscape
The recently discovered Linux malware, VoidLink, which targets cloud servers, is believed to have been largely generated by artificial intelligence (AI). Researchers identified an exposed development plan that detailed AI usage and checkpoints to ensure code functionality. This indicates a significant advancement in AI’s role in creating sophisticated and feature-rich malware. The sophisticated nature of VoidLink, as described by researchers, shifts the baseline for AI-driven malicious activity, amplifying both the speed and scale of offensive capabilities, while also complicating attribution efforts.
Critical GNU InetUtils Telnetd Flaw Disclosed After Nearly a Decade
A critical vulnerability, CVE-2026-24061, has been disclosed in the GNU InetUtils telnet daemon (telnetd), remaining unaddressed for approximately 11 years. This flaw, introduced in March 2015, allows attackers to establish unauthenticated Telnet sessions, granting them unauthorized root access to affected systems. SafeBreach Labs, which analyzed the vulnerability, highlighted its ease of exploitation and released a proof-of-concept. The CVSS score for this vulnerability is 9.8, underscoring its severity.
Vishing Attacks Increasingly Target Identity Providers with Sophisticated Kits
Voice phishing (vishing) threat actors are now employing advanced phishing kits capable of intercepting user credentials and manipulating authentication flows in real-time within a target’s browser. Okta reports that instead of generic kits, a new generation of fraudsters is selling specialized panels tailored to specific targeted services, including major identity providers like Google, Microsoft Entra, and Okta, as well as cryptocurrency platforms. The ShinyHunters gang has been linked to some of these emerging attacks.
CrashFix Malvertising Campaign Leverages Fake Extensions to Deliver Malware
A malvertising campaign is utilizing a fake Chrome and Edge extension called NexShield as a precursor to ClickFix attacks. This malicious extension intentionally crashes the user’s browser, then presents a fraudulent fix upon restart. The pop-up displays fake warnings and prompts users to scan their system, leading to the execution of malicious commands via the Windows Run prompt. The ultimate payload of this campaign is a Python-based remote access tool known as ModeloRAT, highlighting browser extensions as a high-risk attack vector.
Contagious Interview Campaign Distributes New Backdoor via VS Code
North Korean threat actors behind the Contagious Interview campaign are now using Microsoft Visual Studio Code (VS Code) to deliver a new backdoor enabling remote code execution on developer systems. The attack chain involves tricking targets into cloning and opening malicious code repositories hosted on platforms like GitHub, disguised as part of a recruitment process. The exploitation relies on VS Code’s `runOptions` property within `tasks.json` files, which can automatically execute tasks when a workspace is opened, leading to malware installation.
884 New Vulnerabilities Exploited for the First Time in 2025
Vulnerability management company VulnCheck reported that 884 previously unexploited vulnerabilities were weaponized for the first time in 2025, an increase from 768 in the previous year. Notably, 28.96% of these “Known Exploited Vulnerabilities” (KEVs) were leveraged on or before their CVE publication date. Network edge devices, including firewalls and VPNs, were the most frequently targeted technologies, followed by content management systems and open-source software. This data emphasizes the urgency in addressing newly disclosed threats while managing existing vulnerability backlogs.
🔥 Trending CVEs in Cybersecurity
The rapid pace at which hackers exploit newly discovered vulnerabilities continues to pose a significant risk. A single unaddressed update can lead to a substantial data breach. Organizations are advised to prioritize remediation efforts based on the severity of these emerging security flaws.
This week’s list of trending CVEs includes significant vulnerabilities affecting GNU InetUtils telnetd (CVE-2026-24061), SmarterMail (CVE-2026-23760), Cisco Unified Communications and Webex Calling Dedicated Instance (CVE-2026-20045), Chainlit (CVE-2026-22218, CVE-2026-22219), and various other software and hardware components including Apache bRPC, GitLab, Microsoft products, and Zoom, among others.
📰 Around the Cyber World
1Password Introduces Phishing Site Warnings for Users
Password manager 1Password has implemented a new feature designed to warn users when they navigate to potentially phishing or spoofed websites. The tool will prevent automatic credential filling if the URL does not match a saved login. Additionally, when a user attempts to paste credentials onto a suspicious site, a warning pop-up will appear, prompting caution.
Malicious Chrome Extensions Compromise OpenAI API Keys and User Data
A Google Chrome extension named H-Chat Assistant, with over 10,000 users, has been discovered stealing OpenAI API keys and user prompts. Obsidian Security reports that the extension exfiltrates API keys and chat data to an attacker-controlled Telegram channel, potentially enabling unauthorized access to users’ OpenAI instances. Dozens of other Chrome extensions are also reportedly sending user prompts and data to third-party servers, often impersonating legitimate services like ChatGPT.
Microsoft Provides BitLocker Encryption Keys Under Legal Order in Fraud Case
Microsoft has reportedly complied with a court order to provide BitLocker encryption keys to the FBI, enabling access to encrypted data on laptops of individuals indicted in a fraud case. This marks a significant, publicly known instance of Microsoft supplying these keys, which are backed up to its servers when users link them to their Microsoft accounts. The company confirmed that it provides BitLocker recovery keys when served with a valid legal order for data stored on its servers.
Ilya Lichtenstein Seeks Cybersecurity Role After Bitfinex Hack Conviction
Ilya Lichtenstein, convicted in connection with the 2016 Bitfinex hack, has expressed a desire to transition into a cybersecurity career. Lichtenstein, who was recently released to home confinement after serving nearly four years in prison, stated on LinkedIn that he believes his experience as an adversary can be valuable in preventing future cybercrimes. He aims to leverage his unique perspective to enhance defensive security measures.
Anthropic Details “Assistant Axis” Governing LLM Behavior
AI company Anthropic has outlined the “Assistant Axis,” a pattern of neural activity that influences the default identity and helpfulness of large language models (LLMs). This axis is believed to form during post-training phases when models are instructed to act as assistants. Anthropic suggests monitoring and “activation capping” along this axis can stabilize model behavior and prevent harmful outputs by constraining neural activity to prevent deviation from the intended assistant persona.
China Attributes Thousands of Cyber Attacks to Taiwan
The Chinese government has reported investigating nearly 4,000 cyber attacks originating from Taiwan in 2025, a 25% increase year-over-year. These attacks allegedly targeted critical mainland sectors including transportation, finance, science, and energy with the intent of stealing classified information. Some operations were reportedly conducted by the Taiwanese military, according to Chinese authorities.
Romania Dismantles Murder-for-Hire Operation Website
Romanian authorities have dismantled an organized criminal group that operated a website facilitating murder-for-hire services. The group enabled anonymous users to pay for assassinations using cryptocurrencies and an escrow system. During investigations, authorities seized over $750,000 in digital assets and cash. This operation highlights the growing use of online platforms for illicit activities.
Ireland Proposes Legislation for Lawful Use of Spyware by Police
The Irish government is moving forward with legislative proposals to legalize the use of spyware by law enforcement agencies. The Minister for Justice, Home Affairs and Migration stated that the framework will include robust legal safeguards to ensure the powers are used necessarily and proportionately, addressing the need to combat serious crime and security threats in the digital age.
Microsoft Most Impersonated Brand in Q4 2025 Phishing Attacks
Microsoft emerged as the most frequently impersonated brand in phishing attacks during the fourth quarter of 2025, followed by brands such as Facebook, Roblox, and McAfee. Cybersecurity firm Guardio noted that scammers amplified brand impersonation campaigns during this period, exploiting consumer activity around shopping, subscriptions, and job searches by leveraging the trust associated with well-known brands to bypass skepticism.
Germany Expels Russian Diplomat Suspected of Espionage
Germany has expelled a Russian diplomat accused of espionage, further intensifying geopolitical tensions between the two nations. The German Foreign Office stated that espionage will not be tolerated in Germany, particularly under diplomatic cover. The expelled diplomat has been identified as Andrei Mayorov, Russia’s deputy military attaché, who is alleged to have handled a dual Ukrainian-German citizen arrested on suspicion of spying for Russia.
Legitimate Snap Publisher Domains Hijacked for Malware Delivery
Attackers are hijacking legitimate Canonical Snap Store publisher accounts by registering expired domains associated with them to trigger password reset processes. Once control is gained, these accounts are used to push malicious updates to established applications, deploying malware designed to steal cryptocurrency. This domain resurrection technique has impacted at least two Linux packages, indicating a sophisticated supply chain attack vector.
Iranian Hacktivist Group Handala Utilizing Starlink for Attacks
The Iranian hacktivist group Handala has been observed conducting cyber attacks using Starlink internet connections. According to Check Point, the group’s activity, which had ceased during nationwide internet blackouts in Iran, has resumed from Starlink IP ranges, targeting entities across the Middle East. This signifies an adaptation by the group to maintain operational capabilities.
Conclusion
This week’s cybersecurity updates collectively highlight a pervasive trend: risk is increasingly rooted in everyday tools and routine user decisions, with even minor vulnerabilities posing significant threats. The speed at which threats evolve means that delays in addressing security gaps can lead to substantial damage.
While the specific details of these threats will continue to shift, the underlying pressure on organizations to maintain robust cybersecurity postures will remain constant. Vigilance and prompt action are crucial in navigating this persistently challenging landscape.