The Hacker News

🇨🇳 A China-linked threat actor has targeted North American critical infrastructure. Tracked as UAT-8837, the group seeks initial access to high-value networks, then maps Active Directory and steals credentials using mostly open-source tools. Talos says a Sitecore zero-day was recently exploited to gain entry. 🔗 Read → https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html

🚨 Cisco fixed a CVSS 10.0 RCE in AsyncOS after it was exploited as a zero-day by the China-nexus APT UAT-9686. The flaw enables root-level command execution through the Spam Quarantine feature when it is exposed to the internet. 🔗 Read details → https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html

🔐⚙️ AWS fixed a CI misconfiguration in some AWS-managed GitHub repos, including the AWS JavaScript SDK. The flaw, CodeBreach, involved broken webhook regex filters that could let untrusted users trigger privileged builds and expose admin tokens. 🔗 Read here → https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html

🧠🔐 AI security isn’t a model problem. It’s a workflow problem. As AI connects apps, data, and actions, attackers target context—inputs, outputs, extensions, and permissions—not algorithms 🔗 Why AI workflow control now defines real security → https://thehackernews.com/2026/01/model-security-is-wrong-frame-real-risk.html

🚨 A WordPress plugin with 40,000+ active installs is being actively exploited. CVE-2026-23550 (CVSS 10.0) in Modular DS allows unauthenticated attackers to gain admin access by bypassing authentication through a flawed routing mechanism. 🔗 Details → https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html

⚠️ Researchers disclosed a one-click Copilot attack that enables silent data exfiltration. A legitimate Copilot URL injects hidden instructions, bypasses safeguards, and can keep exfiltrating data even after the chat is closed. 🔗 Learn more → https://thehackernews.com/2026/01/researchers-reveal-reprompt-attack.html

🚨 This week’s ThreatsDay Bulletin! Hackers are hiding in everyday systems — cloning voices, faking invoices, breaking controllers, and stealing $26M in crypto. Each story shows how attacks now look normal until it’s too late. 🔗 Full report: https://thehackernews.com/2026/01/threatsday-bulletin-ai-voice-cloning.html

🚨 50 CISOs surveyed. 1 clear AI priority for 2026. As AI agents access source code, cloud infrastructure & customer data, security leaders are making tough budget decisions. New survey data reveals: ✓ The #1 AI risk driving 2026 budgets ✓ Where current AI security falls short ✓ Which controls get funded first ✓ Budget allocation figures Beyond Identity is sharing the complete findings in their next webinar: 📅 Tuesday, Jan 27 | 12pm ET 🔗Register here: https://thn.news/ciso-ai-insights

🛑 Palo Alto Networks patched a high-severity DoS flaw in GlobalProtect. CVE-2026-0227 (CVSS 7.7) lets unauthenticated attackers repeatedly crash firewalls into maintenance mode. 🛡️ PoC exists; no active exploitation seen. 🔗 Read → https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html

🛑 Microsoft says it disrupted RedVDS, a crimeware-as-a-service platform tied to phishing and financial fraud. For $24/month, criminals rented disposable, no-log Windows RDP servers to run scams at scale. Microsoft links RedVDS activity to ~$40M in reported U.S. fraud losses since March 2025. 🔗 Details here → https://thehackernews.com/2026/01/microsoft-legal-action-disrupts-redvds.html

⏱️🔍 Many SOCs in 2026 still rely on manual malware review, which slows investigations as alert volumes rise. Automation-first workflows reduce tool switching and manual correlation, shifting analyst time toward response. In enterprise SOCs using automated sandboxing, MTTR dropped by ~21 minutes per incident. 🔗 Learn how automation reduces response friction → https://thehackernews.com/2026/01/4-outdated-habits-destroying-your-socs.html

🚨 Researchers null-routed traffic to 550+ AISURU/Kimwolf C2 nodes since early Oct 2025. Kimwolf has compromised 2M+ Android devices—mostly unsanctioned TV boxes via exposed ADB—and resold them as residential proxies. 🔗 Learn more → https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html