Cyber OSINT Overview, Jan 5 - Jan 11, 2026
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics
- The workflow automation tool n8n is facing intense scrutiny following the disclosure of two maximum-severity vulnerabilities, CVE-2026-21858 and CVE-2026-21877. These flaws allow unauthenticated remote code execution and full server takeover, affecting approximately 100,000 servers globally. Defenders are urged to update to version 1.121.3 immediately, as proof-of-concept exploits are publicly available.
  - gov advisories.ncsc.nl: NCSC-2026-0002 [1.00] [M/H] Vulnerability fixed in n8n
  - gov cyber.gc.ca: n8n security advisory (AV26-004)
  - news cyberscoop.com: Researchers rush to warn defenders of max-severity defect in n8n
  - vendor arcticwolf.com: CVE-2026-21858: Critical Unauthenticated File Access Vulnerability in n8n “Ni8mare”
- The security of AI deployments has become a central concern, with researchers highlighting risks like ‘Shadow AI’ and prompt injection attacks. Threat actors are systematically mapping LLM endpoints and using malicious browser extensions to steal ChatGPT and DeepSeek session data. Organizations are struggling to balance the productivity gains of ‘vibe coding’ against the lack of inherent security controls in AI-generated code.
  - vendor socradar.io: Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats
  - vendor unit42.paloaltonetworks.com: Securing Vibe Coding Tools: Scaling Productivity Without Scaling Risk
  - vendor greynoise.io: Threat Actors Actively Targeting LLMs
  - vendor security.com: The Crisis of the Unknown: Shadow AI and Corporate Data Risk
- The React2Shell vulnerability (CVE-2025-55182) continues to see elevated opportunistic exploitation attempts, reaching daily volumes of up to 400,000 scans. Next.js servers and other React-based infrastructures are primary targets for botnet payloads and cryptomining. Vercel and major cloud providers have coordinated an industry-wide response, including million-dollar bug bounties to find WAF bypasses.
  - news cyberscoop.com: Inside Vercel’s sleep-deprived race to contain React2Shell
  - news darkreading.com: RondoDox Botnet Expands Scope With React2Shell Exploitation
  - vendor sysdig.com: Security briefing: December 2025
Critical Vulnerabilities
- CISA added a newly disclosed RCE flaw in HPE OneView (CVE-2025-37164) and a 16-year-old Microsoft PowerPoint flaw (CVE-2009-0556) to its KEV catalog. The HPE vulnerability carries a CVSS 10.0 score and allows unauthenticated attackers to gain large-scale control over data center infrastructure. The re-emergence of the 2009 PowerPoint bug suggests attackers are still finding success against legacy Office installations in enterprise environments.
  - gov cisa.gov: CISA Adds Two Known Exploited Vulnerabilities to Catalog
  - vendor malwarebytes.com: CISA warns of active attacks on HPE OneView and legacy PowerPoint
- The ‘MongoBleed’ vulnerability (CVE-2025-14847) allows unauthenticated remote attackers to leak sensitive data from MongoDB server memory. The flaw involves improper buffer handling during zlib decompression of network traffic. Proof-of-concept code was released in late December, and CISA has confirmed active exploitation in the wild.
  - news darkreading.com: Critical 'MongoBleed' Bug Under Attack, Patch Now
  - vendor fortiguard.fortinet.com: MongoBleed Unauthenticated Memory Leak
- Critical vulnerabilities were identified in industrial control systems, including Moxa Ethernet switches (CVE-2023-38408) and Hitachi Energy Asset Suite (CVE-2025-10492). The Hitachi flaw involves Java deserialization of untrusted data in the JasperReports component, enabling remote code execution. Security engineers are advised to isolate these devices from the public internet and restrict custom report loading.
  - gov cyber.gc.ca: [Control Systems] Moxa security advisory (AV26-013)
  - gov cisa.gov: Hitachi Energy Asset Suite
Major Incidents
- A major ‘doxxing kit’ involving 17.5 million Instagram user records was posted on BreachForums. Investigation reveals this is likely a repackaged version of a 2022 scrape rather than a new system breach. However, the data includes physical home addresses linked to digital IDs, which increases the risk of stalking and swatting.
  - news hackread.com: Instagram’s “17 Million User Data Leak” Was Just Scraped Records from 2022
  - personal securityaffairs.com: A massive breach exposed data of 17.5M Instagram users
- Brightspeed, a major US fiber provider, is investigating claims by the Crimson Collective that data for 1 million residential customers was stolen. The leaked data reportedly includes full PII, payment history, and latitude/longitude coordinates. The group also claims to have disconnected service for a large number of users, though service disruptions are not yet fully corroborated.
  - vendor malwarebytes.com: One million customers on alert as extortion group claims massive Brightspeed data haul
- The Romanian energy sector was targeted by the ‘Gentlemen’ ransomware group, hitting the Oltenia Energy Complex. While power generation remained stable, internal ERP systems, email, and websites were disrupted. Separately, the Romanian Water Authority faced a similar attack that knocked out over 1,000 servers and workstations.
  - gov ria.ee: Christmas peace did not reach cyberspace in December
  - vendor research.checkpoint.com: 5th January – Threat Intelligence Report
Emerging Threats
- Kimsuky, a North Korean APT, is using ‘Quishing’ (QR code phishing) to target foreign policy experts. The codes are embedded in HTML tables or images to bypass URL inspection and sandboxing. Once scanned, the codes move victims off managed corporate endpoints and onto personal mobile devices, where credentials for Microsoft 365 or Okta are harvested.
  - personal isc.sans.edu: A phishing campaign with QR codes rendered using an HTML table
  - personal securityaffairs.com: North Korea–linked APT Kimsuky behind quishing attacks, FBI warns
- Ransomware groups are evolving tactics to compensate for declining payment rates. New methods include ‘bundled’ DDoS-as-a-Service to increase pressure on victims and the recruitment of gig workers or English-speaking corporate insiders. Recorded Future predicts 2026 will be the first year in which non-Russian ransomware actors outnumber those based in Russia.
  - vendor blog.barracuda.com: Recent trends in initial access techniques: Vulnerability exploits top the list
  - vendor recordedfuture.com: New ransomware tactics to watch out for in 2026
- A new Chinese-linked malware campaign, ‘Ghost Tapped’, is targeting Android NFC capabilities. It exploits tap-to-pay schemes to remotely steal money from mobile wallets and bank cards. Additionally, the ‘Kimwolf’ botnet has rapidly compromised over two million unofficial Android TV streaming boxes to facilitate DDoS attacks and residential proxy services.
  - personal krebsonsecurity.com: Who Benefited from the Aisuru and Kimwolf Botnets?
  - vendor group-ib.com: Ghost Tapped: Tracking the Rise of Chinese Tap-to-pay Android Malware
Regulatory and Policy Updates
- The Trump administration has withdrawn the United States from 66 international organizations, including the Global Forum on Cyber Expertise and the Online Freedom Coalition. Officials cited ‘redundant scope’ and ‘mismanagement’ as reasons for the pullback. Experts warn this could create a leadership vacuum in international network security coordination.
  - news cyberscoop.com: Trump pulls US out of international cyber orgs
  - news politico.com: Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes
- The EU Council sanctioned 12 individuals and two entities over Russian hybrid threats, including members of GRU Unit 29155. These actors were linked to cyberattacks targeting EU member states, NATO allies, and Ukraine. Concurrently, the EU fined X (Twitter) 120 million euros for Digital Services Act violations related to paid verification and ad transparency.
  - gov cert.europa.eu: Cyber Brief 26-01 - December 2025
- Disney agreed to a $10 million settlement with the FTC for mislabeling child-focused YouTube videos, which allowed unlawful data collection under COPPA. The agreement requires Disney to implement stricter age-verification and notice policies. This follows similar regulatory actions against YouTube and mobile app developers for mishandling children’s data.
  - vendor malwarebytes.com: Disney fined $10m for mislabeling kids’ YouTube videos and violating privacy law
Security Operations
- Maturity in Threat Intelligence programs is shifting from data volume toward automation and high-fidelity indicators. Mature teams are integrating AI to synthesize context across silos, turning intelligence into strategic business value for executives. This approach focuses on reducing alert fatigue and moving toward ‘proactive’ hunting rather than reactive firefighting.
  - vendor elastic.co: From Hypothesis to Action: Proactive Threat Hunting with Elastic Security
  - vendor recordedfuture.com: Practitioners Reveal What Makes Threat Intelligence Programs Mature
- Consolidation of security agents is becoming a priority for enterprise resilience. Single-agent architectures that unify Endpoint Security and Secure Web Gateway (SWG) are being adopted to eliminate policy gaps and reduce overhead. Vendors like Symantec and CrowdStrike are positioning these platforms to secure complex environments including AI agents and machine identities.
  - news cyberscoop.com: CrowdStrike to buy identity startup SGNL for nearly $740M
  - vendor security.com: All the Single Agents
- Security researchers have released ‘Tailsnitch,’ a new open-source tool for auditing Tailscale configurations. The tool identifies common misconfigurations such as non-expiring keys, missing ACL tests, and outdated software versions. It aims to help administrators harden WireGuard-based overlay networks against unintentional exposure.
  - community reddit.com: tailsnitch: A security auditor and configuration checklist for Tailscale configurations
  - personal isc.sans.edu: Tool Review: Tailsnitch
Wins
- International authorities arrested 34 members of the West African ‘Black Axe’ crime ring in Spain. The coordinated operation with Europol and German police froze over 119,000 euros in bank accounts. The group was responsible for an estimated 6 million euros in losses through romance scams and Business Email Compromise (BEC).
  - news hackread.com: Europol Raids Disrupt Black Axe Cybercrime Ring in Spain
- Bryan Fleming, the founder of stalkerware maker pcTattletale, pleaded guilty to computer hacking and unlawfully selling spyware. This marks the second federal stalkerware prosecution in a decade. Amazon had previously disabled the company’s AWS infrastructure after researchers discovered a vulnerability that leaked victim screenshots.
  - vendor malwarebytes.com: pcTattletale founder pleads guilty as US cracks down on stalkerware
- Two US citizens pleaded guilty to acting as affiliates for the ALPHV/BlackCat ransomware group. Both individuals were previously employed by prominent security firms, highlighting the rising risk of skilled insiders in the ransomware ecosystem. Law enforcement cited this as a key success in disrupting the financial motivations of RaaS affiliates.
  - news darkreading.com: US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
Disclaimer
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.