Critical RCEs in n8n, Microsoft Warns of Phishing Surge, and Lapsus$ Group Resurfaces

Threat Actor 'Zestix' Breaches 50 Global Companies by Exploiting Stolen Credentials on Cloud Portals Lacking MFA

A threat actor identified as 'Zestix' (or 'Sentap') has successfully compromised approximately 50 global enterprises by simply logging into their corporate file-sharing portals with valid credentials. According to research from Hudson Rock, the attacks were not sophisticated zero-day exploits but a direct result of a fundamental security failure: the absence of multi-factor authentication (MFA). The actor acquired credentials harvested by infostealer malware like RedLine and Lumma from infected employee devices. They then used these credentials to access sensitive data stored on platforms such as Progress ShareFile, Nextcloud, and OwnCloud. High-profile victims include Iberia Airlines and Sekisui House, highlighting a 'global epidemic of cloud exposure' and the critical, non-negotiable need for MFA across all enterprise applications.

ZestixData BreachMFACredential StuffingInfostealer +5 more

No MFA, No Problem: "Zestix" Actor Breaches 50 Firms Using Stolen Credentials

Data Breach

Threat Actor

Cloud Security

Ni8mare: Critical Unauthenticated RCE Flaw (CVSS 10.0) Hits n8n Automation Platform

CRITICAL

Critical RCE Vulnerability 'Ni8mare' (CVE-2026-21858) in n8n Allows Full Server Takeover Without Authentication

A critical, unauthenticated remote code execution (RCE) vulnerability, codenamed 'Ni8mare' and tracked as CVE-2026-21858, has been disclosed in the popular n8n workflow automation platform. The flaw, which carries the maximum possible CVSS score of 10.0, allows a remote attacker to gain complete control over a vulnerable, self-hosted n8n instance without any credentials. Discovered by Cyera Research Labs, the vulnerability stems from a Content-Type confusion issue where a file-handling function can be improperly invoked. A successful exploit could lead to the theft of sensitive credentials stored in workflows, full server compromise, and lateral movement into connected corporate systems. All self-hosted n8n versions prior to 1.121.0 are affected, and administrators are urged to patch immediately as proof-of-concept details are now public.

n8nCVE-2026-21858RCEVulnerabilityCVSS 10 +3 more

Ni8mare: Critical Unauthenticated RCE Flaw (CVSS 10.0) Hits n8n Automation Platform

TridentLocker Ransomware Strikes Claims Giant Sedgwick in Breach-then-Encrypt Attack

Sedgwick Becomes Latest Victim of TridentLocker Ransomware, Highlighting Modern Data Exfiltration and Extortion Tactics

Global claims management leader Sedgwick has reportedly been targeted by the TridentLocker ransomware group. The attack follows the increasingly common 'breach-then-encrypt' model, where threat actors first exfiltrate sensitive data before deploying ransomware to encrypt systems. TridentLocker claims to have stolen data from systems supporting Sedgwick's government services operations, a move designed to maximize pressure for a ransom payment. This incident underscores the evolution of ransomware from a simple availability attack to a complex data breach and extortion scheme. For service providers like Sedgwick, which manage vast amounts of third-party regulated data, such an attack poses significant operational, financial, and reputational risks.

RansomwareTridentLockerSedgwickData BreachDouble Extortion +2 more

Ransomware

Data Breach

CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog

CRITICAL

CISA Mandates Patching for Two New, Undisclosed Vulnerabilities Added to Known Exploited Vulnerabilities (KEV) Catalog

On January 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The specific details of the flaws have not been disclosed, but their inclusion confirms they are under active exploitation by malicious actors. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now required to identify and remediate these vulnerabilities by a specified deadline. CISA strongly urges all public and private sector organizations to review the KEV catalog and prioritize patching these vulnerabilities to defend against active threats.

CISAKEVVulnerabilityPatch ManagementZero-Day +2 more

CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog

Patch Management

Regulatory

Second CVSS 10.0 RCE Hits n8n, Allows Authenticated Takeover

CRITICAL

Authenticated RCE Flaw (CVE-2026-21877) with CVSS 10.0 Score Disclosed in n8n Automation Platform

A second maximum-severity vulnerability, CVE-2026-21877, has been disclosed in the n8n workflow automation platform, also rated CVSS 10.0. Unlike the recently revealed unauthenticated flaw, this vulnerability requires an attacker to be an authenticated user. A low-privileged user can exploit the flaw to achieve remote code execution (RCE), leading to a full takeover of the n8n instance. This could allow an attacker to steal credentials, disrupt workflows, and pivot into connected internal systems. The vulnerability affects both self-hosted and cloud versions of n8n. A patch was released in version 1.121.3 in November 2025, but organizations running older versions remain at high risk. This string of critical flaws puts immense pressure on n8n administrators to patch and secure their instances.

n8nCVE-2026-21877RCEVulnerabilityCVSS 10 +3 more

Second CVSS 10.0 RCE Hits n8n, Allows Authenticated Takeover

Cloud Security

NIST Releases Draft Cybersecurity Framework Profile for AI

INFORMATIONAL

NIST Publishes Draft CSF Profile for AI to Help Manage Unique Cybersecurity Risks of Artificial Intelligence Systems

The U.S. National Institute of Standards and Technology (NIST) has released a preliminary draft of a Cybersecurity Framework (CSF) Profile for Artificial Intelligence. This new guidance, intended to be used with CSF 2.0 and the AI Risk Management Framework (AI RMF), aims to help organizations manage the unique cybersecurity risks associated with developing, deploying, and using AI. The draft profile is structured around three focus areas: 'Secure,' 'Defend/Thwart,' and 'Respond,' providing guidance on topics like AI agent identity, preventing arbitrary code execution by AI, and responding to AI-related security incidents. NIST is seeking public comment on the draft until January 30, 2026.

NISTAIArtificial IntelligenceCybersecurity FrameworkCSF +3 more

Policy and Compliance

Regulatory

ownCloud Urges Users to Enable MFA as Credential Stuffing Attacks Surge

MEDIUM

ownCloud Issues Security Advisory, Strongly Recommending MFA to Counter Attacks Using Stolen Credentials

In a proactive security move, the developers of the ownCloud file-sharing platform have issued a warning to all users, strongly advising them to enable multi-factor authentication (MFA). The advisory, released on January 7, 2026, is a direct response to recent reports of the 'Zestix' threat actor successfully breaching dozens of organizations by using credentials stolen by infostealer malware on cloud portals without MFA. While ownCloud was not named as a victim in that specific campaign, it is a known target for such attacks. The company is emphasizing that strong passwords alone are insufficient and that MFA is an indispensable layer of defense against credential stuffing and password reuse attacks.

ownCloudMFACredential StuffingSecurity AdvisoryInfostealer +1 more

ownCloud Urges Users to Enable MFA as Credential Stuffing Attacks Surge

Security Operations

Cloud Security

Data Breach

Qualcomm Issues January Security Bulletin Addressing Multiple Vulnerabilities

Qualcomm Releases January 2026 Security Bulletin for Multiple Chipsets and Products

Qualcomm has published its January 2026 security bulletin, addressing multiple vulnerabilities of varying severities across a wide range of its products. The bulletin was highlighted by an advisory from the Canadian Centre for Cyber Security on January 7, 2026. Given the ubiquitous nature of Qualcomm chipsets in mobile phones, IoT devices, and automotive systems, these vulnerabilities could have a widespread impact. The specific CVEs and affected products are detailed in the bulletin itself. Users and administrators are urged to review the bulletin and apply necessary firmware or software updates from their device manufacturers as they become available to mitigate potential risks.

QualcommVulnerabilityPatch ManagementSecurity BulletinAndroid +2 more

Qualcomm Issues January Security Bulletin Addressing Multiple Vulnerabilities

Patch Management

Mobile Security

Lapsus$ Hacking Group Is Back with Evolved Extortion Tactics

Resurgent Lapsus$ Group Reportedly Reforms, Integrating New Techniques and Focusing on Identity-Based Extortion

The notorious Lapsus$ extortion group, known for its high-profile breaches of major tech companies, has reportedly resurfaced. According to a threat intelligence report from January 7, 2026, remnants of the group have reformed and evolved, integrating tactics from other cybercriminal operations. The new iteration of Lapsus$ is said to be shifting its focus towards more nuanced identity-based extortion schemes, moving beyond simple data theft. This evolution suggests a more complex and harder-to-detect threat, leveraging compromised identities for persistent and subtle attacks. Security teams are warned to be on high alert for sophisticated social engineering and extortion attempts targeting employee identities.

Lapsus$Threat ActorExtortionData BreachIdentity +2 more

Lapsus$ Hacking Group Is Back with Evolved Extortion Tactics

Threat Actor