CISA Warns of Actively Exploited Flaws; North Korean Hackers Target Developers; Ransomware Hits Apple Supplier

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Sets February Patch Deadline

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws affect a diverse range of products, including Synacor Zimbra Collaboration Suite (CVE-2025-68645), the Vite frontend framework (CVE-2025-31125), Versa Concerto SD-WAN (CVE-2025-34026), and the 'eslint-config-prettier' NPM package (CVE-2025-54313). Due to evidence of ongoing exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations by February 12, 2026. CISA strongly urges all organizations to prioritize remediation to defend against these immediate threats.

KEVBOD 22-01Federal AgenciesLFIAuthentication Bypass +2 more

5 min read

CISA Mandates Patching for Four Actively Exploited Flaws in Zimbra, Vite, and More

Vulnerability

Patch Management

Supply Chain Attack

North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

North Korea's 'Contagious Interview' Campaign Weaponizes Malicious VS Code Projects on GitHub

State-sponsored threat actors from North Korea, including the Lazarus Group, are targeting software developers in a sophisticated campaign dubbed 'Contagious Interview.' According to Jamf Threat Labs, the attackers use fake job offers to entice developers, particularly in the crypto and fintech sectors, into cloning malicious repositories from GitHub and GitLab. The attack abuses a feature in Microsoft's Visual Studio Code (VS Code), where trusting a repository can automatically execute a hidden `tasks.json` file. This triggers a backdoor on macOS systems, establishing persistence, collecting system data, and opening a C2 channel for remote code execution.

Social EngineeringmacOSVS CodeDeveloper TargetingCryptocurrency +1 more

North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

Supply Chain Attack

Phishing

PcComponentes Denies Data Breach, Blames Credential Stuffing for Account Takeovers

MEDIUM

Spanish Retailer PcComponentes Refutes Breach Claims, Confirms Large-Scale Credential Stuffing Attack

Spanish electronics retailer PcComponentes has denied claims of a massive data breach affecting 16 million customers, stating its internal systems were not compromised. The announcement came after a threat actor, 'daghetiaw,' attempted to sell a large customer database on a hacking forum. The company's investigation concluded the incident was a large-scale credential stuffing attack, where attackers used credentials stolen from other breaches to access user accounts. While denying the breach, PcComponentes confirmed that customer data such as names, addresses, and phone numbers were exposed for accounts with reused passwords. In response, the company has mandated two-factor authentication (2FA) for all users and invalidated all active sessions.

Credential StuffingAccount Takeover2FAPassword ReuseE-commerce

5 min read

Data Breach

Phishing

Cyberattack

New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

Osiris Ransomware Emerges with Advanced TTPs, Including Custom-Signed Driver for Defense Evasion

A new ransomware strain named Osiris is demonstrating a high level of sophistication by combining tactics from established ransomware groups like Medusa and Inc. The attackers use Rclone for data exfiltration to Wasabi cloud storage and deploy a version of Mimikatz named `kaz.exe`, both TTPs linked to the Inc group. More significantly, Osiris uses a custom-developed and signed malicious driver, 'Abyssworker' (aka Poortry), in a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack to terminate security software. This driver and its loader, 'Stonestop,' have been previously associated with the Medusa ransomware gang. The use of these advanced, borrowed TTPs suggests Osiris is operated by experienced actors, possibly former affiliates of other groups.

RansomwareBYOVDKernel DriverDefense EvasionDouble Extortion +2 more

Malware

INC Ransomware OPSEC Fail: Reused Infrastructure Leads to Data Recovery for 12 U.S. Victims

MEDIUM

INC Ransomware's Poor Operational Security Allows Security Firm to Recover Data for 12 U.S. Companies

A significant operational security (OPSEC) failure by the INC ransomware group has allowed cybersecurity firm Cyber Centaurs to recover stolen data for twelve U.S. organizations. The discovery was made after analyzing an attack involving the RainINC ransomware variant. Researchers found artifacts from the open-source backup tool, Restic, including hardcoded S3 access keys and passwords. By pivoting to this attacker-controlled infrastructure, Cyber Centaurs found that the gang had been reusing the same cloud storage repositories across multiple attacks, leaving the encrypted data of a dozen unrelated victims accessible. This rare win for defenders highlights how even sophisticated groups can make critical mistakes.

OPSECResticData RecoveryIncident ResponseForensics +1 more

5 min read

Incident Response

Anubis RaaS Ups the Ante with Destructive 'Wipe Mode' to Maximize Extortion

New Anubis Ransomware-as-a-Service Includes Optional 'Wipe Mode' for Permanent Data Destruction

A new Ransomware-as-a-Service (RaaS) operation named Anubis is gaining attention for its destructive capabilities. Evolving from a prototype called 'Sphinx,' Anubis offers its affiliates a dual-execution model. In addition to standard encryption, the malware can be run with a `/WIPEMODE` parameter that irreversibly overwrites and destroys victim files, rendering them unrecoverable. This tactic fundamentally changes the extortion negotiation, as paying a ransom cannot restore the data. It indicates a strategy where attackers rely solely on the threat of leaking exfiltrated data for payment, using permanent data destruction as additional leverage. The group is targeting organizations opportunistically across the globe.

RaaSWiper MalwareData DestructionExtortionDouble Extortion

Anubis RaaS Ups the Ante with Destructive 'Wipe Mode' to Maximize Extortion

Malware

Updated Articles (3)

New Zealand's 'Manage My Health' Portal Breached; Data of 120,000 Patients Held for Ransom

Updated: January 23, 2026

Manage My Health Patient Portal in New Zealand Suffers Data Breach, Attacker Demands Ransom for 126,000 Users' Data

Update:

Following the late 2025 data breach, Manage My Health is now alerting over 120,000 affected patients to active secondary attacks. Malicious actors are launching sophisticated phishing and spam campaigns, impersonating Manage My Health to exploit the previously stolen sensitive medical information. These highly convincing lures aim to trick victims into revealing further personal or financial details, or to deploy malware. This development significantly increases the immediate threat and potential harm to individuals whose data was compromised, moving beyond the initial data theft to active exploitation. New Zealand's Privacy Commissioner has launched an official inquiry into the incident.

January 13, 2026

4 min read

HealthcarePatient DataPHIRansomwareNew Zealand

New Zealand's 'Manage My Health' Portal Breached; Data of 120,000 Patients Held for Ransom

Data Breach

Cyberattack

China-Linked APT 'UAT-8837' Targets North American Critical Infrastructure

Updated: January 23, 2026

Cisco Talos Uncovers Chinese APT Group UAT-8837 Actively Targeting Critical Infrastructure in North America

Update:

New analysis reveals CVE-2025-53690 is a critical ViewState deserialization vulnerability with a CVSS score of 9.0, allowing remote code execution, and has been added to CISA's KEV catalog. Beyond Earthworm, UAT-8837 now uses Sharphound for Active Directory reconnaissance, Certipy for certificate abuse, and deploys the WeepSteel backdoor. A significant development is the observation of attackers exfiltrating victims' proprietary DLLs, raising concerns about future supply chain attacks. Mitigation now explicitly includes rotating ASP.NET machine keys.

January 16, 2026

APTUAT-8837ChinaCisco TalosCritical Infrastructure +2 more

China-Linked APT 'UAT-8837' Targets North American Critical Infrastructure

Industrial Control Systems

Cyberattack

Oracle's January 2026 Patch Update Fixes 337 Flaws, Including Critical Remote Exploits