QuantumLeap Ransomware Halts Global Logistics; Critical Zero-Days in NexusFlow and Mobile OSes Actively Exploited

QuantumLeap Ransomware Hits Logistics Giant NaviGistics, Disrupting Global Supply Chain with $50 Million Demand

The global logistics firm NaviGistics has suffered a catastrophic cyberattack from a new ransomware strain dubbed 'QuantumLeap'. The attack, orchestrated by a group calling itself 'Entropy Collective', has encrypted critical systems and brought the company's worldwide shipping and freight operations to a standstill. The threat actors gained initial access via a compromised VPN account lacking multi-factor authentication, demonstrating a sophisticated lateral movement campaign before deploying the payload. The group is demanding a $50 million ransom and has threatened to leak over 2 terabytes of exfiltrated data, including sensitive customer and financial records. This incident highlights the extreme vulnerability of the global supply chain to targeted cyber-extortion and the devastating operational and financial impact of modern ransomware attacks.

ransomwaredouble extortionsupply chainlogisticscyber extortion +1 more

Ransomware

Data Breach

Urgent Patch Required: Critical RCE Zero-Day (CVE-2026-12345) in NexusFlow API Gateway Under Active Attack

CRITICAL

Actively Exploited RCE Zero-Day in NexusFlow API Gateway (CVE-2026-12345) Allows Full Server Takeover

A critical pre-authentication remote code execution (RCE) zero-day vulnerability, CVE-2026-12345, is being actively exploited in the wild against the popular NexusFlow API Gateway. The flaw, which carries the maximum CVSS score of 10.0, allows unauthenticated attackers to gain complete control of vulnerable servers by sending a single, specially crafted HTTP request. Security firm Horizon Security Labs discovered the exploitation during a breach investigation. The vulnerability is wormable, creating a risk of rapid, widespread compromise. NexusFlow's parent company, Voltara, has released an emergency patch (version 3.8.1) and is urging all customers to update immediately. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 9, 2026.

zero-dayRCEAPI securitybuffer overflowCISA KEV +2 more

Urgent Patch Required: Critical RCE Zero-Day (CVE-2026-12345) in NexusFlow API Gateway Under Active Attack

Vulnerability

Medusa Ransomware Exploits Cybersecurity Gaps, Escalating Attacks Across Africa

Ransomware Gangs like Medusa Thrive in Africa's Cybersecurity Vacuum, Employing Double Extortion Tactics

Ransomware attacks are a pervasive and highly damaging threat across the African continent, where a significant cybersecurity skills and resources gap creates a fertile ground for cybercriminals. Notorious ransomware groups, including Medusa, are increasingly targeting organizations in the region, leveraging double extortion tactics to maximize pressure on their victims. These attacks involve not only encrypting critical data but also stealing it and threatening public release if the ransom is not paid. Key sectors such as healthcare, finance, and critical infrastructure are prime targets. According to reports, a high percentage of African organizations hit by ransomware end up paying the ransom, perpetuating the cycle of attacks. The situation underscores an urgent need for increased investment in cybersecurity infrastructure, skills development, and awareness across the continent.

ransomwareMedusaAfricacybersecurity gapdouble extortion +1 more

5 min read

Ransomware

Nation-State Actor 'SteelHydra' (APT47) Deploys 'GeoShifter' ICS Malware to Spy on Geothermal Energy Firms

SteelHydra (APT47) Targets Geothermal Energy Sector in North America and Iceland with Novel 'GeoShifter' ICS Malware

The nation-state threat actor 'SteelHydra' (also tracked as APT47) is behind a sophisticated cyber-espionage campaign targeting the geothermal energy sector. According to research from Mandiant, the campaign has impacted firms in the United States, Canada, and Iceland. The attackers are using a novel, custom-built malware framework called 'GeoShifter', which is specifically designed to operate in Industrial Control System (ICS) environments and interface with SCADA/PLC systems from vendors like Siemens and Schneider Electric. The initial infection vector is a spear-phishing campaign that deploys a backdoor named 'PipeDreamer'. The ultimate goal of the campaign appears to be the theft of intellectual property and operational data related to geothermal technology, which could be used for economic advantage or to plan future disruptive attacks.

APTnation-stateICSSCADAcyber espionage +2 more

7 min read

Nation-State Actor 'SteelHydra' (APT47) Deploys 'GeoShifter' ICS Malware to Spy on Geothermal Energy Firms

Industrial Control Systems

Apple & Google Issue Emergency Patches for 'GhostTouch' Zero-Click RCE Flaw (CVE-2026-23456)

CRITICAL

Billions of Devices at Risk: Apple and Google Release Out-of-Band Patches for Actively Exploited 'GhostTouch' Zero-Click Vulnerability

Apple and Google have released coordinated, emergency security updates to fix a critical zero-click remote code execution (RCE) vulnerability, dubbed 'GhostTouch' and tracked as CVE-2026-23456. The flaw exists in a core open-source graphics rendering library used by both iOS and Android, affecting billions of smartphones and tablets worldwide. The vulnerability can be exploited by sending a victim a specially crafted image file via messaging apps or email, requiring no user interaction to achieve code execution. Researchers at The Citizen Lab discovered the flaw being actively used by a commercial surveillance vendor to deploy spyware against high-risk individuals. CISA has added the CVE to its KEV catalog, and all users are urged to update to iOS 19.2.1, iPadOS 19.2.1, or the latest Android security patch immediately.

zero-clickRCEvulnerabilityiOSAndroid +3 more

Apple & Google Issue Emergency Patches for 'GhostTouch' Zero-Click RCE Flaw (CVE-2026-23456)

Vulnerability

Mobile Security

'SilentVoice' Phishing Campaign Weaponizes AI Deepfake Audio to Bypass MFA

Sophisticated 'SilentVoice' Phishing Campaign Uses AI-Generated Deepfake Audio to Trick Employees into Approving Malicious Logins

A sophisticated social engineering campaign named 'SilentVoice' is successfully bypassing multi-factor authentication (MFA) by using AI-generated deepfake audio of corporate executives. According to researchers at Proofpoint, attackers clone an executive's voice from public audio samples and then use it in a vishing (voice phishing) call to a subordinate employee. The deepfake voice creates a sense of urgency, tricking the employee into entering their credentials on a fake site and then approving the subsequent MFA push notification sent to their device. This highly convincing technique circumvents the protection offered by many common MFA methods, leading to full account takeover. The campaign has already resulted in successful breaches and financial fraud, highlighting the emerging threat of AI-weaponized social engineering.

phishingvishingdeepfakeAIsocial engineering +2 more

Phishing

NPM Package 'js-utility-kit' Hijacked in Supply Chain Attack to Steal Crypto Keys and Credentials

Popular NPM Package 'js-utility-kit' with 5M+ Weekly Downloads Compromised to Distribute Info-Stealing Malware

A significant software supply chain attack has compromised the popular NPM package 'js-utility-kit', which is downloaded over 5 million times per week. Security firm Snyk discovered that malicious versions (2.1.8, 2.1.9, and 2.2.1) were published after the maintainer's account was hijacked via a credential stuffing attack. The compromised packages contained a post-install script that downloaded and executed a sophisticated information stealer. The malware was designed to steal cryptocurrency private keys, browser extension data for crypto wallets, and sensitive credentials such as environment variables and cloud provider CLI configurations from developers' machines and CI/CD pipelines. The NPM security team has removed the malicious versions, but any project that installed them between January 24 and 26 is considered compromised and requires immediate auditing and credential rotation.

supply chain attackNPMinfostealermalwarecryptocurrency +2 more

Supply Chain Attack

Malware

Data Breach

Fintech Startup VoltPay Leaks 5 Million Customer Records via Misconfigured Cloud Database

VoltPay Data Breach: Misconfigured Elasticsearch Database Exposes PII and Financial Data of 5 Million Users

The financial technology startup VoltPay has confirmed a massive data breach affecting approximately 5 million users. The leak was caused by a misconfigured Elasticsearch database that was left publicly accessible on the internet without a password for over three months. A security researcher discovered and reported the exposure. The leaked data includes highly sensitive information: full names, email addresses, phone numbers, physical addresses, dates of birth, hashed passwords, and full transaction histories. The last four digits of credit card and bank account numbers were also exposed. This incident, attributed to 'human error during a server migration', places millions of users at significant risk of identity theft and targeted phishing attacks, and has reportedly triggered investigations by U.S. and European regulators.

data breachcloud securitymisconfigurationElasticsearchfintech +3 more

Fintech Startup VoltPay Leaks 5 Million Customer Records via Misconfigured Cloud Database

Data Breach

Cloud Security

Regulatory

International Operation 'Echidna' Dismantles 'Crimson Market' Dark Web Hub, 50+ Arrested

INFORMATIONAL

'Crimson Market' Dark Web Hub Seized in Global 'Echidna' Law Enforcement Operation

A coordinated international law enforcement action, codenamed 'Operation Echidna', has successfully dismantled 'Crimson Market', one of the largest dark web marketplaces for cybercrime tools and stolen data. The operation, involving the FBI, Europol, and the UK's NCA, resulted in the seizure of the market's server infrastructure and the arrest of over 50 individuals worldwide, including its alleged administrator. Crimson Market was a key hub for selling billions of stolen credentials, malware-as-a-service (including ransomware and info-stealers), and phishing kits. The 18-month investigation involved undercover operations to trace cryptocurrency transactions. The takedown represents a major disruption to the cybercrime economy, and data from the seized servers is expected to lead to further arrests.

dark webtakedownlaw enforcementcybercrimeEuropol +1 more

4 min read

International Operation 'Echidna' Dismantles 'Crimson Market' Dark Web Hub, 50+ Arrested

Threat Intelligence

Policy and Compliance

Volt Typhoon Linked to Breach at U.S. Water Utility, Exfiltrating Operational Documents

Chinese State-Sponsored Actor Volt Typhoon Breaches U.S. Water Utility via Edge Device Vulnerability

The Chinese state-sponsored group Volt Typhoon has been attributed to a data breach at the Park County Water District in Colorado. According to a joint advisory from CISA, the FBI, and the NSA, the hackers exploited a known vulnerability in an internet-facing network appliance to gain initial access. Consistent with their known TTPs, Volt Typhoon then used 'living off the land' techniques, leveraging built-in network administration tools to blend in and evade detection. The attackers moved laterally within the IT network and exfiltrated sensitive operational documents, including engineering schematics and maintenance schedules. While officials stated that the operational technology (OT) network and water supply were not affected, the incident highlights the group's continued focus on reconnaissance against U.S. critical infrastructure.

Volt TyphoonAPTnation-statecritical infrastructureliving off the land +2 more

Volt Typhoon Linked to Breach at U.S. Water Utility, Exfiltrating Operational Documents

Industrial Control Systems

Researchers Detail 'ChronoStealer', a New Modular Info-Stealing Malware-as-a-Service

MEDIUM

Check Point Research Uncovers 'ChronoStealer', a Modular Malware-as-a-Service Lowering the Bar for Cybercrime

Security researchers at Check Point have published a deep-dive analysis of 'ChronoStealer', a new and highly modular information-stealing malware sold on a subscription basis in underground forums. This Malware-as-a-Service (MaaS) model allows low-skilled criminals to rent the sophisticated tool and its infrastructure for as little as $200 per month. ChronoStealer's core function is to steal credentials from over 50 web browsers and other applications. Its capabilities can be expanded with add-on modules for stealing cryptocurrency wallets, logging keystrokes, and capturing session cookies. The malware uses the Telegram API for C2 communications to better blend in with legitimate traffic. The rise of such user-friendly, powerful MaaS platforms represents a significant force multiplier for the cybercrime ecosystem.