Daily Digest

Microsoft and Fortinet Race to Patch Actively Exploited Zero-Days as ShinyHunters Claims Massive Match Group Breach

Microsoft and Fortinet Race to Patch Actively Exploited Zero-Days as ShinyHunters Claims Massive Match Group Breach

January 28, 2026
10 articles (7 new, 3 updated)
30 min read

Summary

This 24-hour period saw urgent, out-of-band patches from major vendors to combat actively exploited zero-day vulnerabilities. Microsoft issued an emergency fix for a critical Office security bypass (CVE-2026-21509), while Fortinet scrambled to address a critical SSO authentication bypass (CVE-2026-24858), both of which were added to CISA's KEV catalog. In the data breach landscape, the ShinyHunters group claimed a massive breach of Match Group, allegedly compromising 10 million user records from Hinge and OkCupid. Additionally, SolarWinds disclosed five critical RCE and auth bypass flaws in its Web Help Desk, and the Illinois Department of Human Services confirmed a breach affecting 700,000 individuals.

Filter by Category

New Articles (7)

SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk

CRITICAL

SolarWinds Reveals Multiple Critical Vulnerabilities in Web Help Desk Platform, Including RCE and Auth Bypass

SolarWinds has disclosed a set of five critical vulnerabilities in its Web Help Desk (WHD) platform, a tool used by over 300,000 organizations. The flaws include two unauthenticated remote code execution (RCE) vulnerabilities and two authentication bypasses, each with a CVSS score of 9.8. This incident highlights a troubling pattern of recurring patch failures, as one of the new flaws, CVE-2025-40553, is the second bypass of an original deserialization vulnerability (CVE-2024-28986) first patched in 2024. Given the critical nature of the flaws, organizations with internet-facing WHD instances are at extreme risk and must patch immediately.

January 28, 2026
5 min read
SolarWindsWeb Help DeskRCEauthentication bypassCVE-2025-40553 +2 more
SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk
Vulnerability
Patch Management
Cyberattack

ShinyHunters Claims Breach of 10M Match Group Users from Hinge & OkCupid

HIGH

ShinyHunters Threat Group Claims Major Data Breach of Match Group, Affecting 10 Million Dating App Users

The notorious cybercrime group ShinyHunters has claimed responsibility for a major data breach impacting Match Group, the parent company of popular dating apps like Hinge, OkCupid, and Match.com. The group posted on a dark web forum that it has stolen over 10 million user records, and released a 1.7GB sample as proof. The data allegedly includes sensitive user information such as names, phone numbers, IP addresses, and match logs, as well as internal corporate documents. ShinyHunters asserts the data was exfiltrated from a third-party analytics provider, AppsFlyer, highlighting a potential supply chain attack vector.

January 28, 2026
5 min read
ShinyHuntersMatch Groupdata breachHingeOkCupid +2 more
ShinyHunters Claims Breach of 10M Match Group Users from Hinge & OkCupid
Data Breach
Threat Actor
Supply Chain Attack

Critical RCE Flaws in n8n Workflow Platform Put Thousands of Instances at Risk

CRITICAL

High-Severity Vulnerabilities (CVE-2026-1470, CVE-2026-0863) in n8n Platform Allow Remote Code Execution

Two new high-severity vulnerabilities have been discovered in the n8n workflow automation platform, a tool that often holds credentials to critical corporate systems. The most severe flaw, CVE-2026-1470, is a critical eval injection vulnerability (CVSS 9.9) that allows an authenticated attacker to bypass the expression sandbox and achieve full remote code execution. A second flaw, CVE-2026-0863 (CVSS 8.5), allows for a similar sandbox escape in the Python execution environment. A compromise could provide an attacker with a 'skeleton key' to an organization's infrastructure. This news is compounded by data showing over 39,000 n8n instances remain unpatched for a previous critical flaw.

January 28, 2026
4 min read
n8nRCEsandbox escapeCVE-2026-1470CVE-2026-0863 +2 more
Critical RCE Flaws in n8n Workflow Platform Put Thousands of Instances at Risk
Vulnerability
Cloud Security
Patch Management

Malicious PyPI Packages `spellcheckerpy` & `spellcheckpy` Deliver RAT via Hidden Payload

HIGH

Malicious Python Packages on PyPI Deliver Remote Access Trojan via Hidden Payload

A software supply chain attack has been uncovered on the Python Package Index (PyPI), involving two malicious packages named `spellcheckerpy` and `spellcheckpy`. Downloaded over 1,000 times, the packages contained a hidden, dormant payload. A later version update activated the malware, which was designed to fingerprint the compromised developer's system and deploy a Remote Access Trojan (RAT). The attack was cleverly concealed, with the malicious code base64-encoded and hidden inside a Basque language dictionary file. The C2 domain used has been linked to a hosting provider known to service nation-state actors, suggesting a potentially sophisticated adversary.

January 28, 2026
5 min read
PyPIPythonsupply chain attackmalwareRAT +1 more
Malicious PyPI Packages `spellcheckerpy` & `spellcheckpy` Deliver RAT via Hidden Payload
Supply Chain Attack
Malware
Threat Intelligence

US Indicts 31 More in ATM Jackpotting Ring Linked to Tren de Aragua Gang

MEDIUM

U.S. Indicts 31 Additional Individuals in International 'ATM Jackpotting' Conspiracy

A U.S. federal grand jury has indicted an additional 31 individuals for their participation in a widespread 'ATM jackpotting' conspiracy, bringing the total number of defendants to 87. The sophisticated scheme involved using malware to force ATMs to dispense large sums of cash. Many of the newly charged individuals are Venezuelan and Colombian nationals, including several identified members of the transnational criminal gang Tren de Aragua (TdA) who are in the U.S. illegally. The case highlights the growing convergence of organized crime and specialized cybercrime tactics.

January 28, 2026
4 min read
ATM jackpottingTren de Araguabank fraudcybercrimeindictment +1 more
US Indicts 31 More in ATM Jackpotting Ring Linked to Tren de Aragua Gang
Threat Actor
Cyberattack
Malware

Nova Ransomware Group Claims Cyberattack on KPMG Netherlands, Sets 10-Day Deadline

HIGH

Nova Ransomware Group Claims Attack on KPMG Netherlands, Threatens Data Leak

The Nova ransomware group has claimed responsibility for a cyberattack against the Netherlands division of global professional services firm KPMG. The claim, which appeared on ransomware monitoring services on January 23, 2026, alleges that the group successfully breached KPMG's systems and exfiltrated sensitive data. In a classic double-extortion tactic, the Nova group has reportedly set a ten-day deadline for KPMG Netherlands to enter into ransom negotiations before they potentially leak the stolen data. KPMG has not yet publicly confirmed the attack.

January 28, 2026
4 min read
ransomwareNova ransomwareKPMGdata breachdouble extortion
Nova Ransomware Group Claims Cyberattack on KPMG Netherlands, Sets 10-Day Deadline
Ransomware
Threat Actor
Data Breach

'Stanley' MaaS Sells Malicious Chrome Extensions Guaranteed for Web Store Publication

MEDIUM

'Stanley' Malware-as-a-Service for Malicious Chrome Extensions Emerges on Cybercrime Forums

A new Malware-as-a-Service (MaaS) platform named 'Stanley' has appeared on Russian-language cybercrime forums, specializing in the sale of malicious Google Chrome extensions. A key feature of the service is a guarantee that the malicious extensions will be successfully published to the official Chrome Web Store, lending them an air of legitimacy. The primary purpose of these extensions is to facilitate phishing and credential theft by spoofing legitimate websites. The emergence of 'as-a-service' models like Stanley significantly lowers the barrier to entry for less sophisticated cybercriminals to launch effective attacks.

January 28, 2026
4 min read
Malware-as-a-ServiceMaaSStanleyChrome extensionphishing +1 more
'Stanley' MaaS Sells Malicious Chrome Extensions Guaranteed for Web Store Publication
Malware
Phishing
Threat Intelligence

Updated Articles (3)

Mustang Panda APT Deploys Signed Kernel-Mode Rootkit to Hide Backdoor

HIGH

Chinese-Linked APT Mustang Panda Uses Signed Kernel-Mode Rootkit to Stealthily Deploy TONESHELL Backdoor

Update:

The China-aligned Mustang Panda (HoneyMyte) APT group has expanded its cyber-espionage campaign targeting government, military, and NGOs in Southeast and East Asia. The group is now deploying an updated version of its 'CoolClient' backdoor and multiple new browser data stealers to harvest credentials and sensitive information. While continuing to leverage kernel-mode rootkits for stealth and persistence, the campaign also utilizes spear-phishing and infected USB drives for initial access, followed by DLL side-loading for execution. This indicates an evolution in the group's toolset and TTPs for long-term intelligence gathering.

January 1, 2026
Updated: January 28, 2026
6 min read
Mustang PandaAPTRootkitKernel-modeTONESHELL +3 more
Mustang Panda APT Deploys Signed Kernel-Mode Rootkit to Hide Backdoor
Threat Actor
Malware
Cyberattack

Illinois DHS Exposes Data of 700,000 Residents in Massive Misconfiguration Breach

HIGH

Illinois Department of Human Services Exposes Personal and Health Information of 705,000 Residents via Public Website

Update:

The Illinois Department of Human Services (IDHS) data breach, previously attributed to a server misconfiguration, now has an undisclosed cause, with the new report implying potential malicious activity by cybercriminals. Crucially, the updated information states that full names were exposed for over 672,000 Medicaid recipients, directly contradicting earlier reports that individual names were not included for this group. This significantly increases the risk of identity theft and fraud for affected individuals. The total number of affected residents remains around 700,000. The incident highlights the vulnerability of social service agencies to sophisticated threats.

January 10, 2026
Updated: January 28, 2026
5 min read
Data BreachIllinoisIDHSMisconfigurationHIPAA +3 more
Illinois DHS Exposes Data of 700,000 Residents in Massive Misconfiguration Breach
Data Breach
Regulatory
Policy and Compliance

Fortinet Confirms Active Exploitation of FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

CRITICAL

Fortinet Warns of Active Exploitation of FortiCloud SSO Bypass (CVE-2025-59718, CVE-2025-59719)

Update:

A new critical authentication bypass, CVE-2026-24858, has been disclosed in FortiCloud SSO. This vulnerability allows attackers with any FortiCloud account to gain unauthorized access to other customers' devices, and crucially, it bypasses patches for the previously reported CVE-2025-59718 and CVE-2025-59719. The flaw affects a broader range of products including FortiOS, FortiManager, FortiAnalyzer, FortiWeb, and FortiProxy. CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation and severe risk. Fortinet temporarily disabled the SSO service for remediation and urges immediate patching and thorough investigation for compromise.

January 27, 2026
Updated: January 28, 2026
4 min read
FortinetFortiGateVulnerabilityAuthentication BypassSSO +2 more
Fortinet Confirms Active Exploitation of FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Vulnerability
Cyberattack
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats