Ukraine's Computer Emergency Response Team (CERT) says that Russian hackers are exploiting CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. [...]

More than 230 malicious packages for the personal AI assistant OpenClaw (formerly known as Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. [...]

Fake high-yield investment platforms are surging worldwide, promising "guaranteed" returns that mask classic Ponzi schemes.CTM360 explains how HYIP scams scale through social media, recycled templates, and referral abuse. [...]

Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today. [...]

A hacker published malicious versions of four established VS Code extensions to distribute a GlassWorm malware loader.

The post Open VSX Publisher Account Hijacked in Fresh GlassWorm Attack appeared first on SecurityWeek.

The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported. [...]

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident. [...]

The likely state-sponsored threat actor had access to the hosting provider for months and targeted only certain Notepad++ customers.

The post Notepad++ Supply Chain Hack Conducted by China via Hosting Provider appeared first on SecurityWeek.

The rise in real estate tech means renters often hand over huge amounts of revealing information to digital third parties – at great risk

• Get our breaking news email, free app or daily news podcast

Would you trade your data privacy and security for housing? Thanks to the rise in real estate technologies, renters often have no choice but to hand over huge amounts of revealing information to digital third parties just to have somewhere to live. All the while we are told: trust us, we take your privacy seriously.

But recent Guardian reporting has revealed that seven popular “rent-tech” platforms have serious security vulnerabilities, leaving millions of documents containing personal information of renters exposed on the open web for years. When they were alerted to the risk, only two of the seven companies responded to say they would put additional security measures in place. Is this what taking renter privacy seriously looks like?

Continue reading...

© Photograph: Jacob Wackerhausen/Getty Images

© Photograph: Jacob Wackerhausen/Getty Images

© Photograph: Jacob Wackerhausen/Getty Images

A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data. [...]

Apple is introducing a new privacy feature that lets users limit the precision of location data shared with cellular networks on some iPhone and iPad models. [...]

Exclusive: ‘This is a blatant and disturbing disregard for the law and for people’s security,’ digital rights advocate says

• Follow our Australia news live blog for latest updates

• Get our breaking news email, free app or daily news podcast

Australian platforms used by real estate agents to upload documentation for renters and landlords are leaving people’s personal information exposed in hyperlinks accessible online.

An analysis of seven rent platforms provided to Guardian Australia by a researcher, who wished to remain anonymous, revealed millions of leasing documents could be accessed by threat actors.

Continue reading...

© Photograph: Carly Earl/The Guardian

© Photograph: Carly Earl/The Guardian

© Photograph: Carly Earl/The Guardian

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected.

Continue reading Vulnerability & Patch Roundup — January 2026 at Sucuri Blog.

A U.S. federal jury has convicted Linwei Ding, a former software engineer at Google, for stealing AI supercomputer data from his employer and secretly sharing it with Chinese tech firms. [...]

Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. [...]

Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. [...]

Hackers compromised a MicroWorld Technologies update server and fed a malicious file to eScan customers.

The post eScan Antivirus Delivers Malware in Supply Chain Attack appeared first on SecurityWeek.

A researcher has released detailed evidence showing some Instagram private accounts exposed photo links to unauthenticated visitors. The issue was later fixed, but Meta closed the report as not applicable and did not respond to multiple requests for comment. [...]