
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, January 8, 2025. I'm Sarah Lane.
ESA confirms 500 gigabytes stolen in data heist. The European Space Agency, or ESA, confirmed to The Register the second major breach in two weeks, with the criminal group claiming to have stolen around 500 gigabytes of operational and contractor data, including spacecraft procedures, subsystem documentation and mission details from companies like SpaceX, Airbus and Thales Alenia. The group says the vulnerability used to gain access back in September still isn't patched and offers live system access. ESA says it's begun a criminal investigation and declined to address specific claims. This follows a separate December leak involving more than 200 gigs of ESA data.
Ni8mare flaw lets hackers hijack n8n servers. A critical vulnerability called Ni8mare, with an 8, lets unauthenticated attackers hijack locally deployed n8n workflow automation servers, with security researchers at Cyera estimating more than 100,000 instances exposed. It stems from a parser flaw that allows arbitrary file reads and, depending on configuration, access to secrets, authentication bypass or remote code execution. n8n advises updating to version 1.1 to 1.0 and restricting public webhooks, but there's no full workaround. The flaw was disclosed to n8n in November with a maximum 10.0 severity.
Taiwan blames Chinese cyber army for intrusion attempts. Taiwan's National Security Bureau says Chinese cyber intrusions increased 6% in 2025, averaging 2.63 million attempts per day targeting government and critical infrastructure, with energy and hospital sectors seeing the sharpest rise. Taiwan links the activity to political and military pressure campaigns, noting spikes along PLA patrols and high-profile government events. Chinese operators reportedly leveraged telecom access and supply chain targeting across semiconductor and defense firms to steal technology and intelligence.
pkr_mtsi delivers diverse payloads. ReversingLabs detailed a Windows packer dubbed pkr_mtsi used as a versatile malware loader in large-scale malvertising and SEO poisoning campaigns over the last nine months. The tool distributes trojanized installers posing as PuTTY, Rufus, Microsoft Teams and similar utilities, then loads varied payloads including Oyster, Voice, Vidar, Vanguard Stealer and Supper. Newer variants add obfuscation, hashed APIs and anti-analysis tricks. DLL versions can run via regsvr32.exe for persistence. ReversingLabs released updated YARA coverage, noting recurring parsing flaws that give defenders consistent detection opportunities.
Huge thanks to our sponsor Hoxhunt. Traditional security training fails because it treats employees like the Hoxhunt treats them like the solution. AI-powered simulations mirror actual attacks hitting your inbox. Instant coaching turns mistakes into learning moments. Gamified rewards make security engaging. The result? Real behavior change that measurably reduces your risk. Thousands of companies trust Hoxhunt to transform human vulnerability into human defense. Visit hoxhunt.com/cisoseries to learn more.
Stalkerware creator pleads guilty. PC Tattletale creator Brian Fleming pled guilty in US federal court to selling software built for covert partner surveillance, aka stalkerware, prosecutors said. Since 2017, PC Tattletale let buyers capture victims' texts, emails, calls, location and browsing via a video-style screen recording on unlocked devices. Fleming's firm shuttered in 2024 after a breach exposed data from more than 138,000 customers and victims. Fleming faces up to 15 years in prison and forfeiture at sentencing.
Classic Outlook bug prevents opening encrypted emails. Microsoft confirmed a bug in Classic Outlook that blocks recipients from opening Encrypt-Only emails after updating to Current Channel Version 2511. Impacted users see a message_v2.rpmsg attachment instead of decrypted content. Microsoft is developing a fix. Temporary workarounds include resaving encrypted messages before sending or rolling back to a prior build.
Ghost Tap aids remote NFC payment fraud. Group-IB researchers have detailed a surge in Android Ghost Tap malware allowing remote NFC payment fraud. More than 54 malicious APKs sold in Chinese-language Telegram channels let criminals capture card data via reader apps on victims' phones and then relay it to tapper apps tied to illicit point-of-sale terminals. Victims are targeted through smishing and vishing. One vendor's POS activity saw at least $355,000 in fraudulent payments from late 2024 to mid-2025. Group-IB says the technique is spreading globally and urges stronger KYC, wallet monitoring and fraud defenses.
Lack of MFA fuels cloud credential heists. Cybersecurity firm Hudson Rock says a threat actor called Zestix used infostealers like RedLine, Lumma and Vidar to harvest cloud credentials from infected machines and then log into ShareFile, ownCloud and Nextcloud instances at roughly 50 companies without needing software exploits. Industry targets include aviation, construction, legal services, robotics and critical infrastructure, including Iberia and Sekisui House. Hudson Rock warns thousands more organizations have exposed credentials in infostealer logs and says basic MFA and password hygiene would have prevented the breaches.
If you want more great content from the CISO Series team, I have good news. If you haven't subscribed to our YouTube channel yet, it is a great resource, and head on over to YouTube.com/cisoseries for tons more. We'll see you there. And if you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you. I am Sarah Lane reporting for the CISO Series, and we will talk to you tomorrow.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cybersecurity Headlines
Host: Sarah Lane, CISO Series
Episode: ESA confirms new data heist, Ni8mare lets hackers hijack n8n servers, Taiwan blames 'cyber army' for intrusion attempts
Date: January 8, 2026
This episode delivers rapid-fire coverage of the day’s most pressing cybersecurity incidents and trends. Major stories include a massive European Space Agency breach, a severe vulnerability impacting automation tool n8n, intensifying Chinese cyber activity targeting Taiwan, updates on damaging malware loaders, legal action against stalkerware creators, cloud credential thefts facilitated by a lack of MFA, and a rising threat from mobile NFC payment fraud.
This January 8, 2026 episode underscores the high-stakes nature of cybersecurity in government, critical infrastructure, and commercial sectors. The episode’s crisp format highlights the importance of timely patching, robust authentication practices, user awareness, and staying vigilant amidst evolving threats—from nation-state attacks to sophisticated malware distribution and credential theft.
For more details on these headlines and further analysis, visit CISOseries.com.