Cybersecurity Headlines: Key Stories from January 8, 2026
Podcast: Cybersecurity Headlines
Host: Sarah Lane, CISO Series
Episode: ESA confirms new data heist, Ni8mare lets hackers hijack n8n servers, Taiwan blames 'cyber army' for intrusion attempts
Date: January 8, 2026
Episode Overview
This episode delivers rapid-fire coverage of the day’s most pressing cybersecurity incidents and trends. Major stories include a massive European Space Agency breach, a severe vulnerability impacting automation tool n8n, intensifying Chinese cyber activity targeting Taiwan, updates on damaging malware loaders, legal action against stalkerware creators, cloud credential thefts facilitated by a lack of MFA, and a rising threat from mobile NFC payment fraud.
Key Discussion Points & Insights
1. ESA Data Heist: Major Space Industry Leak
- Summary:
The European Space Agency (ESA) confirmed its second breach in two weeks, with 500 GB of operational and contractor data stolen, including sensitive documents from partners such as SpaceX, Airbus, and Thales Alenia.
- Details:
- The vulnerability the attackers used to gain access in September 2025 remains unpatched, and the group claims it still provides live access to ESA systems.
- ESA has begun a criminal investigation but declined to confirm specific claims.
- Stolen data includes “spacecraft procedures, subsystem documentation and mission details.”
- Recent December leak involved another 200 GB of ESA data, underscoring a persistent security gap.
- Memorable Moment:
Sarah Lane [00:12]:
“The group says the vulnerability used to gain access back in September still isn't patched and offers live system access.”
- Timestamps:
- Story start: [00:06]
- Notable quote: [00:12]
2. ‘Nightmare’ Flaw Jeopardizes n8n Workflow Servers
- Summary:
A critical vulnerability dubbed ‘Ni8mare’ (read as ‘Nightmare’, with an ‘8’) affects n8n, a popular open-source workflow automation tool.
- Details:
- Researchers estimate 100,000+ exposed instances.
- Flaw allows unauthenticated attackers to remotely hijack servers, read arbitrary files, access secrets, bypass authentication, and execute code (depending on configuration).
- n8n recommends updating to version 1.1.1.0 and restricting webhooks; no complete workaround yet.
- Disclosed to n8n in November with a maximum 10.0 severity rating.
- Quote:
Sarah Lane [00:43]:
“There’s no full workaround. The flaw was disclosed to n8n in November with a maximum 10.0 severity.”
- Timestamps:
- Story start: [00:38]
3. Taiwan Blames ‘Cyber Army’ for Spike in Intrusion Attempts
- Summary:
Taiwan’s National Security Bureau reports a 6% rise in cyber intrusions in 2025, primarily targeting government and critical infrastructure.
- Details:
- 2.63 million daily intrusion attempts, with spikes coinciding with PLA patrols and political events.
- Notable increases in energy and hospital sectors.
- Chinese attackers leveraging telecoms and supply chain for technology and intelligence theft.
- Quote:
Sarah Lane [01:06]:
“Taiwan links the activity to political and military pressure campaigns, noting spikes along PLA patrols and high profile government events.”
- Timestamps:
- Story start: [01:03]
4. PKR MTSI: Malvertising Campaigns & Evolving Malware Loader
- Summary:
Malware loader PKR MTSI is deployed in large-scale malvertising and SEO poisoning schemes.
- Details:
- Masquerades as legitimate installers (PuTTY, Rufus, Microsoft Teams).
- Delivers multiple payloads: Oyster, Voice, Vidar, Vanguard Stealer, Supper.
- Newer variants feature obfuscation and anti-analysis.
- DLL variants can be run via regsvr32.exe to persist on the host.
- ReversingLabs released updated YARA rules for detection.
- Quote:
Sarah Lane [01:49]:
“DLL versions can run via regsvr32.exe for persistence. ReversingLabs released updated YARA coverage noting recurring parsing flaws that give defenders consistent detection opportunities.”
- Timestamps:
- Story start: [01:29]
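The persistence detail above (a loader DLL registered through regsvr32.exe) is the kind of behaviour a defender hunts for in endpoint telemetry. The following is an added example, not code from the episode, CISO Series, or ReversingLabs: it scans constructed process-creation events and flags regsvr32.exe registering a DLL from a user-writable location. The event format, the `USER_WRITABLE_MARKERS` heuristic and the sample lines are all assumptions made for this illustration; real telemetry (Sysmon, EDR) has its own schema.

```python
"""Added example: flag regsvr32.exe registering DLLs from user-writable paths.

Not from the podcast or ReversingLabs. The event format below is a
hypothetical "<timestamp> <user> <image> <command line>" layout, and
the sample events are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '2026-01-08T09:12:01Z corp\\alice C:\\Windows\\System32\\regsvr32.exe '
    'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Roaming\\update\\putty_helper.dll"',
    '2026-01-08T09:13:44Z corp\\bob C:\\Windows\\System32\\regsvr32.exe '
    'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"',
    '2026-01-08T09:15:10Z corp\\carol C:\\Windows\\System32\\notepad.exe '
    'notepad.exe C:\\Users\\carol\\notes.txt',
    '2026-01-08T09:17:05Z corp\\erin C:\\Windows\\System32\\regsvr32.exe '
    'regsvr32.exe /s C:\\Users\\Public\\Downloads\\rufus_setup.dll',
]

# Heuristic (assumption): path fragments that ordinary users can write to.
# Signed installers also drop DLLs here, so a hit is a triage signal, not a verdict.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Matches a quoted DLL path (group 1) or an unquoted one without spaces (group 2).
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    user: str
    dll_path: str


def parse_event(line: str):
    """Split one hypothetical event line into (timestamp, user, image, cmdline)."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    return tuple(parts)


def dll_from_cmdline(cmdline: str):
    """Return the first .dll path found in the command line, or None."""
    match = DLL_RE.search(cmdline)
    if not match:
        return None
    return match.group(1) or match.group(2)


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect_regsvr32_persistence(events):
    """Return Findings for regsvr32.exe runs that register a DLL from a user-writable path."""
    findings = []
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        timestamp, user, image, cmdline = parsed
        if not image.lower().endswith("\\regsvr32.exe"):
            continue
        dll = dll_from_cmdline(cmdline)
        if dll and is_user_writable(dll):
            findings.append(Finding(timestamp, user, dll))
    return findings


if __name__ == "__main__":
    for f in detect_regsvr32_persistence(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user} regsvr32 loaded DLL from user-writable path: {f.dll_path}")
```

On the sample data this flags alice's AppData DLL and erin's Downloads DLL, while bob's DLL under Program Files and carol's notepad run are ignored. In practice the heuristic would be paired with the vendor YARA coverage mentioned in the story and with an allow-list for known installers.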
5. Stalkerware Developer Pleads Guilty
- Summary:
Brian Fleming, creator of PC Tattletale, pleads guilty to selling software for covert partner surveillance.
- Details:
- Since 2017, the software captured texts, emails, calls, GPS location, and browsing activity, including by video recording of the victim's device.
- Company shuttered in 2024 after breach exposed 138,000+ victims and customers.
- Fleming faces up to 15 years in prison and forfeiture.
- Quote:
Sarah Lane [02:33]:
“Fleming's firm shuttered in 2024 after a breach exposed data from more than 138,000 customers and victims.”
- Timestamps:
- Story start: [02:24]
6. Classic Outlook Bug Blocks Encrypted Emails
- Summary:
Microsoft confirms a bug in Classic Outlook blocks ‘Encrypt Only’ emails after a recent update.
- Details:
- Impacted users see a “message_v2.rpmsg” attachment instead of the message content.
- Temporary fixes: resaving encrypted messages before sending or rolling back to a prior build.
- Quote:
Sarah Lane [02:51]:
“Impacted users see a message_v2.rpmsg attachment instead of decrypted content. Microsoft is developing a fix.”
- Timestamps:
- Story start: [02:49]
7. Ghosttap Malware Powers Remote NFC Payment Fraud
- Summary:
Researchers report surging Android Ghosttap malware used for remote NFC payment fraud.
- Details:
- Over 54 malicious APKs sold in Chinese-language Telegram channels.
- Malware hijacks card reader apps and relays data to criminal point-of-sale terminals.
- Victims targeted via smishing and vishing, with one group profiting $355,000+.
- Group-IB warns the technique is spreading globally and calls for stronger KYC and fraud defenses.
- Quote:
Sarah Lane [03:27]:
“One vendor's POS activity saw at least $355,000 in fraudulent payments from late 2024 to mid-2025.”
- Timestamps:
- Story start: [03:12]
8. Cloud Credential Heists Enabled by Weak MFA Practices
- Summary:
Hudson Rock identifies “Zestix” using infostealers (Redline, Llama, Vidar) to harvest credentials from infected devices.
- Details:
- Attackers logged into ShareFile, OwnCloud, and NextCloud at approximately 50 companies; no exploit was needed because MFA was not enforced.
- Impacted industries: aviation, construction, legal, robotics, critical infrastructure (e.g., Iberia, Sekisui House).
- Hudson Rock warns that thousands of organizations are similarly exposed; basic MFA would have blocked the attacks.
- Quote:
Sarah Lane [04:06]:
“Hudson Rock warns thousands more organizations have exposed credentials in infostealer logs and says basic MFA and password hygiene would have prevented the breaches.”
- Timestamps:
- Story start: [03:56]
Notable Quotes & Timestamps
- Sarah Lane on ESA Breach [00:12]: “The group says the vulnerability used to gain access back in September still isn't patched and offers live system access.”
- Sarah Lane on n8n Flaw [00:43]: “There’s no full workaround. The flaw was disclosed to n8n in November with a maximum 10.0 severity.”
- Sarah Lane on Taiwan Intrusions [01:06]: “Taiwan links the activity to political and military pressure campaigns, noting spikes along PLA patrols and high profile government events.”
- Sarah Lane on Stalkerware Breach [02:33]: “Fleming's firm shuttered in 2024 after a breach exposed data from more than 138,000 customers and victims.”
- Sarah Lane on Outlook Bug [02:51]: “Impacted users see a message_v2.rpmsg attachment instead of decrypted content. Microsoft is developing a fix.”
- Sarah Lane on Ghosttap Payments [03:27]: “One vendor's POS activity saw at least $355,000 in fraudulent payments from late 2024 to mid-2025.”
- Sarah Lane on MFA Lapses [04:06]: “Hudson Rock warns thousands more organizations have exposed credentials in infostealer logs and says basic MFA and password hygiene would have prevented the breaches.”
Conclusion
This January 8, 2026 episode underscores the high-stakes nature of cybersecurity in government, critical infrastructure, and commercial sectors. The episode’s crisp format highlights the importance of timely patching, robust authentication practices, user awareness, and staying vigilant amidst evolving threats—from nation-state attacks to sophisticated malware distribution and credential theft.
For more details on these headlines and further analysis, visit CISOseries.com.
