Cybersecurity Headlines – Jan 20, 2026

Host: Sarah Lane, CISO Series
Episode Theme:
A fast-paced rundown of the day’s top infosec stories, from AI vulnerability revelations and major legal proceedings to new malware discoveries and significant incidents across the cybersecurity landscape.

Main Stories & Key Discussion Points

1. Gemini Prompt Injection Flaw Exposes Calendar Info

• [00:11]
  • Discovery: Mego Security identified a prompt injection vulnerability in Google Gemini.
  • Exploit Details:
    • Attackers could embed hidden instructions within calendar invites.
    • When users made simple scheduling requests, Gemini would inadvertently copy private meeting information into a new calendar event accessible to the attacker.
  • Response:
    • Google patched the issue after being informed.
  • Industry Implications:
    • Researchers highlighted that “AI native workflows broaden the attack surface.”
    • Similar vulnerabilities were demonstrated in Microsoft Copilot, Vertex AI agents, and multiple AI coding IDEs.
  • Quote:

    "Researchers say AI native workflows broaden the attack surface as other labs recently demonstrated similar data exfiltration and privilege escalation paths across Copilot vertex AI agents and multiple AI coding IDEs." – Sarah Lane [00:36]

2. Hacker Admits to Leaking US Supreme Court Data

• [00:54]
  • Subject: 24-year-old Nicholas Moore (Springfield, TN) pleaded guilty to hacking the Supreme Court's filing system in 2023.
  • Method:
    • Used stolen credentials, accessed the system over 25 times.
    • Posted breach screenshots to Instagram.
    • Also accessed AmeriCorps and VA systems, leaking personal and health data.
  • Consequences:
    • Faces up to 1 year in prison and a $100,000 fine.
  • Quote:

    "...pleaded guilty to hacking the US Supreme Court's electronic filing system more than 25 times in 2023, using stolen credentials, then posting screenshots to an Instagram account to show off the breach." – Sarah Lane [00:57]

3. Researchers Uncover PDFSIDER Malware

• [01:23]
  • Description:
    • "PDFSIDER" is a newly documented backdoor, distributed via malicious DLL sideloading in spearphishing ZIP files.
    • Masquerades as a fake PDF24 executable to evade detection.
    • Executes commands in memory over AES-encrypted C2 channels.
    • Features anti-VM checks, DNS exfiltration, and delivers decoy intelligence documents.
  • Characterization:
    • Styled as advanced persistent threat (APT) tooling.
    • Focused on stealth and persistence, not mass infections.
  • Quote:

    "Researchers describe it as an apt style tooling focused on stealth and long term access rather than mass infection." – Sarah Lane [01:49]

4. Internal Upheaval at CISA Over CIO Reassignment

• [02:01]
  • Context:
    • Acting CISA director Madhu Gautamakala attempted to rapidly reassign Chief Information Officer Robert Costello.
    • Move would have forced Costello to resign or transfer within DHS.
    • Senior political appointees objected; DHS intervention halted the move.
    • Costello regarded as one of CISA’s “strongest technical leaders.”
  • Backstory:
    • Previous clashes between Costello and Gautamakala over contracting and policy decisions.
  • Quote:

    "Senior political appointees reportedly objected and DHS halted the move. Costello is viewed by many as one of SISA's strongest technical leaders." – Sarah Lane [02:14]

5. Malware Broker Sentencing – Initial Access Broker for U.S. Attacks

• [03:12]
  • Defendant: Jordanian national Faras Khalil Ahmad Al Bashidi (a.k.a. Riz, R1Z).
  • Crimes:
    • Sold access and malware to an undercover FBI agent in 2023.
    • Aided attacks on at least 50 US companies.
    • Sold an EDR-disabling tool, revealing his IP and linking him to a $50M ransomware case.
  • Legal Outcome: Extradited in 2024; faces sentencing (up to 10 years in prison and $250,000 fine) in May.
  • Quote:

    "...facilitated attacks against at least 50 U.S. companies and sold an EDR disabling tool that ultimately exposed his IP address and tied him to a $50 million ransomware incident." – Sarah Lane [03:22]

6. Ingram Micro Ransomware Update – 42,000+ Impacted

• [03:51]
  • Disclosure: New stats from the July 2025 ransomware breach:
    • Data stolen on over 42,000 individuals (including SSNs and job applicant records).
    • 3.5 TB of data taken; outage led to days-long work-from-home orders.
  • Attribution: SafePay ransomware crew (not formally confirmed by Ingram Micro).
    • SafePay has filled gaps left by notorious groups like Lockbit and Black Hat.
  • Quote:

    "The attack caused a days long outage, work from home orders and 3.5 terabytes of documents stolen." – Sarah Lane [04:05]

7. TP-Link Patches VIGI Camera Vulnerability

• [04:27]
  • Vulnerability: High-severity auth bypass impacting 32+ VIGI and VIGI Insight surveillance camera models.
  • Impact:
    • Attackers could reset admin passwords and control devices (including live feeds).
    • Over 2,500 devices found exposed online at disclosure.
    • “Patching [is] urgent” due to prior abuse of TP-Link flaws.
  • Quote:

    "Attackers can reset admin passwords and take full control, including video feeds... he counted more than 2500 exposed cameras online." – Sarah Lane (quoting Arco Dar) [04:34]

8. Windows 11 Shutdown Bug Triggers Emergency Patch

• [04:58]
  • Issue: January patch broke shutdown, restart & hibernation on devices with Secure Launch enabled.
  • Response: Microsoft rushed an out-of-band update (KB577797, Jan 17) to fix this and a Remote Desktop auth bug.
  • Lingering Problems: Separate Outlook POP bug remains unresolved.
  • Industry Reflection:
    • "Security updates can create unexpected side effects."
  • Quote:

    "Microsoft urges affected users to install KB57 7797, reminding us that security updates can create unexpected side effects." – Sarah Lane [05:23]

Notable Quotes & Memorable Moments

• On Red Team Automation and AI:
  [05:35]

  "When the glut of LLM based tools started cropping up, many assumed they could never approximate the human creativity needed to be effective red teamers by themselves. But these tools are proving remarkably effective. So what's left for the red team that can't be automated?"

• Closing Reflection:

  "AI is very efficient at making us forget the value of humans." – Sarah Lane [05:54]

Timestamps for Key Segments

| Segment | Timestamp | |--------------------------------------------------------------|-----------| | Gemini prompt injection/AI attack surface | 00:11–00:53 | | Supreme Court breach admission | 00:54–01:22 | | PDFSIDER malware discovery | 01:23–02:01 | | CISA internal dispute over CIO | 02:01–03:11 | | Malware broker sentencing | 03:12–03:50 | | Ingram Micro ransomware update | 03:51–04:26 | | TP-Link VIGI camera vulnerability | 04:27–04:57 | | Windows 11 emergency patch | 04:58–05:34 | | Red teaming automation, AI & human value (teaser) | 05:35–06:16 |

Tone and Language

• Direct & Informative: Sarah Lane delivers concise, high-impact news with a sense of urgency.
• Expert Attribution: Frequent reference to security researchers, political sources, and technical leaders.
• Reflective: Ends with thought-provoking questions about automation, AI in security, and enduring human skills.

For in-depth coverage or source links for each story, visit CISOSeries.com.