
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, January 29, 2026. I'm Sarah Lane.

Sandbox escape flaw exposes n8n instances
JFrog researchers disclosed two sandbox escape vulnerabilities in the n8n workflow automation platform that can lead to full remote code execution on self-hosted instances. One bug is rated critical at 9.9 and allows authenticated non-admin users to escape JavaScript sandboxing and gain host-level control. The other enables similar RCE via Python subprocesses. The flaws are patched in recent n8n releases. Cloud-hosted n8n is not affected, and JFrog warns slow patching will leave tens of thousands of exposed instances at risk.

Fake Moltbot assistant drops malware
Security researchers flagged a fake Clawdbot Agent AI coding assistant on Microsoft's VS Code Marketplace that secretly installs malware, giving attackers persistent remote access via a bundled ScreenConnect client. The extension exploited Moltbot's popularity despite the project having no official VS Code plugin, using multiple fallback methods to deliver payloads even if infrastructure went offline. The report also highlights broader Moltbot security risks, including exposed unauthenticated instances leaking API keys and credentials.

Peckbirdie takes flight for cross-platform attacks
Trend Micro reports that China-aligned threat actors have used a cross-platform JScript-based command and control framework dubbed Peckbirdie since at least 2023 to run cyber espionage campaigns. In two separate operations, attackers targeted Chinese gambling websites and Asian government entities using Peckbirdie alongside new modular backdoors mkdor and Holodonut to deliver fake software updates, harvest credentials and enable lateral movement while evading endpoint defenses. The framework's use of JavaScript and living-off-the-land binaries makes detection difficult and points to ongoing state-linked espionage activity.

Autonomous system uncovers OpenSSL flaws
A January update fixed 12 previously unknown OpenSSL vulnerabilities, some dating back to 1998, uncovered by autonomous analysis from Aisle. The flaws spanned more than eight subsystems and included one high-severity bug that could enable remote code execution under specific conditions, alongside moderate- and low-severity issues. OpenSSL maintainers credited Aisle's disclosures and said the findings highlight how automated analysis can surface long-standing issues in heavily audited code bases.

Huge thanks to our sponsor Conveyor. Another security questionnaire hits your desk. Ever wish it could magically disappear? You already have the answers that customers should self-serve, but they can't find the info in your trust center. That's why Conveyor built the first truly agentic trust center. An AI agent lives inside it, answering customer questions, sharing documents and even completing full questionnaires instantly. Customers get what they need fast. It's magical, touchless, extremely accurate. Join teams at Atlassian, Zapier and more at conveyor.com.

Teen swatting suspects arrested
Hungarian and Romanian police arrested four suspects, including teenagers, over coordinated swatting and doxing campaigns that triggered repeated bomb threats and false emergency calls across Hungary. Authorities say the group used Discord to collect victims' personal information, then placed fake threats in their names, prompting large police responses. A 17-year-old Romanian national faces terrorism-related and false reporting charges while investigations continue into the roles of the other suspects.

FBI seizes RAMP
The FBI has seized the RAMP cybercrime forum, a major marketplace used by ransomware gangs to advertise malware and hacking services and recruit affiliates. Both its Tor and clearnet domains now show an FBI seizure notice, potentially giving law enforcement access to user data, including messages, emails and IP addresses. RAMP launched back in 2021 as one of the few forums still allowing ransomware promotion and was linked to Babuk ransomware operator Mikhail Matveev, who was indicted by the DOJ in 2023.

Electrum tied to Polish cyber attack
Dragos says a coordinated cyber attack on Poland's power grid in December is tied with medium confidence to the Russian state-linked hacking group Electrum. The attack targeted communications and control systems connecting grid operators to distributed energy resources, including wind, solar and combined heat and power facilities, disrupting operations at around 30 sites and permanently disabling some OT equipment. Though no power outages were reported, Dragos says the incident shows a division of labor between Electrum and a related access-focused cluster, Kamacite.

Empire owner pleads guilty to drug conspiracy
A Virginia man who co-created the dark web marketplace Empire Market has pleaded guilty to a federal drug conspiracy tied to more than $430 million in illegal transactions between 2018 and 2020. Prosecutors say Empire Market, an AlphaBay-style platform with more than 1.6 million users, facilitated roughly $375 million in drug sales, with operators using cryptocurrency to launder proceeds and evade law enforcement. Authorities have seized around $75 million in crypto, and the defendant now faces a mandatory minimum of 10 years in prison.

If customers want cybersecurity vendors to solve a problem, it should be clear how to market the solution. Unfortunately, too many vendors are marketing something that buyers don't really care about. We try and make sense of the situation on the latest episode of Defense in Depth. Look for the episode "When Cybersecurity Marketing Fails to Reach the Buyer" wherever you get your podcasts.

If you have thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I am Sarah Lane, reporting for the CISO Series. Stay classy and warm out there, and we'll see you tomorrow.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Main Theme:
A rapid-fire roundup of critical cybersecurity incidents and trends, ranging from newly discovered software flaws and fake tools spreading malware, to breakthroughs in automated vulnerability discovery and major law enforcement actions against cybercriminals.
For more stories and full context, visit CISOseries.com.