Cybersecurity Headlines – January 29, 2026
Host: Sarah Lane
Main Theme:
A rapid-fire roundup of critical cybersecurity incidents and trends, ranging from newly discovered software flaws and fake tools spreading malware, to breakthroughs in automated vulnerability discovery and major law enforcement actions against cybercriminals.
Key Headlines & Insights
1. Sandbox Flaw Exposes n8n Instances (00:15)
- Issue: JFrog researchers found two serious sandbox escape vulnerabilities in the n8n workflow automation platform.
- First Flaw: Critical (CVSS 9.9) – Allows authenticated, non-admin users to escape JavaScript sandboxing, gaining full host control.
- Second Flaw: Enables remote code execution (RCE) via Python subprocesses.
- Scope: Only affects self-hosted instances, not cloud-hosted n8n.
- Risk: “JFrog warns slow patching will leave tens of thousands of exposed instances at risk.” (00:39)
- Fix: Patched in the latest n8n releases; immediate updates urged.
2. Fake ‘Moltbot Assistant’ Drops Malware (01:02)
- Discovery: A counterfeit “Moltbot Assistant” extension surfaced on Microsoft’s VS Code Marketplace.
- How It Works:
- Secretly installs malware, granting persistent attacker access via a bundled ScreenConnect remote-access client.
- “The extension exploited moltbot’s popularity… using multiple fallback methods to deliver payloads even if infrastructure went offline.” (01:18)
- Wider Risks: Highlights issues like exposed, unauthenticated Moltbot instances leaking API keys and sensitive credentials.
3. PeckBirdy Takes Flight for Cross-Platform Attacks (01:43)
- Actors: China-aligned threat groups.
- Tool: “PeckBirdy,” a JavaScript-based command-and-control (C2) framework active since at least 2023.
- Operations: Used against Chinese gambling sites and Asian governments alongside modular backdoors (mkdor, Holodonut).
- Tactics:
- Delivered fake software updates, harvested credentials, enabled lateral movement.
- “The framework’s use of JavaScript and living-off-the-land binaries makes detection difficult and points to ongoing state-linked espionage activity.” (02:20)
4. OpenSSL Flaws Uncovered by Autonomous System (02:26)
- What Happened: OpenSSL’s January security release fixed 12 previously unknown vulnerabilities, some in code dating back to 1998.
- How Found: Automated analysis by a system called “Aisle.”
- Impact: Spanned more than eight subsystems; one high-severity issue could allow RCE in specific cases.
- Significance: “The findings highlight how automated analysis can surface long-standing issues in heavily audited code bases.” (02:46)
5. Teen Swatting Suspects Arrested (03:12)
- Action: Hungarian and Romanian police arrested four suspects (including teenagers) for coordinated swatting/doxing campaigns.
- Method: Used Discord to gather victim data, then made fake bomb threats and emergency calls.
- Result: “A 17-year-old Romanian national faces terrorism-related and false reporting charges while investigations continue into the roles of the other suspects.” (03:37)
6. FBI Seizes RAMP Cybercrime Forum (03:51)
- Event: The FBI took over both Tor and clearnet domains of “RAMP,” a major ransomware forum.
- Potential: Law enforcement may now have access to user messages, email addresses, and IP addresses.
- Background: RAMP allowed ransomware promotion, with links to the Babuk ransomware operator, indicted in 2023.
7. Electrum Tied to Polish Cyber Attack (04:30)
- Attribution: Dragos links a December attack on Poland’s power grid to the Russia-associated group “Electrum.”
- Target: Communications and control systems for wind, solar, and combined heat-and-power facilities.
- Damage: Disrupted operations at roughly 30 sites; some OT equipment was permanently disabled, though no power outages resulted.
- Analysis: Shows a “division of labor” between Electrum and “Kamacite” (the access-focused cluster).
8. Empire Owner Pleads Guilty to Drug Conspiracy (05:25)
- Defendant: Virginia man and co-creator of dark web’s Empire Market.
- Charges: Federal drug conspiracy tied to more than $430 million in illegal transactions (2018-2020).
- Platform Reach: “Empire Market…facilitated roughly $375 million in drug sales, with operators using cryptocurrency to launder proceeds and evade law enforcement.” (05:46)
- Outcome: $75 million in crypto seized; mandatory minimum of 10 years in prison for the defendant.
Memorable Quotes
- On n8n Vulnerabilities:
“One bug is rated critical at 9.9 and allows authenticated non-admin users to escape JavaScript sandboxing and gain host-level control.” (00:25) – Sarah Lane
- On Fake Moltbot Risks:
“The extension exploited Moltbot’s popularity…using multiple fallback methods to deliver payloads even if infrastructure went offline.” (01:18) – Sarah Lane
- On PeckBirdy Espionage:
“The framework’s use of JavaScript and living-off-the-land binaries makes detection difficult and points to ongoing state-linked espionage activity.” (02:20) – Sarah Lane
- On Automated Vulnerability Discovery:
“OpenSSL maintainers credited Aisle’s disclosures and said the findings highlight how automated analysis can surface long-standing issues in heavily audited code bases.” (02:46) – Sarah Lane
Timestamps for Key Segments
- n8n Sandbox Vulnerabilities: 00:15 – 01:01
- Fake 'Moltbot Assistant' Malware: 01:02 – 01:41
- PeckBirdy (China-aligned Attacks): 01:43 – 02:25
- Automated OpenSSL Flaw Discovery: 02:26 – 03:11
- Teen Swatting Ring Arrests: 03:12 – 03:50
- FBI Seizes RAMP Forum: 03:51 – 04:29
- Russian Group Hits Polish Power Grid: 04:30 – 05:24
- Empire Market Conspiracy Plea: 05:25 – 06:08
Tone and Language
- Direct and Concise: The host delivers urgent security stories in a fast-paced, fact-focused manner with clarity and gravitas.
- Expert-Driven: Terminology and context assume a professional, informed cybersecurity audience.
For more stories and full context, visit CISOseries.com.
