Monday, February 23, 2026
February 2, 2026

Cybersecurity news roundup February 2, 2026

San Mateo, CA, February 2, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

CISA chief scrutiny after sensitive data shared with ChatGPT

The acting head of the Cybersecurity and Infrastructure Security Agency reportedly uploaded sensitive government contracting documents marked for official use only to ChatGPT, according to Politico. The incident involved acting director Madhu Gottumukkala, a Trump appointee whose activity triggered multiple internal security alerts designed to prevent unauthorized disclosure of federal data. Officials at the Department of Homeland Security reviewed the uploads to determine whether national security was put at risk, as public large language models can retain and reuse submitted information. Gottumukkala reportedly had been granted an exception to use ChatGPT at a time when other CISA employees were prohibited from doing so. A CISA spokesperson said the usage was short-term and limited. The report adds to scrutiny surrounding Gottumukkala’s leadership, which has included a disputed counterintelligence polygraph and the suspension of multiple career staff. Read more.

China-linked PeckBirdy used in espionage campaigns

China-aligned threat actors have been using a cross-platform JScript command-and-control framework known as PeckBirdy to support cyber-espionage operations for several years, according to Trend Micro. The framework enables attackers to deploy dynamically generated JavaScript across multiple environments, helping them evade traditional endpoint defenses and abuse living-off-the-land binaries. Researchers identified two separate campaigns using PeckBirdy, one targeting Chinese gambling websites with fake software update lures and another aimed at Asian government entities through website injections and credential harvesting. The activity was supported by modular backdoors, including MKDoor and the newly discovered HoloDonut malware. Trend Micro said the framework’s flexibility underscores how Chinese state-aligned groups continue to refine tools to sustain persistent access, reinforcing the need for continuous infrastructure monitoring and threat hunting. Read more.

ShinyHunters claims dating app data leak

The cybercrime group ShinyHunters claims it has leaked more than 10 million user records linked to Match Group-owned dating apps, including Match, Hinge, and OKCupid. According to Cybernews, the data allegedly includes user IDs, IP addresses, and other sensitive information, and there are indications it may have been sourced from the mobile analytics platform AppsFlyer. Researchers who reviewed the dataset reported finding dating profiles, Hinge match data, subscription identifiers, employee emails, internal contracts, and information tied to the Indian dating app Vivald. While investigators said the material does not expose extensive personal details, they warned that dating-related data can still be weaponized for highly targeted scams with greater psychological impact than standard phishing. ShinyHunters has previously extorted major organizations, including AT&T, and continues to leak large datasets tied to consumer-facing brands. Read more.

FBI seizes Russian Anonymous Marketplace

The FBI has reportedly taken down the notorious cybercriminal forum Russian Anonymous Marketplace, known as RAMP, in an operation described as “a meaningful disruption to a core piece of criminal infrastructure.” The seizure notice indicates the operation was carried out in coordination with the U.S. Attorney’s Office for the Southern District of Florida and the Justice Department’s Computer Crime and Intellectual Property Section. RAMP, founded in 2012 and later linked to the Babuk ransomware group, became a central hub after other major forums banned ransomware discussions. Threat intelligence researchers described it as a high-trust marketplace supporting the full ransomware supply chain. Sophos researcher Rebecca Taylor said the takedown has created uncertainty across underground communities. At the same time, Red Sense co-founder Yelisey Bohuslavskiy noted the impact will likely fall hardest on low-tier actors, with limited effect on top ransomware groups. Read more.

Nike probes alleged 1.4TB data leak

Nike is investigating a potential cybersecurity incident after extortion group WorldLeaks claimed it stole and leaked more than 1.4TB of internal company data. Threat intelligence firm JustaBreach reported that nearly 190,000 files were posted after a ransom deadline expired, describing the exposure as a full data dump. Nike said it is “actively assessing the situation” and that it takes consumer privacy and data security seriously. The leaked materials allegedly include research and development assets, product designs, technical packs, supply chain documents, factory audits, and internal business presentations dating from 2020 through 2026. While no evidence has emerged showing exposure of personally identifiable information, analysts warn that the breach could enable industrial espionage and aid counterfeit operations. The incident highlights the growing practice of “value chain extortion,” which targets a victim’s competitive advantages rather than customer data. Read more.

SolarWinds patches critical Web Help Desk flaws

SolarWinds has released security updates to fix multiple critical vulnerabilities in its Web Help Desk IT service management software, including authentication bypass and remote code execution flaws. The patched issues allow unauthenticated attackers to bypass login protections and execute commands remotely through low-complexity attacks. Researchers from watchTowr and Horizon3.ai identified vulnerabilities, including insecure deserialization flaws and hardcoded credentials that could expose administrative functions. SolarWinds confirmed the issues are resolved in Web Help Desk version 2026.1 and urged administrators to apply updates immediately. The company warned that Web Help Desk flaws have been repeatedly exploited in past attacks, including vulnerabilities previously added to CISA’s catalog of known exploited bugs. Web Help Desk is widely deployed across enterprises, healthcare, education, and government environments, increasing the potential impact of unpatched systems. Read more.

AI deepfake calls target crypto users

A sophisticated phishing campaign is targeting cryptocurrency holders using AI-generated deepfake video calls that impersonate trusted contacts. The attack begins on Telegram, where victims receive video call requests from compromised accounts that appear legitimate. During Zoom or Microsoft Teams calls, attackers present realistic deepfake videos of known individuals to establish trust. Victims are then told there is an audio issue and instructed to install a fake plugin or update. Bitcoin News analysts said this software grants attackers full system access, enabling them to steal Bitcoin wallets, credentials, and Telegram accounts. The campaign even nearly compromised Bitcoin treasury strategist Ed Juline by impersonating BTC Prague co-founder Martin Kuchař. Researchers warned that the attack spreads rapidly as hijacked accounts are reused to target new victims. Read more.

HaxorSEO SEO poisoning marketplace uncovered

Security researchers have uncovered a large-scale SEO poisoning operation that allows threat actors to push malicious pages higher in search rankings by abusing compromised legitimate websites. Fortra’s Intelligence and Research Experts found the HaxorSEO marketplace operating through Telegram and WhatsApp, offering access to more than 1,000 backlinks hosted on trusted domains that are often 15 to 20 years old. Once purchased, the service injects malicious links through webshell access, helping phishing and malware pages appear more legitimate to search engines. In some cases, fake banking login pages ranked higher than the real sites they impersonated. The low cost of just six dollars per backlink enables attacks at scale, while also degrading the SEO standing of legitimate pages. “Users are advised to be wary of URLs that they access via search engines, especially banking login pages. A best practice is to bookmark sensitive login pages, like your bank login, rather than locating it via a search engine,” said Fortra. Read more.

Nonprofit challenges TSA ICE travel data sharing

A government watchdog nonprofit is suing the federal government for records related to a data-sharing agreement between the Transportation Security Administration (TSA) and Immigration and Customs Enforcement (ICE) that allowed domestic flight data to be used for immigration enforcement. American Oversight filed the lawsuit after TSA and ICE allegedly failed to respond to Freedom of Information Act requests seeking details about what passenger information was shared and whether U.S. citizens were affected. The suit follows congressional testimony from acting TSA Administrator Ha Nguyen McNeill, who said the data transfers were fully authorized within the Department of Homeland Security. Reports indicate TSA shared passenger names and birth dates with ICE multiple times per week. The program was reportedly linked to the wrongful deportation of a 19-year-old college student in 2025, intensifying scrutiny over TSA’s role in immigration enforcement. Read more.

Lazarus Group uses fake fonts to target developers

North Korea’s Lazarus Group has launched a supply chain attack dubbed Fake Font that targets software developers through fraudulent job interviews and malicious GitHub repositories. The campaign begins on LinkedIn, where fake recruiters posing as crypto or fintech hiring managers send coding assessments tied to realistic-looking repositories. These projects include standard React and Node.js structures, documentation, and CI/CD files, making them appear legitimate. Each repository contains a VS Code task that runs automatically when the folder is opened. The task runs JavaScript malware disguised as .woff2 font files, triggering a multi-stage infection chain. The final payload deploys the InvisibleFerret Python backdoor, which steals browser credentials and cryptocurrency wallets and maintains persistent access. Read more.
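Both artifacts described above, a VS Code task configured to run when the folder is opened and a script carrying a font extension, can be checked before a repository is ever opened in an editor. The Python below is an added example, not code from the original post or from any vendor named in it; it reads `.vscode/tasks.json` for tasks whose `runOptions.runOn` is `folderOpen` (a real VS Code setting) and checks that every `.woff`/`.woff2` file starts with the `wOFF`/`wOF2` magic bytes a genuine font has. The repository layout, file names and sample files in `build_sample_repo` are constructed for the demonstration.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Magic bytes at offset 0 of genuine WOFF and WOFF2 font files.
WOFF_MAGIC = b"wOFF"
WOFF2_MAGIC = b"wOF2"
FONT_MAGIC = {".woff": WOFF_MAGIC, ".woff2": WOFF2_MAGIC}


def find_auto_run_tasks(repo: Path) -> list[dict]:
    """Report tasks in .vscode/tasks.json that VS Code would run on folder open."""
    findings: list[dict] = []
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return findings
    rel = str(tasks_file.relative_to(repo))
    raw = tasks_file.read_text(encoding="utf-8", errors="replace")
    # tasks.json is JSON-with-comments; drop full-line // comments before parsing.
    cleaned = "\n".join(ln for ln in raw.splitlines() if not ln.lstrip().startswith("//"))
    try:
        data = json.loads(cleaned)
    except json.JSONDecodeError:
        # A tasks file the scanner cannot read is itself worth a look.
        findings.append({"kind": "unparseable_tasks", "path": rel, "detail": "review manually"})
        return findings
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append({
                "kind": "auto_run_task",
                "path": rel,
                "detail": f"{task.get('label', '?')}: {task.get('command', '')}",
            })
    return findings


def find_fake_fonts(repo: Path) -> list[dict]:
    """Report .woff/.woff2 files whose header is not a WOFF/WOFF2 signature."""
    findings: list[dict] = []
    for path in repo.rglob("*"):
        expected = FONT_MAGIC.get(path.suffix.lower())
        if expected is None or not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4)
        if head != expected:
            findings.append({
                "kind": "fake_font",
                "path": str(path.relative_to(repo)),
                "detail": f"expected {expected!r}, found {head!r}",
            })
    return findings


def scan_repo(repo: Path) -> list[dict]:
    """Run both checks over a checked-out repository directory."""
    return find_auto_run_tasks(repo) + find_fake_fonts(repo)


def build_sample_repo(root: Path) -> None:
    """Constructed sample: one benign task, one auto-run task, one real and one fake font."""
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "preload", "type": "shell",
             "command": "node assets/fonts/inter.woff2",      # hypothetical, constructed
             "runOptions": {"runOn": "folderOpen"}},
        ],
    }))
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "roboto.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 28)   # valid header only
    (fonts / "inter.woff2").write_bytes(b"// not a font\nconsole.log('x');\n")  # script in disguise


def demo() -> list[dict]:
    """Build the constructed sample in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:16} {finding['path']}: {finding['detail']}")
```

Running the module prints one `auto_run_task` finding for the `preload` task and one `fake_font` finding for `inter.woff2`; the genuine `roboto.woff2` header passes. The check is deliberately cheap (four bytes per file, one JSON parse) so it can sit in a pre-clone hook or a CI step that gates untrusted assessment repositories before anyone opens them in an editor with automatic tasks enabled.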


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
