San Mateo, CA, January 19, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Attackers exploit critical WordPress plugin to gain admin access
A maximum-severity vulnerability in a WordPress plugin called Modular DS is being actively exploited in the wild, according to Patchstack. Tracked as CVE-2026-23550 with a CVSS score of 10.0, the flaw allows unauthenticated privilege escalation in all versions up to 2.5.1 and has been fixed in version 2.5.2. The plugin, which has more than 40,000 active installs, contains a routing weakness that lets attackers bypass authentication by abusing a permissive direct-request mode. By setting specific URL parameters, attackers can reach sensitive routes, including login and server-management endpoints, and are automatically authenticated as an administrator once a site is connected to Modular. Patchstack says exploitation was first observed on January 13, 2026, with attackers issuing login requests and attempting to create new admin users. Successful exploitation can lead to full site compromise, malware deployment, or user redirection, prompting urgent calls to update immediately.
Ransomware gangs drop encryption in favor of data extortion
Cybercriminal groups are increasingly abandoning encryption in favor of data-theft extortion, according to new research from Symantec and Carbon Black. While traditional ransomware activity remained essentially flat in 2025, with 4,737 incidents reported, encryptionless extortion attacks surged to nearly 1,500 cases, up from just 28 in 2024. These campaigns rely on stealing sensitive data and threatening public leaks rather than locking systems. Threat group ShinyHunters exploited Salesforce environments at firms including Allianz, Qantas, and Google, while Scattered Spider also adopted extortion-only tactics. Symantec warns that organizations must strengthen patching, credentials, MFA, and third-party risk management, saying that this “broadening of potential attack types presents new challenges for enterprises that not only have to maintain a robust security posture on their own networks but now also must put greater focus on the security of their software supply chain.”
Fast Pair Bluetooth flaw enables device hijacking
Security researchers have uncovered a critical flaw in Google’s Fast Pair protocol that allows attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on conversations. Tracked as CVE-2025-36911 and dubbed WhisperPair, the vulnerability affects hundreds of millions of headphones, earbuds, and speakers from major brands because it resides in the accessories themselves, not in smartphones, placing Android and iPhone users equally at risk. Researchers from KU Leuven found that many vendors failed to enforce a core Fast Pair requirement: ignore pairing requests when the accessory is not in pairing mode. As a result, attackers can force pairing from up to 14 meters away using common Bluetooth-capable devices, gaining complete control over audio playback and microphones. The flaw can also enable covert location tracking through Google’s Find Hub network. Google awarded a $15,000 bounty and coordinated patches, but updates may not yet be available for all devices, leaving firmware updates as the only effective defense.
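The missing check described above, modelled as an added example (not code from the researchers, Google, or any vendor firmware): a simulated accessory that accepts a key-based pairing request at any time, beside the corrected policy that honours the anti-spoofing-key path only inside a user-initiated pairing window. The pairing window length, field names, and the account-key path (taken from the public specification's subsequent-pairing flow, not from the article) are assumptions.

```python
"""Simulated Fast Pair provider (accessory) pairing-request policy.

WhisperPair reports that many accessories skipped the requirement to ignore
pairing requests outside pairing mode. Everything here is constructed for
illustration: the window length, the request fields and the account-key
path are assumptions, not vendor code or the specification's exact wording.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

PAIRING_WINDOW_S = 60.0  # assumed length of the button-triggered pairing window


@dataclass
class PairingRequest:
    uses_antispoof_key: bool       # encrypted with the accessory's public key
    account_key: Optional[bytes]   # or encrypted with a previously stored key
    received_at: float             # seconds, accessory clock


@dataclass
class Provider:
    account_keys: Set[bytes] = field(default_factory=set)
    pairing_mode_until: float = 0.0  # 0 means not in pairing mode

    def enter_pairing_mode(self, now: float) -> None:
        """User pressed the pairing button; open a bounded window."""
        self.pairing_mode_until = now + PAIRING_WINDOW_S

    def in_pairing_mode(self, now: float) -> bool:
        return now < self.pairing_mode_until


def accept_vulnerable(p: Provider, r: PairingRequest) -> bool:
    # Defective behaviour: the anti-spoofing-key path is honoured whenever a
    # request arrives, so an in-use accessory can be paired by any nearby seeker.
    if r.uses_antispoof_key:
        return True
    return r.account_key is not None and r.account_key in p.account_keys


def accept_hardened(p: Provider, r: PairingRequest) -> bool:
    # Correct behaviour: the anti-spoofing-key path only works inside the
    # user-initiated pairing window; outside it, only a known account key
    # (a phone that already paired before) is accepted.
    if r.uses_antispoof_key and p.in_pairing_mode(r.received_at):
        return True
    return r.account_key is not None and r.account_key in p.account_keys
```

Running both policies over the same idle-time request shows the difference: the vulnerable accessory pairs, the hardened one ignores it until the user opens the window.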
MonetaStealer targets macOS users
MonetaStealer is a new information stealer targeting macOS users through deceptive portfolio files and social engineering. Researchers at Iru discovered the threat on January 6, 2026 after finding a Mach-O binary disguised as a Windows executable named Portfolio_Review.exe. The malware runs on Apple systems, stealing browser passwords, cryptocurrency wallets, Wi-Fi credentials, SSH keys, and financial documents. Analysts say much of its code appears to have been generated by machine-learning tools, suggesting early development, yet it showed zero detections on VirusTotal. The payload, a PyInstaller-bundled Python file, hides its logic inside a compressed archive and displays a “PROFESSIONAL MACOS STEALER v2.0” banner. It targets Google Chrome data, triggers Keychain prompts, filters cookies for banking and crypto terms, and exfiltrates data via Telegram bot infrastructure.
Crypto fraud hits record highs
Cryptocurrency-related fraud reached new highs last year as AI and increasingly organized criminal networks accelerated the scale and effectiveness of scams, according to Chainalysis. The blockchain analytics firm estimates that at least $14 billion flowed to criminals in 2025, already surpassing the previous record and likely rising to $17 billion as more illicit wallets are identified. Average scam payments jumped 253% year over year, while impersonation schemes saw both volume and value explode. Chainalysis says scams linked to AI tools generate more than four times the revenue of those without, enabling fraudsters to target more victims simultaneously and craft more persuasive lures. The report also highlights the growing industrialization of fraud across Southeast Asia, with specialized roles spanning phishing developers, data brokers, spammers, and money-laundering networks, despite notable law enforcement successes and major seizures.
Microsoft patches 114 flaws after exploited Windows bug
Microsoft has released its first security updates of 2026, fixing 114 vulnerabilities across Windows and related components, including one flaw confirmed as actively exploited in the wild. Eight issues are rated Critical, with the majority tied to privilege escalation, information disclosure, and remote code execution. The exploited vulnerability, CVE-2026-20805, affects the Desktop Window Manager and allows local attackers to leak user-mode memory addresses, potentially weakening defenses such as ASLR when chained with other bugs. Security researchers warn that this type of flaw is often used to make advanced exploits more reliable. The issue has been added to CISA’s Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3, 2026. Microsoft also addressed Secure Boot certificate risks and removed vulnerable legacy modem drivers, underscoring the importance of prompt patching across enterprise environments.
Magecart campaign skimmed payment data for years
Cybersecurity researchers have uncovered a large-scale web-skimming campaign active since January 2022, targeting payment ecosystems linked to American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. According to Silent Push, the operation primarily affects enterprise organizations that rely on these payment providers, using Magecart-style client-side attacks to inject malicious JavaScript into compromised checkout pages. The campaign was traced to a domain hosting heavily obfuscated skimmer code designed to evade detection, including logic that self-destructs when a WordPress administrator is logged in. The skimmer also impersonates Stripe payment forms, tricking victims into entering card data that is quietly exfiltrated along with personal information such as names, email addresses, phone numbers, and shipping details. Once finished, the malware removes itself to avoid detection, highlighting a highly polished, persistent threat model.
Fortinet discloses critical RCE flaw
Fortinet has disclosed a critical heap-based buffer overflow vulnerability in the cw_acd daemon affecting FortiOS and FortiSwitchManager, allowing remote, unauthenticated attackers to execute arbitrary code via crafted network requests. The flaw poses a heightened risk for organizations using Fortinet firewalls, SASE deployments, and switch-management platforms, particularly when fabric interfaces are exposed. Discovered internally by Fortinet’s Product Security Team, the issue has no assigned CVE yet but could enable full system compromise without authentication. Fortinet urges immediate upgrades across multiple FortiOS branches, FortiSASE releases, and FortiSwitchManager versions. Temporary mitigations include disabling fabric access on interfaces and restricting CAPWAP-CONTROL traffic to trusted sources.
Instagram denies breach after password reset surge
Instagram says it has fixed a bug that allowed attackers to mass-request password reset emails, after claims that data tied to more than 17 million accounts was scraped and leaked online. A Meta spokesperson told BleepingComputer there was no breach of internal systems and that accounts remain secure, advising users to disregard the emails. The controversy began after Malwarebytes warned customers of an alleged leak involving 17.5 million profiles posted for free on hacking forums, reportedly sourced from an unconfirmed 2024 API issue. The dataset includes usernames, IDs, emails, phone numbers, names, and some physical addresses, though many records are incomplete. Researchers on X speculate the data stems from a 2022 scraping incident.
California fines data brokers under Delete Act
California privacy regulators have recently fined two data brokers under the Delete Act for trading in or handling sensitive personal data without proper registration. The California Privacy Protection Agency penalized Rickenbacher Data LLC, operating as Datamasters, for buying and reselling data tied to millions of people in 2024 without registering in the state. Records included names, contact details, addresses, health conditions, perceived race, age, political views, and spending behavior. “Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, head of enforcement at CalPrivacy, warning that such data could be misused beyond advertising. Datamasters was fined $45,000 and ordered to stop selling California data and delete existing records. Separately, S&P Global was fined $62,600 for missing California’s annual registration deadline.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
