Daily Recap: a wave of critical flaws, including n8n CVE-2026-1470/0863 enabling authenticated remote code execution (patched across multiple n8n builds), alongside KEV catalog additions (Microsoft Office CVE-2026-21509, GNU InetUtils, SmarterMail, Linux kernel), highlights widespread risk across software, networks and OT. In parallel, state-backed and criminal groups continue weaponizing legacy flaws (WinRAR CVE-2025-8088 with UNC4895/RomCom, APT44, Turla), LLM/MCP abuses (Operation Bizarre Bazaar), C2 abuse (Sheet Attack), exposed AI tools (Bondu Panel, ChatGPT) and infrastructure attacks (IPIDEA takedown, Poland grid disruption), underscoring the need for resilient, AI-assisted defenses. #n8n #OperationBizarreBazaar
Vulnerabilities & Exploits
- A pair of critical n8n eval-injection flaws (CVE-2026-1470, CVE-2026-0863) could allow authenticated remote code execution and full instance takeover, with patches released in multiple n8n builds – n8n RCE, n8n RCE
- Multiple actively exploited flaws, including a Microsoft Office bypass (CVE-2026-21509), a GNU InetUtils telnetd root bug, SmarterMail RCEs and a Linux kernel integer overflow, were added to CISA's KEV catalog with a remediation deadline of Feb 16, 2026 – KEV Additions
- The six-month-old CVE-2025-8088 WinRAR path-traversal bug continues to be weaponized by state-linked and criminal groups (UNC4895/RomCom, APT44, Turla) to drop payloads such as NESTPACKER/Snipbot, STOCKSTAY and POISONIVY via Alternate Data Streams – WinRAR Abuse
AI, LLMs & Cloud Abuse
- A large-scale LLMjacking operation dubbed Operation Bizarre Bazaar scans and hijacks exposed LLM/MCP endpoints to resell API access, exfiltrate data and monetize compute (over 35,000 observed sessions; targets include Ollama and OpenAI-compatible endpoints) – LLM Hijack
- A Pakistan-linked campaign called "Sheet Attack" abuses Google Sheets as a C2 channel to target Indian government entities using tools such as SHEETCREEP, showing AI-assisted malware development and blending with legitimate cloud services – Sheet Attack
- An exposed Bondu AI toy admin panel leaked tens of thousands of children's transcripts and personal data via an IDOR/auth bypass, prompting takedown and investigation – Bondu Panel
- The acting CISA director triggered alerts by uploading sensitive contracting files into public ChatGPT, prompting a DHS damage assessment and scrutiny of public AI tool use in government – CISA ChatGPT
Networks & Botnets
- Google disrupted and dismantled the global IPIDEA residential proxy network, which covertly enrolled millions of consumer devices via SDKs, seizing control domains and degrading proxy operations used for espionage and cybercrime – IPIDEA Takedown, IPIDEA Takedown
Incidents & Data Leaks
- A new wave of breaches hit consumer platforms including Bumble, Panera, Match Group and Crunchbase, with limited data exposure reported and the group ShinyHunters claiming responsibility via vishing and extortion tactics – Platform Attacks
- Hudson Rock recovered internal operational documents exfiltrated from a Gaza Strip machine by an infostealer, revealing plans and OPSEC requests tied to the Breaking Dawn operation – Gaza Infostealer
- An independent report finds EU data-breach notifications rose 22% year-on-year to an average of 443 notifications/day and GDPR fines reached about €1.2 billion in 2025, warning that proposed rules (Digital Omnibus, NIS2, DORA) could reshape incident-notification thresholds and enforcement – EU Breaches
Malware, Initial Access & Mobile Threats
- Initial access broker TA584 is using aged compromised accounts and geofenced redirect chains to deploy PowerShell loaders that load Tsundere Bot (Node.js MaaS retrieving C2 via Ethereum) and XWorm, likely enabling ransomware follow-ons – Tsundere Bot
- An Android romance-scam campaign called GhostChat lured victims (notably in Pakistan) into installing spyware disguised as chat apps, enabling silent surveillance and exfiltration tied to ClickFix social engineering and WhatsApp QR linking – GhostChat Spyware
- Malicious Chrome extensions were shown to be capable of spying on users' ChatGPT chats, highlighting extension risk to AI interaction privacy – Chrome Spy Extensions
Critical Infrastructure & OT
- A coordinated cyberattack on Poland's grid impacted around 12 to 30 distributed energy sites (CHP, wind, solar), damaged OT equipment and wiped Windows systems but failed to cut power (~1.2 GW / 5% of supply); Dragos attributes the campaign with moderate confidence to the Russian-linked Electrum using wipers such as DynoWiper, CaddyWiper and Industroyer2 – Poland Grid
- A survey of 100+ energy systems reveals pervasive critical OT cybersecurity gaps across the sector, underscoring risks to distributed energy and industrial control environments – OT Survey
Policy, Industry & Strategy
- SecurityWeek's Cyber Insights 2026 frames Zero Trust as an ongoing identity-first journey complicated by AI, non-human identities, OT/IT convergence and regulation, urging continuous verification and microsegmentation – Zero Trust
- PwC and Google Cloud struck a $400 million, three-year deal to build AI-powered security operations that integrate Google threat intelligence with PwC managed services for hybrid and multi-cloud defense – PwC Google
- Guidance and decision pieces for CISOs outline three priority choices to reduce downtime risk in 2026, emphasizing resilience, identity controls and measured automation adoption – CISO Decisions
- Analysis comparing the background activities of the GoTo Resolve tool to common ransomware tactics highlights telemetry and governance gaps enterprises should assess – GoTo Resolve