Svoboda Cybersecurity Brief January 21, 2026
Critical ACME Vulnerability in Cloudflare Exposes Origin Servers
A flaw in Cloudflare’s ACME validation logic allowed attackers to bypass WAF protections and access origin servers. The vulnerability involved mishandling of HTTP-01 challenge paths, enabling unauthorized requests to reach backend systems. No evidence of exploitation was found.
Impact: Potential exposure of sensitive data on origin servers via WAF bypass.
Mitigation: Cloudflare patched the issue by enforcing stricter path validation for ACME challenges.
Source: The Hacker News
APT-Grade PDFSider Malware Adopted by Ransomware Groups
PDFSider, a sophisticated malware using DLL sideloading via PDF24 Creator, delivers a backdoor with RCE and data exfiltration capabilities. Observed in attacks against Fortune 100 firms and ransomware operations, it evades detection via multi-stage environment checks.
Impact: Persistent access, data theft, and ransomware deployment risks.
Mitigation: Monitor DLL sideloading and restrict execution of unsigned binaries.
Source: SecurityWeek
North Korea Targets Developers with Malicious VS Code Projects
State-aligned actors used malicious GitHub repositories with weaponized VS Code tasks to deploy BeaverTail and InvisibleFerret backdoors. Attacks leverage job recruitment lures to compromise developers’ systems.
Impact: Credential theft and persistent access to high-value developer environments.
Mitigation: Audit VS Code task configurations and enforce repository trust controls.
Source: The Hacker News
SK Telecom Fights $91M Fine Over 23M User Data Breach
South Korea’s largest telecom is contesting a record fine for a USIM data leak affecting its entire customer base. The breach, disclosed late, prompted free SIM replacements and regulatory scrutiny.
Source: DataBreaches.net
Evelyn Stealer Malware Abuses VS Code Extensions
A new stealer targets developers via malicious VS Code extensions (e.g., “BigBlack” themes), exfiltrating credentials, crypto wallets, and browser data. It uses DLL sideloading and evades detection with headless browser flags.
Impact: Theft of sensitive developer and financial data.
Mitigation: Vet third-party extensions and monitor for unusual process injections.
Source: The Hacker News
EU Proposes Sweeping Cybersecurity Overhaul Targeting High-Risk Vendors
New legislation mandates removal of “high-risk” telecom suppliers (e.g., Huawei, ZTE) from critical infrastructure within 3 years. Includes stricter ENISA oversight and supply chain certifications.
Source: BleepingComputer
AI-Generated VoidLink Malware Framework Developed in One Week
VoidLink, a cloud-focused Linux malware, was created by a solo developer using AI (TRAE IDE). Exposed files revealed the project reached 88k lines of functional code in 7 days via Spec-Driven Development.
Source: BleepingComputer
UK MoD Afghan Data Breach Cover-Up Criticized
Former Defense Secretary Ben Wallace condemned using a gag order to hide a breach exposing Afghan interpreters’ details. The leak occurred via an emailed spreadsheet, endangering lives.
Source: DataBreaches.net
Healthcare Breaches Double in 2025, But Fewer Records Exposed
Ransomware and third-party compromises drove a 100% increase in incidents, yet affected records dropped significantly, per Fortified Health Security. Focus shifts to operational resilience over pure data protection.
Source: DataBreaches.net
Chainlit Vulnerabilities Expose AI App Secrets
CVE-2026-22218 and CVE-2026-22219 in Chainlit (Python AI framework) allow file reads and cloud metadata access, risking API keys and auth tokens. Affects pre-2.9.4 versions.
Impact: Unauthorized access to sensitive cloud and application data.
Mitigation: Update to Chainlit 2.9.4+.
Source: SecurityWeek
Gemini AI Exploited to Leak Calendar Data via Malicious Events
Attackers used prompt injection in Google Calendar event descriptions to trick Gemini into summarizing private meetings and leaking them via new events.
Impact: Unauthorized access to confidential scheduling data.
Mitigation: Google has patched the issue; restrict event editing permissions.
Source: BleepingComputer
$700M Crypto Theft Linked to Stolen Luxury Retail Data
Hackers cross-referenced breached Kering (Gucci/Balenciaga) customer spend data with other leaks to target high-net-worth Coinbase users. One attacker claimed $300k investment yielded $1.5M in stolen crypto.
Source: DataBreaches.net
WordPress ACF Plugin Bug Grants Admin Access
CVE-2025-14533 in ACF Extended (50k+ installs) lets unauthenticated attackers escalate to admin by abusing role fields in user forms. Fixed in v0.9.2.2.
Impact: Full site compromise via privilege escalation.
Mitigation: Update ACF Extended immediately.
Source: BleepingComputer
Anthropic MCP Git Server Flaws Allow Code Execution
CVE-2025-68143, CVE-2025-68144 and CVE-2025-68145 in Anthropic’s mcp-server-git enabled path traversal and argument injection via malicious Git commands. Fixed in 2025.12.18.
Impact: Arbitrary file access and potential RCE via prompt injection.
Mitigation: Update to patched versions and validate Git inputs.
Source: The Hacker News
LinkedIn Phishing Delivers RAT via DLL Sideloading
Attackers impersonate recruiters to distribute WinRAR SFX archives containing a sideloaded malicious DLL masquerading as a PDF reader. Drops Python-based RAT with persistence via Registry Run keys.
Impact: Persistent remote access and data exfiltration.
Mitigation: Block untrusted SFX archives and monitor DLL load events.
Source: The Hacker News
Over 42k Exposed Secrets Found in JavaScript Bundles
Intruder’s scan of 5M apps revealed hardcoded API keys (e.g., GitLab, Linear) in frontend JS. Traditional scanners miss these due to lack of SPA spidering.
Impact: Unauthorized access to internal systems and data.
Mitigation: Implement SPA-focused secrets scanning and shift-left controls.
Source: The Hacker News
Cambodian Scam Hub Tudou Processes $12B Before Shutdown
The Telegram-based marketplace for stolen data and fraud tools halted operations after the arrest of Chen Zhi, the CEO linked to it. The case highlighted rampant crypto-fueled “pig butchering” scams.
Source: The Hacker News