Critical WordPress Plugin Flaw Under Active Exploitation
A maximum-severity vulnerability in the WordPress plugin Modular DS is being actively exploited in the wild, according to security firm Patchstack. The flaw, tracked as CVE-2026-23550, carries a CVSS score of 10.0 and allows unauthenticated attackers to escalate privileges and gain administrator access due to a flawed routing mechanism. The plugin, which has more than 40,000 active installs, exposes API routes under the “/api/modular-connector/” prefix that can be bypassed when “direct request” mode is enabled. Attacks began on January 13 with hackers attempting to create admin users via HTTP GET requests to vulnerable endpoints. The issue has been patched in version 2.5.2, and users are strongly urged to update immediately.
Chinese Hackers Use Venezuela Crisis to Target US Government
A Chinese-linked cyberespionage group known as Mustang Panda has been targeting US government agencies with Venezuela-themed phishing emails following the US operation to capture Venezuelan President Nicolás Maduro. Researchers at Acronis discovered the campaign after finding a malicious zip file named “US now deciding what’s next for Venezuela” uploaded to a public malware analysis service on January 5. The archive contained a legitimate executable paired with a hidden DLL-based backdoor called LOTUSLITE, which enables remote tasking and data exfiltration. The malware was compiled just hours after the US operation began, demonstrating how quickly threat actors weaponize breaking geopolitical events. While no successful infections have been confirmed, the campaign underscores the ongoing threat from state-sponsored actors exploiting current events.
Reprompt Attack Turned Microsoft Copilot Into Silent Data Thief
Security researchers at Varonis have disclosed a now-patched attack method dubbed “Reprompt” that could allow attackers to exfiltrate sensitive data from Microsoft Copilot Personal with just a single click. The attack leveraged the ‘q’ URL parameter to inject malicious prompts into authenticated Copilot sessions, bypassing data leak protections and enabling persistent session exfiltration even after the Copilot window was closed. By chaining parameter injection with double-request and chain-request techniques, attackers could continuously query Copilot for user information such as file access history, locations, and personal details. Microsoft addressed the vulnerability in its January 2026 Patch Tuesday release. Enterprise customers using Microsoft 365 Copilot were not affected due to stronger tenant governance controls.
Keylogger Compromised Major US Bank’s Employee Store
Researchers at Sansec discovered an active keylogger on the employee merchandise store of one of America’s largest banks, potentially exposing over 200,000 employees to credential theft. The malware intercepted everything typed into the site’s forms, including login credentials, payment card numbers, and personal information. The breach is particularly concerning because bank employees often reuse corporate credentials, potentially providing attackers with footholds into internal banking systems. The malware was live for approximately 18 hours before being removed following Sansec’s disclosure. The incident highlights a dangerous blind spot in corporate security, as employee-facing e-commerce platforms frequently fall outside the scope of standard security audits despite handling sensitive credentials.
CISA’s Secure Software Tool Had XSS Vulnerability of Its Own
A CISA tool designed to help government agencies buy secure software turned out to have a cross-site scripting vulnerability of its own. Jeff Williams, former leader of OWASP and co-founder of Contrast Security, discovered the flaw in CISA’s “Software Acquisition Guide: Supplier Response Web Tool” and reported it in September 2025. The vulnerability, which was fixed in December, could have allowed attackers to inject malicious JavaScript into the web page and potentially attack other users or deface the website. Williams noted the irony, saying it was “a little hypocritical to be promoting secure software development and not do the most basic test you could possibly do.” CISA acknowledged the report, stating it followed standard coordinated disclosure processes and implemented process improvements for future vulnerability reports.
