Today’s roundup
Ni8mare flaw gives unauthenticated control of n8n instances
U.S. CISA adds HPE OneView and Microsoft Office PowerPoint flaws to its Known Exploited Vulnerabilities catalog
Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances
China-linked groups intensify attacks on Taiwan’s critical infrastructure, NSB warns
Misconfigured email routing enables internal-spoofed phishing
Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches
New GoBruteforcer attack wave targets crypto, blockchain projects
Microsoft to enforce MFA for Microsoft 365 admin center sign-ins
Illinois state agency exposed personal data of 700,000 people
Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages
Summary
A critical vulnerability, CVE-2026-21858 (CVSS 10.0), dubbed "Ni8mare," has been found in the n8n workflow automation platform. This flaw allows remote, unauthenticated attackers to achieve full server compromise, including arbitrary file reading and escalation to remote code execution. The issue was patched in n8n version 1.121.0 in November 2025.
CISA has added CVE-2025-37164 in HPE OneView (CVSS 10.0) and CVE-2009-0556 in Microsoft Office PowerPoint to its KEV catalog due to active exploitation. The HPE flaw enables remote unauthenticated code execution, while the PowerPoint flaw is a memory corruption vulnerability. Federal agencies must patch these by January 28, 2026.
Researchers revealed eleven critical-severity flaws in Coolify, an open-source, self-hosting platform. These vulnerabilities, including CVE-2025-66209 (CVSS 10.0), could lead to authentication bypass and remote code execution, enabling full server compromise on affected instances.
Taiwan's National Security Bureau (NSB) reported a tenfold increase in cyberattacks against its energy sector in 2025, with overall incidents up 6% across nine critical sectors. China-linked groups like BlackTech and APT41 used vulnerability exploitation, DDoS, social engineering, and supply-chain attacks, correlating with political and military actions.
Microsoft warns that threat actors are exploiting complex email routing and misconfigured spoof protections to conduct phishing campaigns. These attacks deliver emails appearing internal, leveraging PhaaS platforms like Tycoon2FA to steal credentials and facilitate financial scams. Strict DMARC reject and SPF hard-fail policies are advised.
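As an added example (not code from Microsoft or from the article summarised above), the following Python audit checks the two DNS records that advice concerns: it flags an SPF record whose terminal `all` mechanism is `~all` (soft fail) instead of `-all` (hard fail), and a DMARC record whose `p=` tag is not `reject`. The record strings are constructed samples for `example.com`, not real DNS data; look them up with your resolver of choice before feeding them in.

```python
# Audit SPF and DMARC TXT records for the weak settings that let
# spoofed "internal" mail through. Sample records are constructed.
import re

def spf_all_qualifier(record):
    """Qualifier of the terminal 'all' mechanism ('-', '~', '?', '+'),
    or None if the record is not SPF or has no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all'
    return None

def dmarc_tags(record):
    """Parse 'tag=value; tag=value' into a dict; {} if not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def audit(spf_record, dmarc_record):
    """List of findings; empty means SPF hard-fail and DMARC reject."""
    findings = []
    q = spf_all_qualifier(spf_record)
    if q is None:
        findings.append("SPF: missing record or no 'all' mechanism")
    elif q != "-":
        findings.append(f"SPF: '{q}all' does not hard-fail unauthorised senders")
    tags = dmarc_tags(dmarc_record)
    if not tags:
        findings.append("DMARC: missing or malformed record")
    else:
        p = tags.get("p", "none").lower()   # p is mandatory; treat absence as none
        if p != "reject":
            findings.append(f"DMARC: p={p} is not reject")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies policy to only part of mail")
        sp = tags.get("sp", "").lower()
        if sp and sp != "reject":
            findings.append(f"DMARC: sp={sp} leaves subdomains weaker")
    return findings

WEAK_SPF = "v=spf1 include:_spf.example.net ~all"          # constructed
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(name, audit(spf, dmarc) or ["OK"])
```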
The Black Cat cybercrime group is running an SEO poisoning campaign, using fake software download sites to trick users into downloading a backdoor. This malware is designed to steal sensitive data from victims.
A new wave of GoBruteforcer botnet attacks is targeting databases of cryptocurrency and blockchain projects. These attacks primarily target servers exposed to the internet, some of which may have been configured by following AI-generated examples.
Microsoft will enforce multi-factor authentication (MFA) for all users accessing the Microsoft 365 admin center starting next month, enhancing security for administrative access to critical M365 environments.
The Illinois Department of Human Services inadvertently exposed personal information for over 700,000 residents. The data was publicly accessible on the internet for up to four years before being secured in September.
Researchers found three malicious npm packages—"bitcoin-main-lib," "bitcoin-lib-js," and "bip40"—delivering the new NodeCordRAT malware. These packages, uploaded by "wenmoonx" and since removed, exploited Bitcoin themes.