In today’s cybersecurity news…
Instagram denies breach post-data leak
Instagram has weighed in on what it says is a bug, not a breach, that let attackers mass-trigger password reset emails after cybercriminals claimed data from more than 17 million accounts was scraped and leaked. The dataset being shared includes varying combinations of usernames, emails, phone numbers, names, and addresses, but no passwords. Researchers suggest it may compile older scraped data rather than stem from a new API leak. Instagram parent company Meta says it’s unaware of any past API incidents, but users are advised to watch for phishing and enable 2FA. (BleepingComputer)
Sweden detains consultant suspected of spying
Swedish authorities detained a 33-year-old former IT consultant for the country’s Armed Forces on suspicion of spying for Russian intelligence. Prosecutors say the activity occurred through 2025 and into the New Year and may date back to 2022. The suspect previously worked with the military via an IT services firm and is listed as heading a cybersecurity company focused on offensive operations with no recorded turnover. The case involves Sweden’s Justice Ministry and comes amid a broader European crackdown on alleged Russian intelligence activity. (The Record)
n8n supply chain attack steals OAuth tokens
Threat actors uploaded eight malicious npm packages posing as n8n workflow integrations to steal OAuth tokens and other credentials. Security firm Endor Labs says the campaign targeted n8n’s community nodes, which act as centralized credential vaults for services like Google Ads, Stripe and Salesforce. Once installed, the fake integrations captured OAuth tokens and exfiltrated them to attacker servers. n8n warned that community nodes run without sandboxing and can read environment variables, access files and receive decrypted credentials, urging developers to audit packages or disable community nodes. (The Hacker News)
Block CISO red-teams AI agent to run an infostealer on an employee laptop
Block CISO James Nettesheim told The Register the company is treating AI security like self-driving safety, arguing agents must be “safer and better than humans.” Block’s Goose agent is used by almost all 12,000 staff and connects to internal systems. In internal red-teaming, Block successfully used prompt injection hidden in Unicode to poison a workflow recipe, leading a developer to execute an infostealer on a laptop. Block has since added recipe warnings, Unicode detection, and is testing adversarial AI to evaluate prompts and outputs before execution. (The Register)
Huge thanks to our sponsor, ThreatLocker
University of Hawaii Cancer Center hit by ransomware attack
The University of Hawaii says a ransomware attack on its Cancer Center in August encrypted systems tied to a single research project and led to the theft of study files, including 1990s-era documents containing Social Security numbers. UH paid for a decryptor and for the purported deletion of stolen data, and is still notifying affected participants once contact info is confirmed. Operations and care weren’t disrupted. UH has since replaced compromised systems, reset credentials, added endpoint protection, and conducted third-party audits. (BleepingComputer)
Separate campaigns target exposed LLM services
Researchers from GreyNoise observed nearly 100,000 probes against exposed LLM services between October 2025 and January 2026, split across two campaigns. The first appeared to be grey-hat researchers exploiting SSRF for outbound callbacks. The second generated more than 80,000 sessions in 11 days from two IPs that methodically mapped 73-plus OpenAI-compatible and Gemini-style endpoints across major model families. GreyNoise says the activity indicates growing interest in fingerprinting enterprise AI deployments to enable future attacks and recommends blocking OAST domains, watching for enumeration patterns, tightening egress, and monitoring JA4 fingerprints. (Dark Reading)
Endesa discloses data breach
Endesa, Spain’s largest electric utility, disclosed that hackers accessed its commercial platform and pulled customer contract data. The company says exposed fields include identity details, contact info, DNI numbers, contract information, and IBANs, but not passwords. Endesa notified regulators and is contacting affected users, adding that it sees no evidence of fraud but warns of phishing risks. Separately, a threat actor is advertising what they claim is 1TB of Endesa SQL data covering 20 million records, allegedly matching the breached fields. (BleepingComputer)
Dutch court sentences cocaine smuggling hacker
A Dutch appeals court sentenced a 44-year-old hacker to seven years for compromising port systems in Antwerp and Rotterdam to move cocaine shipments. Investigators say he used malware planted via USB to gain remote access to container and gate controls, enabling traffickers to import 210 kilograms of cocaine in 2020–2021. Intercepted Sky ECC messages showed him directing the intrusion and helping falsify transport paperwork. Judges cited risks to port security and also convicted him of attempted extortion. (The Record)