Cybersecurity News: Sandbox flaw exposes n8n instances, Fake Moltbot assistant drops malware, PeckBirdy takes flight for cross-platform attacks

In today’s cybersecurity news…

Sandbox flaw exposes n8n instances

JFrog researchers disclosed two sandbox escape vulnerabilities in the n8n workflow automation platform that can lead to full remote code execution on self-hosted instances. One bug, rated critical at 9.9, allows authenticated non-admin users to escape the JavaScript sandbox and gain host-level control; the other enables similar RCE via Python subprocesses. The flaws are patched in recent n8n releases and cloud-hosted n8n is not affected, but JFrog warns that slow patching leaves tens of thousands of exposed instances at risk. (BleepingComputer)

Fake Moltbot assistant drops malware

Security researchers flagged a fake “ClawdBot Agent” AI coding assistant on Microsoft’s VS Code Marketplace that secretly installs malware, giving attackers persistent remote access via a bundled ScreenConnect client. The extension exploited Moltbot’s popularity despite the project having no official VS Code plugin, using multiple fallback methods to deliver payloads even if infrastructure went offline. The report also highlights broader Moltbot security risks, including exposed unauthenticated instances leaking API keys and credentials. (The Hacker News)

PeckBirdy takes flight for cross-platform attacks

Trend Micro reports that China-aligned threat actors have used a cross-platform JScript-based command-and-control framework dubbed PeckBirdy since at least 2023 to run cyber-espionage campaigns. In two separate operations, attackers targeted Chinese gambling websites and Asian government entities, using PeckBirdy alongside new modular backdoors, MKDoor and HoloDonut, to deliver fake software updates, harvest credentials, and enable lateral movement while evading endpoint defenses. The framework’s use of JavaScript and living-off-the-land binaries makes detection difficult and points to ongoing, state-linked espionage activity. (Dark Reading)

Autonomous system uncovers OpenSSL flaws

A January update fixed 12 previously unknown OpenSSL vulnerabilities, some dating back to 1998, uncovered by autonomous analysis from AISLE. The flaws spanned more than eight subsystems and included one high-severity bug that could enable remote code execution under specific conditions, alongside moderate and low-severity issues. OpenSSL maintainers credited AISLE’s disclosures and said the findings highlight how automated analysis can surface long-standing issues in heavily audited codebases. (Infosecurity Magazine)

Huge thanks to our sponsor, Conveyor

Another security questionnaire hits your desk.

Ever wish it could magically disappear? You already have the answers that customers should self-serve, but they can’t find the info in your Trust Center.

That’s why Conveyor built the first truly agentic Trust Center.

An AI Agent lives inside it, answering customer questions, sharing documents, and even completing full questionnaires instantly.

Customers get what they need fast. It’s magical, touchless, and extremely accurate.

Join teams at Atlassian, Zapier, and more at conveyor.com.

Teen swatting suspects arrested

Hungarian and Romanian police arrested four suspects, including teenagers, over coordinated swatting and doxxing campaigns that triggered repeated bomb threats and false emergency calls across Hungary. Authorities say the group used Discord to collect victims’ personal information, then placed fake threats in their names, prompting large police responses. A 17-year-old Romanian national faces terrorism-related and false reporting charges, while investigations continue into the roles of the other suspects. (The Record)

FBI seizes RAMP

The FBI has seized the RAMP cybercrime forum, a major marketplace used by ransomware gangs to advertise malware and hacking services and to recruit affiliates. Both its Tor and clearnet domains now show an FBI seizure notice, potentially giving law enforcement access to user data including messages, emails, and IP addresses. RAMP launched in 2021 as one of the few forums still allowing ransomware promotion and was linked to Babuk ransomware operator Mikhail Matveev, who was indicted by the DOJ in 2023. (BleepingComputer)

ELECTRUM tied to Polish cyberattack

Dragos says a coordinated cyberattack on Poland’s power grid in December is tied, with medium confidence, to the Russian state-linked hacking group ELECTRUM. The attack targeted communications and control systems connecting grid operators to distributed energy resources, including wind, solar, and combined heat and power facilities, disrupting operations at around 30 sites and permanently disabling some OT equipment, though no power outages were reported. Dragos says the incident shows a division of labor between ELECTRUM and a related access-focused cluster, KAMACITE. (The Hacker News)

Empire owner pleads guilty to drug conspiracy

A Virginia man who co-created the dark web marketplace Empire Market has pleaded guilty to a federal drug conspiracy tied to more than $430 million in illegal transactions between 2018 and 2020. Prosecutors say Empire Market, an AlphaBay-style platform with more than 1.6 million users, facilitated roughly $375 million in drug sales, with operators using cryptocurrency to launder proceeds and evade law enforcement. Authorities have seized about $75 million in crypto, and the defendant now faces a mandatory minimum of 10 years in prison. (BleepingComputer)