This report analyzes the cybersecurity threat landscape observed between January 19 and January 26, 2026. The week was characterized by a sharp rise in AI-generated malware, supply chain compromises via developer tools, and persistent exploitation of edge infrastructure.
Key Highlights:
Malicious Developer Extensions: Discovery of the “MaliciousCorgi” campaign involving compromised VS Code extensions with over 1.5 million installs, exfiltrating code to servers in China.
AI-Written Malware: Detection of VoidLink, a sophisticated Linux malware strain entirely generated by an adversarial AI model, capable of evading traditional signature detection.
Infrastructure Attacks: Continued fallout from the Fortinet FortiCloud SSO bypass (CVE-2025-59718), with active exploitation observed despite available patches.
Critical Infrastructure Targeting: The Sandworm group (Russia) deployed a new wiper variant, DynoWiper, targeting Polish energy sectors, signaling escalated geopolitical cyber aggression.
Dominant Trends:
Weaponization of AI: Attackers are rapidly operationalizing “Agentic AI” to write malware and automate phishing at scale.
Supply Chain Infiltration: A shift from compromising software libraries to compromising the tools developers use (IDEs/Extensions).
II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW
The global cybersecurity scene continues to face intense pressure from both state-sponsored actors and financially motivated cybercriminal syndicates.
Key Observations:
Europe (Poland/Ukraine): High alert status following the discovery of DynoWiper in Polish critical national infrastructure (CNI), attributed to the Russian-backed Sandworm group.
North America/Global: Widespread impact of the “MaliciousCorgi” VS Code extensions, affecting tech/dev sectors globally.
Asia-Pacific: Increased espionage activity targeting India via a new multi-stage backdoor, detailed by eSentire’s Threat Response Unit.
III. NOTABLE INCIDENTS AND DATA BREACHES
VS Code “MaliciousCorgi” Campaign: Two popular VS Code extensions posing as AI coding assistants were found to be spyware. They provided legitimate coding help while silently exfiltrating source code and environment variables to C2 servers in China.
Fake LastPass Maintenance Campaign: A sophisticated phishing wave targeted LastPass users with “mandatory security update” emails (Jan 22, 2026), leading to credential harvesting.
Polish Power Grid Targeting: ESET and local CERTs identified attempted disruptive attacks on Polish energy substations using a new wiper strain, DynoWiper.
IV. COMPREHENSIVE INCIDENT SUMMARY TABLE
Date | Incident | Affected Organization/Sector | Impact
Jan 26, 2026 | Malicious VS Code Extensions | Global Dev/Tech Sector | Exfiltration of proprietary source code & API keys from 1.5M+ devices.
Jan 23, 2026 | FortiCloud SSO Exploitation | Enterprise/Network Edge | Unauthorized access to firewalls via unpatched CVE-2025-59718.
Jan 22, 2026 | LastPass Phishing Wave | General Public/Enterprise | Credential theft via realistic “maintenance” lures.
Jan 21, 2026 | Calendar Invite Attacks | Google Workspace Users | Malicious calendar invites used to bypass email filters and deliver payloads.
Jan 19, 2026 | Sandworm DynoWiper | Polish Energy Sector | Operational disruption attempts; discovery of new OT-specific wiper.
V. CURRENT THREAT LANDSCAPE ANALYSIS
Emerging Trends:
Agentic AI Threats: The discovery of VoidLink confirms that threat actors are successfully using LLMs not just for social engineering, but for functional malware generation. VoidLink was created in under 6 days using an adversarial AI model.
IDE as an Attack Vector: With the “MaliciousCorgi” incident, Integrated Development Environments (IDEs) are now a prime target. Attackers recognize that developer machines often hold high-privileged credentials and IP.
VI. CRITICAL VULNERABILITIES AND CVEs
CVE ID | Description | Severity | Mitigation
CVE-2025-59718 | Fortinet FortiCloud SSO Bypass: Allows unauthenticated attackers to bypass authentication on FortiGate devices if SSO is enabled. | Critical (9.8) | IMMEDIATE: Upgrade to FortiOS 7.4.4+ or disable FortiCloud SSO.
(not listed) | Windows NTLMv1 Bypass: Allows attackers to bypass NTLMv1 authentication and gain SYSTEM privileges. (Still actively exploited.) | Critical (9.8) | Apply Jan 2025/Feb 2026 cumulative updates; enforce NTLMv2 only.
CVE-2026-1011 | Linux Kernel eBPF Flaw: A privilege escalation vulnerability in the eBPF verifier, exploited by VoidLink malware. | High (7.8) | Patch Linux Kernel to 6.8+; disable unprivileged eBPF.
VII. THREAT ACTOR ACTIVITIES
Sandworm (Unit 74455)
Objective: Disruption / Sabotage
TTPs: Use of “Living off the Land” binaries (LOLBins) combined with custom wipers (DynoWiper). They are now targeting OT (Operational Technology) protocols specifically in NATO-aligned countries.
Target Sectors: Energy, Transportation, Government (Poland, Ukraine).
Salt Typhoon (China-Nexus)
Objective: Espionage / Data Theft
TTPs: Leveraging CVE-2025-59718 (Fortinet) to gain initial access, followed by lateral movement into telecommunications networks to monitor traffic.
Spotlight: VoidLink
Polymorphic Code: Recompiles its own structure every 12 hours to evade hash-based detection.
Silent Persistence: Uses subtle cron jobs and modifies systemd services disguised as legitimate “log rotation” tasks.
Data Exfiltration: Compresses data using custom algorithms before exfiltrating via DNS tunneling.
Delivery Method: Drive-by downloads from compromised legitimate websites and malicious package repositories.
Affected Platforms: Linux Servers (Ubuntu, CentOS, Debian).
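The DNS tunneling described above is a good fit for log-based detection because the encoded data has to travel in query names. The following is an added example, not code from the report or from any vendor named in it: it scores resolver query logs by the length and Shannon entropy of each query's leftmost label and by how many unique subdomains one registered domain receives. The log format ("timestamp client-ip qtype qname"), the thresholds and the sample lines are all constructed for this example.

```python
"""
Added detection example (not from the report): flag DNS-tunnelling style
exfiltration in resolver query logs. Heuristics: the leftmost label of each
query is long and high-entropy, and one registered domain receives many
unique such subdomains. The log lines and the log format
"<timestamp> <client-ip> <qtype> <qname>" are constructed assumptions.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed sample: ordinary lookups plus a burst of 32-character encoded
# labels under one domain, the shape that DNS tunnelling produces.
SAMPLE_LOG = """\
2026-01-21T10:00:01 10.0.0.5 A www.example.com
2026-01-21T10:00:02 10.0.0.5 A mail.example.com
2026-01-21T10:00:03 10.0.0.5 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.updates.example-cdn.net
2026-01-21T10:00:03 10.0.0.5 TXT b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1.updates.example-cdn.net
2026-01-21T10:00:04 10.0.0.5 TXT c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1b2.updates.example-cdn.net
2026-01-21T10:00:04 10.0.0.5 TXT d4e5f6g7h8i9j0k1l2m3n4o5p6a1b2c3.updates.example-cdn.net
2026-01-21T10:00:05 10.0.0.5 TXT e5f6g7h8i9j0k1l2m3n4o5p6a1b2c3d4.updates.example-cdn.net
2026-01-21T10:00:05 10.0.0.5 TXT f6g7h8i9j0k1l2m3n4o5p6a1b2c3d4e5.updates.example-cdn.net
2026-01-21T10:00:06 10.0.0.7 A www.example.com
this line is malformed and is skipped by the parser
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'registered domain': the last two labels. A production version
    should use the Public Suffix List so that host.example.co.uk is handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_domains(lines, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Group queries by registered domain and return {domain: stats} for the
    domains whose leftmost labels look like encoded data."""
    acc = defaultdict(lambda: {"subdomains": set(), "lengths": [],
                               "entropies": [], "qtypes": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()
        base = registered_domain(qname)
        prefix = qname[: -len(base)].rstrip(".")
        if not prefix:            # bare registered domain, nothing to score
            continue
        leftmost = prefix.split(".")[0]
        d = acc[base]
        d["subdomains"].add(leftmost)
        d["lengths"].append(len(leftmost))
        d["entropies"].append(shannon_entropy(leftmost))
        d["qtypes"][rec["qtype"]] += 1

    flagged = {}
    for base, d in acc.items():
        n = len(d["subdomains"])
        mean_len = sum(d["lengths"]) / len(d["lengths"])
        mean_ent = sum(d["entropies"]) / len(d["entropies"])
        if n >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[base] = {"unique_subdomains": n,
                             "mean_label_len": round(mean_len, 2),
                             "mean_entropy": round(mean_ent, 3),
                             "qtypes": dict(d["qtypes"])}
    return flagged


if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_LOG.splitlines()).items():
        print(f"SUSPECT {domain}: {stats}")
```

In practice the thresholds need tuning against the environment's baseline (CDNs and some telemetry agents legitimately use long hashed labels, though rarely in TXT queries), and the "registered domain" split should come from the Public Suffix List rather than the last two labels used here.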
Spotlight: MaliciousCorgi
Type: VS Code Extension / Spyware
Capabilities: Captures file contents upon “Save” actions, environment variables (AWS keys, API tokens), and clipboard data.
Delivery: Social engineering via VS Code Marketplace (fake reviews/inflated download counts).
IX. RECOMMENDATIONS
For Technical Audiences:
Immediate Actions (24-48 Hours):
Patch Fortinet Devices: Verify all edge firewalls are patched against CVE-2025-59718. If patching is impossible, disable FortiCloud SSO immediately.
Audit VS Code Extensions: Run a script to list all installed extensions across developer environments. Block/Uninstall “Koi.AI” or “SmartCoder” extensions (linked to MaliciousCorgi).
Block IoCs: Ingest the IP addresses and hashes provided in the Appendix into SIEM/EDR solutions.
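As an added example of the extension audit recommended above (not tooling from the report or from any vendor it names), the script below parses the output of `code --list-extensions --show-versions`, which are real VS Code CLI flags, and flags extensions matching a blocklist. Only the names "Koi.AI" and "SmartCoder" come from the report; the exact publisher.name identifiers a real blocklist needs are not given there, so matching here uses normalized substrings as a placeholder, and the installed-extension list is a constructed sample.

```python
"""
Added example (not the report's own tooling): audit installed VS Code
extensions against a blocklist. Blocklist patterns are placeholders derived
from names in the report; a real deployment should carry exact publisher.name
IDs from vendor IoCs. Extension IDs in SAMPLE_OUTPUT are constructed.
"""
import shutil
import subprocess

# Placeholder patterns: "Koi.AI" and "SmartCoder" as named in the report,
# normalized to lowercase alphanumerics so "koi-ai.koi-ai-helper" still matches.
BLOCKLIST_PATTERNS = ("koiai", "smartcoder")

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_OUTPUT = """\
ms-python.python@2025.1.0
example-publisher.smartcoder-assistant@1.4.2
koi-ai.koi-ai-helper@0.9.9
redhat.vscode-yaml@1.15.0
"""


def _normalize(s: str) -> str:
    """Lowercase and strip everything except letters and digits."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def parse_extension_list(output: str):
    """Parse one `publisher.name@version` per line into (id, version) tuples."""
    items = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        items.append((ext_id, version or "unknown"))
    return items


def flag_extensions(installed, patterns=BLOCKLIST_PATTERNS):
    """Return the (id, version) pairs whose normalized id contains a pattern."""
    return [(ext_id, ver) for ext_id, ver in installed
            if any(p in _normalize(ext_id) for p in patterns)]


def uninstall_command(ext_id: str):
    """Argv for removing an extension; returned, not executed, so the audit
    stays read-only and the removal can be reviewed or pushed via MDM."""
    return ["code", "--uninstall-extension", ext_id]


def list_installed_extensions():
    """Query the real `code` CLI if present; returns [] when it is absent."""
    code = shutil.which("code")
    if code is None:
        return []
    proc = subprocess.run([code, "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=False)
    return parse_extension_list(proc.stdout)


def audit(output: str):
    """Full audit over captured CLI output: returns the flagged extensions
    together with the command that would remove each one."""
    return [(ext_id, ver, uninstall_command(ext_id))
            for ext_id, ver in flag_extensions(parse_extension_list(output))]


if __name__ == "__main__":
    live = list_installed_extensions()
    for ext_id, ver, cmd in audit(SAMPLE_OUTPUT if not live else
                                  "\n".join(f"{i}@{v}" for i, v in live)):
        print(f"BLOCKED {ext_id} {ver}: {' '.join(cmd)}")
```

To cover a fleet, collect the `code --list-extensions --show-versions` output per host through the existing EDR or configuration-management channel and feed each capture to `audit`; the per-user extension directory (`~/.vscode/extensions`) is the fallback when the CLI is not on the path.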
Strategic Improvements:
Post-Quantum Preparation: Review the new Europol guidelines on “Prioritising Post-Quantum Cryptography Migration” released this week. Begin inventorying cryptographic assets.
Restrict Developer Environments: Implement strict allow-lists for IDE extensions and consider using ephemeral development environments (e.g., GitHub Codespaces with strict controls) to limit data exfiltration risks.
For Non-Technical Audiences:
Security Awareness:
Verify “Maintenance” Emails: Be skeptical of emails from services like LastPass or Microsoft claiming “Urgent Maintenance.” Verify by logging into the service directly, not via email links.
Calendar Invite Caution: Do not click links inside unsolicited Google Calendar invites; report them as spam.
Incident Response Preparedness:
Update Contact Lists: Ensure the crisis management team has updated contacts for legal, forensic, and insurance partners.
“Out-of-Band” Communication: Establish a secondary communication channel (e.g., Signal, separate Slack instance) in case corporate email is compromised.
X. ANALYST NOTES
The emergence of VoidLink marks a pivotal moment: we are moving from “AI-assisted” attacks (phishing) to “AI-generated” weaponry. Traditional signature-based AV is becoming obsolete against these polymorphic threats. Organizations must pivot to behavioral analysis (EDR/XDR) that detects what a file does, not just what it looks like.
Additionally, the MaliciousCorgi campaign highlights that developers are the new “weak link.” Security teams often whitelist developer machines to avoid hindering productivity, but this trust is being weaponized. Expect to see more attacks via npm, PyPI, and IDE marketplaces in Q1 2026.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.