China orders domestic companies to stop using US cybersecurity software

White House renominates Plankey as CISA Director, Whistleblower leaks sensitive data on ICE and Border Patrol workers, Man to plead guilty for hacking Supreme Court system, Microsoft issues fixes for 114 flaws, Belgian hospital forced to cancel procedures after cyberattack, much more


Don't miss my latest CSO piece on Sean Plankey's renomination and how Congress is weakening US cybersecurity with delayed action.



Sources say Chinese authorities have told domestic companies to stop using cybersecurity software made by roughly a dozen firms from the US and Israel due to national security concerns.

As trade and diplomatic tensions flare between China and the US and both sides vie for tech supremacy, Beijing has been keen to replace Western-made technology with domestic alternatives.

The US companies whose cybersecurity software has been banned include Broadcom-owned VMware, Palo Alto Networks, and Fortinet, while the Israeli companies include Check Point Software Technologies, the sources said.

Chinese authorities expressed concern that the software could collect and transmit confidential information abroad, the sources said. They declined to be named due to the sensitivity of the situation.

The United States and China, which have been locked in an uneasy trade truce, are preparing for a visit by U.S. President Donald Trump to Beijing in April.

Even before Trump's return to power at the start of last year, the politics around foreign cybersecurity vendors have long been fraught.

While the West and China have clashed over China's efforts to build up its semiconductor and artificial intelligence sectors, Chinese analysts have said Beijing has become increasingly concerned that foreign powers could hack any Western equipment.

It has therefore sought to replace Western computer equipment and word processing software. (Beijing and Shanghai newsrooms and Rafael Satter / Reuters)

Related: Barron's, Sri Lanka Guardian, The Kenya Times

Donald Trump re-nominated Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency, the White House said, after the nomination failed to clear the full Senate at the end of last year.

The timing for Plankey’s confirmation isn’t fully clear. Sen. Thom Tillis, R-N.C., said last week that he’d block all DHS nominees until Homeland Security Secretary Kristi Noem commits to testifying before the Senate Judiciary Committee.

CISA’s current acting director, Madhu Gottumukkala, is also being scrutinized by congressional Democrats after a Politico report last month showed he failed a polygraph exam that may have been wrongfully administered.

Plankey, a former Energy Department cybersecurity official in Trump’s first term, had faced multiple holds to his nomination in the Senate throughout last year, some tied to broader political disputes rather than cybersecurity policy itself. (David DiMolfetta / NextGov/FCW)

Related: White House, CyberScoop, CSO Online, Politico

Sensitive details of around 4,500 ICE and Border Patrol employees—including almost 2,000 agents working in frontline enforcement—have allegedly been released by a Department of Homeland Security whistleblower following last week’s fatal shooting of Renee Nicole Good.

The alleged leak to the ICE List, a self-styled “accountability initiative,” is believed to be the largest ever breach of DHS staff data. It appears to include names, work emails, telephone numbers, roles, and some resumé data, including previous jobs of federal immigration staff.

ICE List founder, Dominick Skinner, told the Daily Beast: “It is a sign that people aren’t happy within the US government, clearly. The shooting [of Good] was the last straw for many people.”

According to Skinner, who leads the volunteer-run website, the dataset includes about 1,800 on-the-ground agents and 150 supervisors. Early analysis by the organization suggests that around 80 per cent of the staff identified remain employed by DHS.

An initial set of names from the leak was posted on Tuesday night. (Tom Latchem / The Daily Beast)

Related: ICE List, WTOV, The Independent

Nicholas Moore, a resident of Springfield, Tennessee, is expected to plead guilty to hacking the US Supreme Court’s electronic document filing system dozens of times over several months, although no details of the crime have been released.

Prosecutors say between August and October 2023, Nicholas Moore, 24, “intentionally accessed a computer without authorization on 25 different days and thereby obtained information from a protected computer,” according to a court document.

Moore is scheduled to plead guilty in court by video link on Friday. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Court Listener, The Record

Microsoft issues its January Patch Tuesday fixes containing security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities.

This Patch Tuesday also addresses eight "Critical" vulnerabilities, six of which are remote code execution flaws and two of which are elevation-of-privilege flaws.

The actively exploited zero day is CVE-2026-20805 - Desktop Window Manager Information Disclosure Vulnerability. "Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally," explains Microsoft.

Microsoft says that successfully exploiting the flaw allows attackers to read memory addresses associated with the remote ALPC port.

"The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory," continued Microsoft.

Microsoft has attributed the flaw to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC) but has not shared how the flaw was exploited.

Other vendors who issued January Patch Tuesday updates include Adobe, Cisco, Fortinet, D-Link, Google, jsPDF, n8n, SAP, Service Now, Trend Micro, and Veeam. (Lawrence Abrams / Bleeping Computer)

Related: Infosecurity Magazine, CSO Online, Security Affairs, Petri, Krebs on Security, Rapid7, SANS Internet Storm Center, Ask Woody, The Register, CyberScoop

Belgian hospital AZ Monica was forced to shut down all servers, cancel scheduled procedures, and transfer critical patients earlier today due to a cyberattack.

The hospital, which operates campuses in Antwerp and Deurne, disconnected all servers at 6:32 AM after its systems were hit.

The cyberattack also forced the hospital to suspend all scheduled procedures on Tuesday. The emergency department continues to operate at reduced capacity, while the emergency medical services and intensive care transport units remain offline.

"Due to this situation, no scheduled procedures are possible today. We have informed all patients. The Emergency Department is operating at reduced capacity. The Emergency Department (MUG) and Intensive Care Unit (PIT) services are currently not operational," the hospital said in a press statement.

Seven patients who required critical care were transferred to other hospitals with Red Cross assistance. Hospital officials added that all remaining patients are staying at AZ Monica and receiving necessary care, but warned that registration procedures for new patients will be slower, since employees "have to register a lot of things on paper."

The hospital has also notified relevant authorities and said that the police and prosecutors are now investigating the cybersecurity incident. It also noted that it continues monitoring the situation and will provide updates as more information becomes available. (Sergiu Gatlan / Bleeping Computer)

Related: AZ Monica, De Tijd, Techzine, Belga News Agency, VRT, The Brussels Times, Security Affairs

Ukraine's CERT says officials of Ukraine's Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe.

PluggyApe is a backdoor that profiles the host, sends information to the attackers, including a unique victim identifier, and then waits for code execution commands. It achieves persistence via Windows Registry modification.

The attacks were likely launched by the Russian threat group known as 'Void Blizzard' and 'Laundry Bear', although there is medium confidence in attribution.

Laundry Bear is the same threat group responsible for breaching the Dutch police's internal systems in 2024 and stealing sensitive information about officers.

The hackers are known for focusing on NATO member states in attacks aligned with Russian interests that steal files and emails.

The attacks observed by CERT-UA begin with instant messages over Signal or WhatsApp telling recipients to visit a website allegedly operated by a charitable foundation, and download a password-protected archive supposedly containing documents of interest.

Instead, the archives contain executable PIF files (.docx.pif) and the PluggyApe payloads, which are sometimes sent directly through the messaging app. (Bill Toulas / Bleeping Computer)

Related: CERT-UA, The Record, GBHackers

Malicious message lures. Source: CERT-UA
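The CERT-UA lure described above relies on a double extension (.docx.pif) inside a password-protected archive. The following is an added example, not code from CERT-UA or from the Bleeping Computer article, of a mail-gateway or endpoint pre-screen that lists archive members and flags executables disguised with a document extension. It relies on the fact that zip member names are stored in the clear even when the contents are encrypted, so a password-protected archive can still be triaged without the password. The extension sets and the sample archive are constructed for this example and are not taken from the reported campaign.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows launches directly; .pif is the one CERT-UA reports here.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Document/image extensions typically used as the decoy half of a double extension.
DOCUMENT_EXTENSIONS = {"docx", "doc", "pdf", "xlsx", "xls", "pptx", "txt", "jpg", "png"}


def classify_member(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one archive member name.

    verdicts: "block"  - executable disguised with a document extension
              "review" - plain executable delivered inside an archive
              "ok"     - nothing directly executable
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return ("ok", "no extension")
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return ("ok", f".{ext} is not directly executable")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return ("block", f"double extension .{parts[-2]}.{ext} disguises an executable")
    return ("review", f"executable .{ext} delivered in archive")


def scan_archive(data: bytes) -> List[Tuple[str, str, str]]:
    """Classify every file member of a zip archive.

    Works on password-protected archives too: ZipCrypto/AES encrypt member
    contents, not the central directory, so names are readable without a key.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_member(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def build_sample_archive() -> bytes:
    """Constructed sample archive for this example; not a real CERT-UA artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Charity_Report_2025.docx.pif", b"MZ placeholder bytes")
        zf.writestr("Donors.xlsx", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
        zf.writestr("setup.exe", b"MZ placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, reason in scan_archive(build_sample_archive()):
        print(f"{verdict:6} {name:32} {reason}")
```

A "block" verdict on a member such as Charity_Report_2025.docx.pif is the signal to quarantine the archive and alert, regardless of whether the contents could be decrypted; a "review" verdict covers archives that carry an undisguised executable, which may or may not be legitimate in a given environment.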

The US urged United Nations member states to take a tougher stance against North Korean efforts to skirt sanctions through its IT worker scheme and cryptocurrency heists.

Eleven countries led a session at the UN headquarters in New York centered around a 140-page report released last fall that covered North Korea’s extensive cyber-focused efforts to fund its nuclear and ballistic weapons program.

The report links the North Korean IT worker scheme — where citizens of the country steal identities and secure employment at western companies — with Pyongyang’s billion-dollar crypto thefts.

Both efforts, alongside several other initiatives, are designed to bring in funding for North Korea’s regime, simplify weapons purchases, and circumvent multiple UN security resolutions.

The report said more than 40 countries have been impacted by either crypto heists — which surpassed $2 billion last year — or IT worker activities. (Jonathan Greig / The Record)

Related: UN Web TV

Chainalysis says that crypto scams and fraud took in at least $14 billion on-chain in 2025, up from a revised total of $12 billion the previous year.

The 2024 figure was revised up from the $9.9 billion Chainalysis initially reported, and the 2025 figure could exceed $17 billion as the company identifies more illicit wallet addresses in the coming months.

Last year’s increase was driven by a surge in impersonation tactics and the use of artificial intelligence (AI) tools, according to the post.

Impersonation scams, in which fraudsters pose as legitimate organizations or authority figures, saw a year-over-year growth of 1,400%, the post said. Examples seen in 2025 included scammers impersonating representatives of the E-ZPass electronic road toll collection system and the Coinbase cryptocurrency exchange.

As of Tuesday, the home page of E-ZPass Group includes a banner saying that “there has been a major increase in fraudulent text & email messages being sent that appear to be from various toll agencies across the country, including the E-ZPass Group, stating there is money owed.”

AI-enabled scams were 4.5 times more profitable than traditional ones, according to the Chainalysis blog post. This form of fraud includes the use of tools such as face-swap software, deepfake technology, and large language models. AI tools enable fraudsters to manage more victims at the same time and to make their scams more persuasive, Chainalysis said. (PYMNTS)

Related: Chainalysis, Decrypt, New York Times, Disruption Banking

Source: Chainalysis.

The Python Software Foundation (PSF) has an extra $1.5 million heading its way, after AI upstart Anthropic entered into a partnership aimed at improving security in the Python ecosystem.

“This investment will enable the PSF to make crucial security advances to CPython and the Python Package Index (PyPI) benefiting all users, and it will also sustain the foundation’s core work supporting the Python language, ecosystem, and global community,” wrote the organization’s deputy executive director Loren Crary. CPython is the reference implementation of the Python language, and PyPI is a repository of software for Python devs.

“Anthropic’s funds will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply-chain attacks,” she added.

Crary thinks this effort may benefit other FOSS projects.

“One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem.” (Simon Sharwood / The Register)

Related: Python Software Foundation, Help Net Security, WebProNews

VoidLink is written in Zig, Go, and C, and its code shows signs of a project under active development, with extensive documentation, and likely intended for commercial purposes.

The analysts say that VoidLink can determine if it runs inside Kubernetes or Docker environments and adjust its behavior accordingly.

However, no active infections have been confirmed, which supports the assumption that the malware was created "either as a product offering or as a framework developed for a customer."

The researchers note that VoidLink appears to be developed and maintained by Chinese-speaking developers, based on the interface locale and optimizations.

Check Point researchers say that VoidLink is developed with stealth in mind, as it "aims to automate evasion as much as possible" by thoroughly profiling the targeted environment before choosing the best strategy.

They note that the new framework "is far more advanced than typical Linux malware" and is the work of developers with "a high level of technical expertise" and very skilled in multiple programming languages. (Bill Toulas / Bleeping Computer)

Related: Check Point, Ars Technica, Cyber Press, Techzine

VoidLink's operational overview. Source: Check Point

The US Senate unanimously passed legislation that would allow victims to sue over nonconsensual, sexually explicit AI-generated images in response to a widening uproar over a flood of graphic content on billionaire Elon Musk’s X platform.

Under the measure, known as the Defiance Act, victims would gain the federal civil right to sue perpetrators responsible for creating the pornographic images. It builds on a law enacted last year that requires social media companies to remove such content within 48 hours of a victim’s request.

The bill seeks to address a growing global controversy over the thousands of images of undressed women and girls that have been produced without their permission on X using the platform’s Grok AI tool. Democratic Senator Dick Durbin of Illinois, who requested the bill’s passage, called the Grok images “horrible.” (Emily Birnbaum and Steven T. Dennis / Bloomberg)

Related: Senate Committee on the Judiciary, The 19th, Politico, Engadget, The Hill, The Verge, The Decoder

Amid budding sentiment in the Trump administration and Congress to expand offensive cyber operations, some lawmakers and experts are warning that the United States needs to get its defenses in order before going too far down that road.

A House Homeland Security subcommittee on Tuesday examined how to deter foreign cyberattacks, with an emphasis on the role US attacks could play in countering them. One long-running concern about improving the US offense is how it might provoke further attacks.

“I’m concerned we’re putting the cart before the horse, when we have not had a hearing on why the [Cybersecurity and Infrastructure Security] Agency has lost one-third of its workforce in the last year,” the top Democrat on the full committee, Bennie Thompson of Mississippi, said. “We ought to be cautious about pursuing an approach involving the use of offensive cyber tools that could result in retaliation or escalation if we’re not in a position to help defend US networks.”

Other panel Democrats invoked a sentiment from sports about the importance of defense over offense. “Both are still important,” Rep. James Walkinshaw, D-Va., said during the hearing of the Cybersecurity and Infrastructure Protection Subcommittee. (Tim Starks / CyberScoop)

Related: Committee on Homeland Security, Committee on Homeland Security, NextGov/FCW, Industrial Cyber

A handful of police departments that use Flock have unwittingly leaked details of millions of surveillance targets and a large number of active police investigations around the country because they have failed to redact license plate information in public records releases.

Flock responded to this revelation by threatening a site that exposed it and by limiting the information the public can get via public records requests.

Completely unredacted Flock audit logs have been released to the public by numerous police departments and in some cases include details on millions of Flock license plate searches made by thousands of police departments from around the country. The data has been turned into a searchable tool on a website called HaveIBeenFlocked.com, which says it has data on more than 2.3 million license plates and tens of millions of Flock searches. (Jason Koebler / 404 Media)

Related: r/technology
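The failure reported above is a records-release process that shipped audit logs with plate data intact. As an added example (not code from Flock, 404 Media, or any police department), the script below shows the two controls a records unit would want before releasing such a log: pseudonymize the plate column with a salted hash so that repeated searches of one plate remain countable without exposing it, scrub plate-like tokens from free-text fields where plates tend to leak, and then run a pre-release check that refuses the file if any plate-like token remains. The column names, plate regex and sample log are assumptions constructed for this example; a real export would have to be mapped to them first.

```python
import csv
import hashlib
import io
import re
from typing import Dict, List

# Hypothetical column names for this example; real audit exports differ.
PLATE_COLUMNS = {"plate"}
FREE_TEXT_COLUMNS = {"reason"}

# Narrow heuristic: 5-8 upper-case alphanumerics with at least one letter and
# one digit. It deliberately skips all-digit tokens so case numbers survive;
# widen it to match the plate formats your agency actually handles.
PLATE_RE = re.compile(r"\b(?=[A-Z0-9]*\d)(?=[A-Z0-9]*[A-Z])[A-Z0-9]{5,8}\b")


def pseudonymize(plate: str, salt: bytes) -> str:
    """Stable salted token: same plate -> same token within one release,
    but the token cannot be reversed to the plate without the salt."""
    digest = hashlib.sha256(salt + plate.strip().upper().encode()).hexdigest()
    return "PLATE-" + digest[:10]


def redact_rows(rows: List[Dict[str, str]], salt: bytes) -> List[Dict[str, str]]:
    """Pseudonymize plate columns and scrub plate-like tokens from free text."""
    out = []
    for row in rows:
        clean = dict(row)
        for col in PLATE_COLUMNS:
            if col in clean and clean[col]:
                clean[col] = pseudonymize(clean[col], salt)
        for col in FREE_TEXT_COLUMNS:
            if col in clean and clean[col]:
                clean[col] = PLATE_RE.sub("[REDACTED]", clean[col])
        out.append(clean)
    return out


def residual_plate_hits(rows: List[Dict[str, str]]) -> int:
    """Pre-release check: number of plate-like tokens still present in the
    columns that were supposed to be cleaned. Anything above zero blocks release."""
    hits = 0
    for row in rows:
        for col in PLATE_COLUMNS | FREE_TEXT_COLUMNS:
            if col in row and row[col]:
                hits += len(PLATE_RE.findall(row[col]))
    return hits


def parse_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def redact_csv(text: str, salt: bytes) -> str:
    """Return the redacted CSV, or raise if the pre-release check still finds plates."""
    reader = csv.DictReader(io.StringIO(text))
    rows = redact_rows(list(reader), salt)
    if residual_plate_hits(rows):
        raise ValueError("plate-like tokens remain; do not release")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample audit log for this example; not real Flock data.
SAMPLE_LOG = """timestamp,agency,user,plate,reason
2025-03-01T10:32:00,Example PD,officer_a,ABC1234,traffic stop
2025-03-01T10:35:00,Example PD,officer_b,7XYZ123,Case 25-00417 vehicle ABC1234 seen nearby
2025-03-02T08:00:00,Other PD,officer_c,ABC1234,stolen vehicle
"""

if __name__ == "__main__":
    salt = b"per-release-secret-salt"  # keep the salt out of the released file
    print(redact_csv(SAMPLE_LOG, salt))
```

Using a fresh salt per release prevents tokens from different releases being joined back together, which is the property a public-records officer wants when the same plate shows up across several agencies' logs. The free-text pass is what catches the case the column-level redaction misses: a plate typed into a "reason" field.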

CrowdStrike announced an agreement to acquire Seraphic Security, a browser runtime security provider, in a deal a source says is worth $420 million.

The move signals growing recognition among cybersecurity firms that traditional protective measures have failed to keep pace with how employees actually work.

The acquisition, expected to close during CrowdStrike’s first fiscal quarter of 2027, will integrate Seraphic’s browser-level protection into CrowdStrike’s Falcon platform. (Greg Otto / CyberScoop)

Related: CTech, Forbes, CRN, Globes, CyberScoop, Business Wire

Best Thing of the Day: Women Fighting for What's Right

A coalition of women's groups, tech watchdogs, and progressive activists is calling on Alphabet owner Google and Apple to remove the social media site X and its related chatbot, Grok, from their app stores.

Bonus Best Thing of the Day: Ireland Fighting for What's Right

Ireland's Arts and Media Oireachtas committee is holding a hearing on the regulation of online platforms and online safety, with a particular focus on the recent controversy surrounding the Grok tool on the X platform.

Worst Thing of the Day: Expanding the Already Overweening US Government Surveillance Industry

Under a two-year, $121 million contract between US Immigration and Customs Enforcement and a subsidiary of for-profit prison company GEO Group called BI Incorporated, the company will perform “skip tracing” services for the federal government, ostensibly to hunt down immigrants better, expanding the massive government surveillance mechanisms mounted by the Trump administration in the name of border control.
