Salt Typhoon infiltrated US House China Committee, other committees, sources

TX court enjoins Samsung from using or selling consumer data, FCC exempts some Chinese tech at Pentagon's request, Man accused of stealing Snapchat access codes for 600 women for Northeastern Univ. coach, Ni8mare flaw allows takeover of N8N workflow automation platform, much more

Chinese intelligence accessed email systems used by some staffers on the House China committee in addition to aides on the foreign affairs committee, intelligence committee, and armed services committee, according to people familiar with the attack.

The intrusions were detected in December.

The attacks are the latest element of an ongoing cyber campaign against US communication networks by the Ministry of State Security, China’s intelligence service. One person familiar with the attack said it was unclear if the MSS had accessed lawmakers’ emails.

The MSS has been operating Salt Typhoon for several years. It allows China to access the unencrypted phone calls, texts, and voicemails of almost every American, and in some cases enables access to email accounts.

Salt Typhoon has also intercepted the calls of senior US officials over the past couple of years, said people familiar with the campaign.

Mark Warner, the top Democrat on the Senate intelligence committee, in December said it was “baffling” that more attention was not being paid to Salt Typhoon. “Unless you’re on an encrypted device, they can pick any one of us,” Warner told the Defense Writers Group.

Jake Sullivan, former President Joe Biden’s national security adviser, told the Financial Times last year after leaving the White House that US telecom companies were “highly vulnerable” to Salt Typhoon.

The campaign is one of many cyber espionage efforts by Chinese intelligence and the People’s Liberation Army that target US infrastructure. (Demetri Sevastopulo / Financial Times)

Related: Reuters, Cyber Security News, r/neoliberal, r/politics, 24World, Business World, WION

After Texas Attorney General Ken Paxton filed lawsuits against Samsung and other TV manufacturers last month, alleging that they're spying on Texas residents through their TVs, a Texas District Court judge issued an order that stops Samsung from doing what it was doing.

The technology works by capturing screenshots of whatever's on the TV screen every 500 milliseconds, and then sending that information to their servers and partners without users' consent.

The Temporary Restraining Order now blocks Samsung and all relevant parties working with the company from continuing to use, sell, transfer, collect, or share Automated Content Recognition data on Texas consumers.

A similar order has also been passed against Hisense by the District Court, and will likely be passed against all TV manufacturers that the state has sued, as these are preliminary proceedings that have no bearing on the actual merits of the case.

There will now be a hearing on January 9 where both parties will provide evidence on whether a temporary injunction should be issued pending the final decision in this lawsuit which is likely going to take some time. This temporary order will expire on January 19 unless the court extends it. (Adnan Farooqui / Sam Mobile)

Related: Android Authority, Temporary Restraining Order

The US Federal Communications Commission said it is exempting imports of some new models of foreign-made drones and critical components from a sweeping import ban adopted in December.

The telecommunications regulator acted on a Pentagon recommendation to exempt some components and drones from the restrictions through the end of 2026.

The list of drones allowed for import includes models from Parrot, Teledyne FLIR, Neros Technologies, Wingtra, Auterion, ModalAI, Zepher Flight Labs, and AeroVironment, and imports will be allowed until the end of 2026.

The FCC also said it was approving a list of imported critical components for drones produced by companies including Nvidia, ModalAI, Panasonic, Sony, Samsung, and ARK Electronics. (David Shepardson / Reuters)

Related: FCC, DroneLife, Tech in Asia, DroneDJ

An Illinois man, Kyle Svara, is accused of obtaining Snapchat access codes for nearly 600 women and gaining access to the accounts of more than 50 of them to steal nude images on behalf of Steve Waithe, a former track and field coach at Northeastern University.

Prosecutors said Svara also allegedly targeted women who resided in or around the area of Plainfield, or who were students at Colby College in Waterville, Maine.

Svara is charged with aggravated identity theft, wire fraud, computer fraud, conspiracy to commit computer fraud, and false statements related to child pornography, officials said. (ABC7 Chicago Digital Team)

Related: WGME

A maximum severity vulnerability dubbed "Ni8mare" allows remote, unauthenticated attackers to take control of locally deployed instances of the N8N workflow automation platform.

The security issue is identified as CVE-2026-21858 and has a 10 out of 10 severity score. According to researchers at data security company Cyera, there are more than 100,000 vulnerable n8n servers.

The Ni8mare vulnerability gives an attacker access to files on the underlying server by executing certain form-based workflows.

"A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage," n8n developers say.

Cyera researchers discovered the Ni8mare vulnerability (CVE-2026-21858) and reported it to n8n on November 9, 2025. They say that the security issue is a content-type confusion in the way n8n parses data.

n8n developers say that there is no official workaround available for Ni8mare, but one mitigation is to restrict or disable publicly accessible webhook and form endpoints.

The recommended action is to update to n8n version 1.121.0 or a more recent one. (Bill Toulas / Bleeping Computer)

Related: Cyera, GitHub, Cyber Security News, The Hacker News, CyberScoop, Security Affairs, SiliconANGLE, CSO, r/cybersecurity, r/netsec

The flawed parser logic. Source: Cyera

Cisco has patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges.

Enterprise admins use Cisco ISE to manage endpoint, user, and device access to network resources while enforcing a zero-trust architecture.

The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices.

"This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application," Cisco said.

"A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials."

While the Cisco Product Security Incident Response Team (PSIRT) found no evidence of active exploitation, it did warn that a proof-of-concept (PoC) exploit is available online.

Cisco considers "any workarounds and mitigations (if applicable) to be temporary solutions" and said that it "strongly recommends that customers upgrade to the fixed software" to "avoid future exposure" and fully address this vulnerability. (Sergiu Gatlan / Bleeping Computer)

Related: Cisco

Researchers at Check Point report that a new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.

GoBruteforcer is also known as GoBrut. It is a Golang-based botnet that typically targets exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services.

The malware often relies on compromised Linux servers to scan random public IPs and carry out brute-force login attacks.

Check Point researchers estimate that there are more than 50,000 internet-facing servers that may be vulnerable to the GoBrut attacks.

They say that initial compromise is often obtained through the FTP service on servers running XAMPP, because the default configuration frequently ships with a weak password that remains in place unless the administrator completes the security configuration.

Check Point's report highlights a campaign where a compromised host was infected with TRON wallet-scanning tools that perform sweeps across TRON and Binance Smart Chain (BSC). The attackers used a file containing approximately 23,000 TRON addresses, targeting them with automated utilities to identify and drain wallets with non-zero balances.

Admins defending against GoBruteforcer should avoid using AI-generated deployment guides and rely on non-default usernames with strong, unique passwords.

It is also recommended to check FTP, phpMyAdmin, MySQL, and PostgreSQL for exposed services, and replace outdated software stacks like XAMPP with more secure alternatives. (Bill Toulas / Bleeping Computer)

Related: Check Point, Cyber Security News, GBHackers, Red Hot Cyber

GoBruteforcer's infection chain. Source: Check Point

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a maximum-severity HPE OneView vulnerability as actively exploited in attacks.

HPE's OneView infrastructure management software helps IT admins automate the management of storage, servers, and networking devices from a centralized interface.

Tracked as CVE-2025-37164, this critical security flaw was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to HPE, which released security patches in mid-December.

CVE-2025-37164 affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors through low-complexity code-injection attacks to gain remote code execution on unpatched systems.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE warned on December 16.

There are no workarounds or mitigations for CVE-2025-37164, so HPE advised customers to upgrade to OneView version 11.00 or later (available through HPE's Software Center) as soon as possible.

CISA has also added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, Techzine, Security Affairs, Cyber Security News, The Stack

File-sharing platform ownCloud warned users to enable multi-factor authentication (MFA) to block attackers using compromised credentials from stealing their data.

ownCloud has over 200 million users worldwide, including hundreds of enterprise and public-sector organizations such as the European Organization for Nuclear Research, the European Commission, German tech company ZF Group, insurance firm Swiss Life, and the European Investment Bank.

In a security advisory, the company urged users to enable MFA following a recent report from Israeli cybersecurity company Hudson Rock, which revealed that multiple organizations had their self-hosted file sharing platforms (including some ownCloud Community Edition instances) breached in credential theft attacks.

"The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved," ownCloud said.

"The incidents occurred through a different attack chain: threat actors obtained user credentials via infostealer malware (such as RedLine, Lumma, or Vidar) installed on employee devices. These credentials were then used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled."

ownCloud advised users to immediately enable MFA on their ownCloud instance to secure their data against future attacks and prevent unauthorized access even when their credentials are compromised.

Additionally, ownCloud recommends resetting all user passwords, invalidating all active sessions to force re-authentication, and reviewing access logs for suspicious login activity. (Sergiu Gatlan / Bleeping Computer)

Related: ownCloud, CyberPress, GBHackers, Cyber Security News

Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability.

Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds.

"This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," Veeam explained in a Tuesday advisory.

However, the information technology company adjusted its rating to high severity because it can only be exploited by attackers with the Backup or Tape Operator roles.

"The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such. Following Veeam's recommended Security Guidelines further reduces the opportunity for exploitability," it added.

Veeam released version 13.0.1.1071 on January 6 to patch CVE-2025-59470 and to address two other vulnerabilities, one high-severity (CVE-2025-55125) and one medium-severity (CVE-2025-59468), that enable malicious backup or tape operators to gain remote code execution by creating a malicious backup configuration file or by sending a malicious password parameter, respectively. (Sergiu Gatlan / Bleeping Computer)

Related: Veeam, Security Affairs, Cyber Security News, GBHackers, Security Week, CyberScoop, TechZine, CSO Online

The jsPDF library for generating PDF documents in JavaScript applications is vulnerable to a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by including it in generated files.

The flaw is a local file inclusion and path traversal that allows passing unsanitized paths to the file loading mechanism (loadFile) in jsPDF versions before 4.0. It is tracked as CVE-2025-68428 and received a severity score of 9.2.

The jsPDF library is a widely adopted package with more than 3.5 million weekly downloads in the npm registry.

In jsPDF’s Node.js builds, the 'loadFile' function is used for reading the local filesystem. The problem arises when user-controlled input is passed as the file path, causing jsPDF to embed the content of that file in the generated PDF output.

According to the jsPDF security bulletin, the issue only affects the Node.js builds of the library, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

In a detailed technical report, application security company Endor Labs says that the exploitation risk is low or nonexistent if file paths are hardcoded, come from a trusted configuration, or strict allowlists are used for inputs.

CVE-2025-68428 was fixed in version 4.0.0 of jsPDF by restricting filesystem access by default and relying instead on Node.js permission mode. (Bill Toulas / Bleeping Computer)

Related: Endor Labs, GitHub, Cyber Press

Marks & Spencer Plc said it is accelerating its turnaround plan and maintained its profit guidance as the British retailer seeks to recover from last April’s cyberattack.

Comparable food sales rose 5.6% in the quarter ended Dec. 27, M&S said Thursday, missing analyst estimates but giving what the company said was its highest ever share of the UK grocery market. Sales of clothing and homeware fell 2.9% as the retailer said it is still getting back on track after the disruption.

The Christmas trading period took on extra significance for M&S after the cyberattack disrupted online sales for almost four months earlier in the year. The hit to the retailer, which competes with the likes of Waitrose in food and Next Plc in clothing, came just as its turnaround under Chief Executive Officer Stuart Machin had been gaining momentum. (Maddie Parker / Bloomberg)

Related: This Is Money, Drapers, The Guardian

Best Thing of the Day: We Got Enough Problems to Deal With Baseless Speculation

Cloudflare poured cold water on a theory that the USA’s incursion into Venezuela coincided with a cyberattack on telecoms infrastructure.

Bonus Best Thing of the Day: At Least We Have the EU as a Backstop

As a crisis of nonconsensual AI-generated nudification images spirals out of control, the European Commission ordered Elon Musk's social media platform X to retain all internal documents and data relating to its built-in artificial intelligence chatbot, Grok, until the end of 2026.

Worst Thing of the Day: Soon We'll Need New Server Farms to Host Grok's Nudified Images

Elon Musk's Grok is generating about 6,700 images every hour that were identified as sexually suggestive or nudifying, compared to 79 new AI undressing images per hour on other top websites.

Bonus Worst Thing of the Day: Just When You Thought It Was Safe to Go Into the Water

Donald Trump's US DOGE Service is one of several tech teams that are now looking for talent after having decimated the ranks of US government employees.
