InfoSec News 21JAN2026
General
- Brian Krebs has just dropped part three of his investigation into the Kimwolf botnet.
- Check Point researchers - who first revealed the VoidLink malware (15JAN2026 news) - are suggesting it may have been built with a large amount of LLM assistance. They've uncovered initial specifications (using Spec Driven Design), and subsequent task artefacts that align with use of "an AI-centric IDE" (Integrated Development Environment) called TRAE.
- [UK] The UK is launching a new "Report Fraud" service that promises to keep people informed as their reporting leads to investigations. Underneath - analytics, including Palantir Foundry.
- [UK] Dell is suing VMware for not honouring contracts to extend support for perpetual VMware licences.
- [US] Efforts are underway to keep the CISA Act limping along - only ten days remain for it to pass, before existing (temporary) funding expires.
Getting Techy
- An interesting (now closed) window in Cloudflare WAF, built to support ACME automated certificate issuance (potentially something similar exists in other WAF products).
- A classic race condition in the Flashbots relay for Ethereum.
- A humorous retro bug in telnetd that's over ten years old.
Privacy
- [US] The Supreme Court will hear a challenge to the constitutionality of geofence warrants.
According to Chatrie’s lawyers’ petition to the Supreme Court, Google saw a 1,500% increase in geofence warrant requests from 2017 to 2018. An increase of an additional 500% occurred in 2019, according to Harvard Law Review. The warrants are still used today.
...
After Chatrie challenged the geofence warrant used in his case as unconstitutional, a federal judge agreed the search likely violated the Fourth Amendment, but declined to prevent prosecutors from introducing the evidence collected from the warrant.
- [US] Admissions that DOGE accessed information, "even after a court order prohibited it". They may also have illegally shared information for political activities, in contravention of the Hatch Act.
(SSA = Social Security Administration)
SSA determined in its recent review that in March 2025, a political advocacy group contacted two members of SSA’s DOGE Team with a request to analyze state voter rolls that the advocacy group had acquired. The advocacy group’s stated aim was to find evidence of voter fraud and to overturn election results in certain States.
AI
- OpenAI is pushing to win back users with a limited-time free-for-a-month ChatGPT Plus offering.
- Another day, another LLM subverted - Google Gemini convinced to leak private calendar info, via a calendar invite. In short - send a calendar invite with instructions, wait for the trigger to be used (e.g. "what's my calendar look like for today"), leak data via new calendar entry.
- One more subversion - chaining MCP (Model Context Protocol) servers together.