
HackingPassion.com

Hacking is not a hobby but a way of life ♥

Ollama Security Failure Exposes 175,000 AI Servers to Attackers

175,000 AI servers wide open to the internet. 130 countries. Attackers are selling access to other people’s hardware at a 50% discount, and using it for spam, phishing, and worse. 🧐

Running AI locally sounds like the safe option. No cloud, no third parties, everything stays on your own machine. So people install Ollama, fire up a language model, and assume they’re good. Except Ollama ships with no authentication at all, so the common tweak of binding it to 0.0.0.0 (to reach it from a web UI or a Docker container) publishes the entire API to anyone who knows where to look, and a lot of people know where to look.
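The check a practitioner wants here is twofold: does the configured bind address leave Ollama on a public interface, and does the API answer an unauthenticated request? The script below is an added example, not the article's or Ollama's own code. It assumes Ollama's documented defaults (127.0.0.1:11434, configurable through OLLAMA_HOST, no built-in auth) and that an open server answers GET /api/tags with a JSON object carrying a `models` list; the sample response in the comments is constructed.

```python
"""Check whether an Ollama API is reachable without credentials.

Added example, not HackingPassion's or Ollama's code. Assumes Ollama's
documented behaviour: the API listens on 127.0.0.1:11434 unless
OLLAMA_HOST changes that, and there is no built-in authentication.
"""
import json
import socket
import urllib.request
from urllib.error import URLError

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def parse_ollama_host(value):
    """Return (host, port) for an OLLAMA_HOST value.

    Handles the forms Ollama accepts: "", "host", "host:port", ":port",
    "[v6]:port" and a leading http:// scheme. This is a simplified reading
    of the upstream parser (assumption), enough for an exposure check.
    """
    value = (value or "").strip()
    if "://" in value:                      # drop "http://" if present
        value = value.split("://", 1)[1]
    host, port = "127.0.0.1", 11434         # Ollama's defaults
    if value.startswith("["):               # bracketed IPv6, e.g. [::]:11434
        host_part, _, rest = value[1:].partition("]")
        host = host_part
        if rest.startswith(":") and rest[1:].isdigit():
            port = int(rest[1:])
    elif value.count(":") == 1:             # host:port or :port
        h, p = value.split(":")
        host = h or host
        if p.isdigit():
            port = int(p)
    elif value:                             # bare host (or raw IPv6 like ::1)
        host = value
    return host, port


def bind_exposure(value):
    """Classify an OLLAMA_HOST value by how far the API is reachable."""
    host, _ = parse_ollama_host(value)
    if host in LOOPBACK:
        return "loopback"
    if host in WILDCARD:
        return "all-interfaces"
    return "specific-interface"


def classify_response(status, body):
    """Interpret the reply to an unauthenticated GET /api/tags.

    Constructed open reply: 200 {"models":[{"name":"llama3:latest"}]}
    """
    if status != 200:
        return "not-open"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-ollama"
    if isinstance(data, dict) and isinstance(data.get("models"), list):
        return f"open ({len(data['models'])} models listed)"
    return "not-ollama"


def probe(host, port=11434, timeout=3.0):
    """Ask a live host for its model list with no credentials at all."""
    url = f"http://{host}:{port}/api/tags"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except (URLError, socket.timeout, OSError):
        return "unreachable"


if __name__ == "__main__":
    import os
    print("configured bind:", bind_exposure(os.environ.get("OLLAMA_HOST")))
    print("localhost probe:", probe("127.0.0.1"))
```

If `bind_exposure` says anything other than `loopback` and `probe` against the public address comes back `open`, the fix is to put the API behind a reverse proxy that enforces authentication, or to bind it to loopback and reach it over an SSH tunnel or a private network; Ollama itself has nothing to switch on.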

AI Finds 12 OpenSSL Vulnerabilities Including a 27-Year-Old Bug

An AI just found 12 zero-day vulnerabilities in OpenSSL. All 12. In a single release. One of those bugs is older than OpenSSL itself, sitting in the code since 1998. 🧐

OpenSSL is the cryptographic library behind TLS for roughly two-thirds of all internet traffic, and it is deployed in an estimated 95% of IT organizations worldwide. Banks use it. Hospitals use it. Governments use it. Cloud platforms, enterprise applications, operating systems, critical infrastructure. When OpenSSL has a vulnerability, the entire internet has a problem.

One Windows Update, Ten Problems, Two Emergency Patches

Microsoft pushed one security update. It broke at least 10 different things. 114 security fixes. Two emergency patches. PCs that won’t boot. Outlook that crashes. Remote Desktop that fails. Shutdown buttons that do nothing. And Microsoft is still investigating why some systems show a black screen and never start again. 🧐

A Windows and Microsoft story that keeps getting worse.

This was one of the largest Patch Tuesday releases in history. 114 vulnerabilities fixed, 8 rated Critical, 106 Important. The breakdown: 57 privilege escalation flaws, 22 remote code execution bugs, and 22 information disclosure vulnerabilities. Three zero-days in total, one actively exploited in the wild and two publicly known before Microsoft could patch them. Across 2025, Microsoft patched 1,130 CVEs, 12% more than in 2024.

Office Zero-Day Actively Exploited - CVE-2026-21509

Microsoft Office zero-day actively exploited. Every version from Office 2016 through Microsoft 365, including LTSC 2021 and 2024, over 400 million users. Attackers bypass all the protections Microsoft built to stop malicious documents. Just open the file, and they are in. Microsoft pushed an emergency patch on a Sunday. 🧐

CVE-2026-21509. CVSS 7.8.

Someone sends a Word document, an Excel file, a PowerPoint. The target opens it. No macro warning pops up, no “enable content” button appears. The embedded object just executes and the attacker has access.

Linux Inside a PDF

Linux running inside a PDF. An actual working operating system with a terminal where you can type commands. Open a PDF in Chrome. Wait 30 seconds. You now have a working Linux terminal. No installation, no software, just a 6MB file that boots an entire operating system.

A high school student named Allen built this, the same kid who previously crammed Doom into a PDF. Before that he made tools to bypass school software restrictions and exploits to boot Linux on locked-down Chromebooks.

MaliciousCorgi: The VSCode Attack Hiding in Plain Sight - 1.5 Million Installs Affected

Two VSCode extensions with 1.5 million installs are stealing source code right now, not last month. Researchers published their findings on January 22. Three days later, both extensions are still live on Microsoft’s official marketplace. Still collecting downloads. Still harvesting files. 🧐

The extensions are ChatGPT - 中文版 (Chinese Edition) with 1.34 million installs and ChatMoss with 150,000 installs. Both marketed as AI coding assistants. Both work as advertised. Both contain identical spyware that sends everything to servers in China. Researchers named the campaign MaliciousCorgi.

CVE-2026-24061. One Command, Root Access: The 11-Year Telnet Bug

It’s 2026 and attackers are still getting root shells via Telnet with a single command that requires no password whatsoever. 😏

SSH has existed for 31 years. Yet 221,000 telnet servers are still running online, and a bug hidden in the code since 2015 just handed attackers the keys to the kingdom. CVE-2026-24061. CVSS 9.8. Critical.

The vulnerability sat in GNU InetUtils telnetd for almost 11 years before anyone noticed. Security researcher Kyu Neushwaistein found it on January 20, 2026, and by January 21, attackers were already exploiting it in the wild.

Snap Store Domain Hijacking Lets Attackers Push Malware Through Trusted Linux Apps

Attackers found a way to hijack legitimate apps in the Snap Store. 7,000 packages. Millions of Linux users. One victim already lost 9 Bitcoin. That was $490,000. 🧐

The Snap Store is the official app store for Ubuntu and other Linux distributions, run by Canonical. When developers publish apps, they sign up with an email on their own domain. Something like dev@mycoolproject.tech. But domains expire. People forget to renew, move on to other things, and that domain goes back on the market for anyone to grab. Whoever registers it next controls that mailbox, and with it the account recovery for every package published under that address.

Fake SymPy Package Deploys Fileless Cryptominer on Linux Systems

A fake SymPy package deploys XMRig cryptominers on Linux machines. The malware hides inside polynomial functions. It only activates when you do math. Over 1,000 downloads on day one. Still live on PyPI. The real SymPy has 85 million downloads per month. That is the target size. 🧐

Socket’s Threat Research Team found this on January 21, 2026. The attacker copied SymPy’s entire project description and branding, then uploaded it under a name that looks like a development build. Developers searching for SymPy or copy-pasting requirements might grab the wrong package without noticing.
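A copy-pasted requirements file is exactly where a lookalike name slips through, so a cheap pre-install check is to compare every requested name against the packages you actually trust. The script below is an added example, not Socket's or SymPy's code. The trusted list, the suffix list and the sample requirements lines are constructed for illustration; names are normalised the way PyPI does (PEP 503) before comparison.

```python
"""Flag dependency names that look like typosquats of trusted packages.

Added example, not Socket's or SymPy's code. TRUSTED, SUSPICIOUS_SUFFIXES
and the sample requirements text are constructed for this demonstration.
"""
import re

TRUSTED = {"sympy", "numpy", "scipy", "requests"}
# Tokens that attackers bolt onto a real name to look like a variant build.
SUSPICIOUS_SUFFIXES = {"dev", "nightly", "beta", "pro", "new", "py", "python", "latest"}


def normalize(name):
    """PEP 503 normalisation: case-fold, collapse runs of - _ . to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Extract the project name from a requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http")):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def classify(name):
    """Return (verdict, trusted_name_it_resembles_or_None)."""
    n = normalize(name)
    if n in TRUSTED:
        return ("trusted", n)
    parts = n.split("-")
    # sympy-dev, sympy_nightly, python-sympy: real name plus a variant token.
    if len(parts) > 1:
        if parts[-1] in SUSPICIOUS_SUFFIXES and "-".join(parts[:-1]) in TRUSTED:
            return ("suspicious-suffix", "-".join(parts[:-1]))
        if parts[0] in SUSPICIOUS_SUFFIXES and "-".join(parts[1:]) in TRUSTED:
            return ("suspicious-prefix", "-".join(parts[1:]))
    # sym-py, sympy2, reqeusts: separator games and one- or two-edit lookalikes.
    compact = n.replace("-", "")
    for trusted in TRUSTED:
        if compact == trusted:
            return ("lookalike", trusted)
        limit = 1 if len(trusted) <= 5 else 2
        if levenshtein(n, trusted) <= limit:
            return ("lookalike", trusted)
    return ("unknown", None)


def audit(requirements_text):
    """Return [(name, verdict, resembles)] for every line that is not trusted."""
    findings = []
    for line in requirements_text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        verdict, target = classify(name)
        if verdict != "trusted":
            findings.append((name, verdict, target))
    return findings


# Constructed sample input, not a real project's requirements file.
SAMPLE_REQUIREMENTS = """\
-r base.txt
sympy>=1.12      # real
SymPy_Dev        # variant-build name
sympy2==0.1
reqeusts
flask
"""

if __name__ == "__main__":
    for name, verdict, target in audit(SAMPLE_REQUIREMENTS):
        print(f"{name:12} {verdict:18} {target or ''}")
```

A `lookalike` verdict is a prompt to check the project page, not proof of malice: `simpy` is one edit from `sympy` and is a legitimate discrete-event simulation library, which is exactly why the script reports the trusted name it resembles instead of blocking outright.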

VoidLink: 88,000 Lines of AI-Built Malware in 6 Days

One developer just built 88,000 lines of advanced malware in six days using AI. A single person with an AI coding assistant created a framework sophisticated enough to target AWS, Azure, Google Cloud, Alibaba, Tencent, Kubernetes pods, and Docker containers. 🧐

Check Point revealed VoidLink on January 20, 2026. A Linux malware framework designed to compromise cloud infrastructure. The malware detects where it runs and changes its behavior based on what it finds.