
HackingPassion.com

Hacking is not a hobby but a way of life ♥

Linux Inside a PDF

Linux running inside a PDF. An actual working operating system with a terminal where you can type commands. Open a PDF in Chrome. Wait 30 seconds. You now have a working Linux terminal. No installation, no software, just a 6MB file that boots an entire operating system.

A high school student named Allen built this, the same kid who previously crammed Doom into a PDF. Before that he made tools to bypass school software restrictions and exploits to boot Linux on locked-down Chromebooks.

MaliciousCorgi: The VSCode Attack Hiding in Plain Sight - 1.5 Million Installs Affected

Two VSCode extensions with 1.5 million installs are stealing source code right now, not last month. Researchers published their findings on January 22. Three days later, both extensions are still live on Microsoft’s official marketplace. Still collecting downloads. Still harvesting files. 🧐

The extensions are ChatGPT - 中文版 with 1.34 million installs and ChatMoss with 150,000 installs. Both marketed as AI coding assistants. Both work as advertised. Both contain identical spyware that sends everything to servers in China. Researchers named the campaign MaliciousCorgi.

CVE-2026-24061. One Command, Root Access: The 11-Year Telnet Bug

It’s 2026 and attackers are still getting root shells via Telnet with a single command that requires no password whatsoever. 😏

SSH has existed for 31 years. Yet 221,000 telnet servers are still running online, and a bug hidden in the code since 2015 just handed attackers the keys to the kingdom. CVE-2026-24061. CVSS 9.8. Critical.

The vulnerability sat in GNU InetUtils telnetd for almost 11 years before anyone noticed. Security researcher Kyu Neushwaistein found it on January 20, 2026, and by January 21, attackers were already exploiting it in the wild.

Snap Store Domain Hijacking Lets Attackers Push Malware Through Trusted Linux Apps

Attackers found a way to hijack legitimate apps in the Snap Store. 7,000 packages. Millions of Linux users. One victim already lost 9 Bitcoin. That was $490,000. 🧐

The Snap Store is the official app store for Ubuntu and other Linux distributions, run by Canonical. When developers publish apps, they sign up with an email on their own domain. Something like dev@mycoolproject.tech. But domains expire. People forget to renew, move on to other things, and that domain goes back on the market for anyone to grab.

Fake SymPy Package Deploys Fileless Cryptominer on Linux Systems

A fake SymPy package deploys XMRig cryptominers on Linux machines. The malware hides inside polynomial functions. It only activates when you do math. Over 1,000 downloads on day one. Still live on PyPI. The real SymPy has 85 million downloads per month. That is the target size. 🧐

Socket’s Threat Research Team found this on January 21, 2026. The attacker copied SymPy’s entire project description and branding, then uploaded it under a name that looks like a development build. Developers searching for SymPy or copy-pasting requirements might grab the wrong package without noticing.

VoidLink: 88,000 Lines of AI-Built Malware in 6 Days

One developer just built 88,000 lines of advanced malware in six days using AI. A single person with an AI coding assistant created a framework sophisticated enough to target AWS, Azure, Google Cloud, Alibaba, Tencent, Kubernetes pods, and Docker containers. 🧐

Check Point revealed VoidLink on January 20, 2026. A Linux malware framework designed to compromise cloud infrastructure. The malware detects where it runs and changes its behavior based on what it finds.

Cracking Windows Domain Admin Passwords Just Got Simple

Cracking Windows domain admin passwords just got simple. A massive set of rainbow tables just went public, a $600 laptop is enough, and it takes 12 hours max. This flaw has existed since 1999. Microsoft ignored it for 25 years. So Google decided to force the conversation. 🔓

The flaw is in NTLMv1. That’s an authentication protocol from 1993. When a Windows machine logs in over a network, it sends an encrypted response based on the user’s password. The problem? That encryption uses 56-bit DES. Cryptographers declared that dead decades ago.

GhostPoster Malware: How Browser Extensions Hide JavaScript in PNG Icons

Your browser extension logo just became malware. Not the code. The actual image file. A PNG icon sitting in your toolbar, looking normal, hiding JavaScript that takes over your browser. Over 1 million victims through GhostPoster. Part of a larger operation hitting 8.8 million. Seven years undetected. 🧐

Last week, researchers revealed the full scope of a campaign they call GhostPoster. Koi Security published the first findings in December 2025. LayerX followed up with additional discoveries on January 15, 2026. And it is worse than anyone thought.

GootLoader Tricks Security Tools Into Seeing a Safe File While Windows Runs Malware

GootLoader is back. This week, researchers discovered their newest trick: a way to make security tools completely blind. Your antivirus scans the ZIP file. Nothing found. WinRAR tries to open it. Fails. 7-Zip tries. Also fails. Corrupted file, right? But when you double-click it, Windows opens it just fine. And now you’re infected. 🧐

The trick is simple but brilliant. They take 500 to 1000 ZIP files and glue them together into one massive file. Most analysis tools read ZIP files from the beginning. They hit the first archive, see garbage, and crash. But here is the thing about ZIP files. They are actually read from the END. The “End of Central Directory” record tells the reader where to find the actual content. Windows knows this. It skips all the junk, finds the last valid archive, and happily extracts the malware.

Two Missing Characters Nearly Compromised the AWS Supply Chain

Netflix. Twitch. iCloud. The servers of the CIA and NSA. 30% of all cloud infrastructure worldwide runs on Amazon Web Services. Two missing characters in a regex filter nearly compromised all of it. 😬

A ^ at the start and a $ at the end. That’s what was missing from a security filter, and that’s all it would have taken for attackers to inject malicious code into the AWS JavaScript SDK.