HackingPassion.com

Hacking is not a hobby but a way of life ♥

Pixel 9 Zero-Click Exploit: How a Single Audio Message Can Compromise Your Phone

Someone sends you an audio message. You don’t open it, you don’t play it, you don’t even look at your phone. And you’re already hacked. 😏 Google Project Zero just published a three-part series this week showing exactly how they built a working exploit chain for the Pixel 9. No clicks required and no interaction at all. Just receive a message and your phone is compromised.

CVE-2025-54957

The vulnerability sits in Dolby’s audio decoder, a component that ships on almost every Android phone sold today. Pixel, Samsung, and dozens of other brands all use it. When someone sends you an audio message through SMS or RCS (the default messaging on most Android phones), your phone automatically decodes it for transcription. Before you even see the notification, the malicious code is already running.

Microsoft Patches Copilot Vulnerability That Leaked Data with One Click

January 13, 2026. Microsoft patches a vulnerability in Copilot that let attackers steal personal data with a single click. The security bypass that worked for five months? Tell the AI to do everything twice. Microsoft has spent $80 billion on AI infrastructure and plans $120 billion more for 2026, but the safeguards protecting your data failed against a one-line prompt. 🤔

Varonis Threat Labs discovered a way to steal personal data from Microsoft Copilot using nothing more than a single click on a link, with no plugins required and no further user interaction needed. The attack continues running even after the victim closes the browser tab.

CVE-2023-31096: Microsoft Modem Driver Exploit Fixed Three Years Later

In January 2026, Microsoft had already patched 114 vulnerabilities! Four modem drivers deleted since October. Companies that wrote them: gone. Source code: inaccessible. Microsoft’s only option: remove them entirely. Meanwhile, ransomware groups are loading over 900 other vulnerable drivers that still ship with Windows. 😱 Hackers discovered they could use a 20-year-old telephone code to take over any Windows machine. No hardware required.

One vulnerability stood out: CVE-2023-31096. A CVE number from 2023. Fixed in 2026. Three years later.

SAP Just Got Breached: Four Critical Vulnerabilities Let Attackers Steal Financial Data (CVE-2026-0501)

SAP just patched four critical vulnerabilities. CVSS scores up to 9.9. One lets attackers run code with nothing but a malicious link. 425,000 companies run SAP. Over 85% of Fortune 500. The patches dropped today, January 13, 2026. 🧐

SAP Patch Tuesday just landed with seventeen security notes. Four are HotNews - SAP’s term for “patch immediately or accept the consequences.”

The most severe vulnerability lets someone with a basic user account run arbitrary SQL queries against the entire financial database.

Your iPhone Just Got Owned: iOS WebKit Zero-Days Require No Click (CVE-2025-43529)

Your iPhone can be compromised by loading a webpage. No click. No download. Just visit the wrong site. Apple patched this a month ago. Only 16% of users have updated. 🤔

StatCounter data from January 2026:

→ iOS 26 (all versions): 16% of iPhones

→ iOS 18 (unpatched): over 60% of iPhones

For comparison, iOS 18 reached 63% adoption by January 2025. iOS 26 is at less than one quarter of that rate. The lowest adoption Apple has seen in years.

52-Year-Old Unix Tape Reveals the Same Buffer Overflow We're Still Making Today

A 52-year-old tape just revealed a buffer overflow that looks exactly like the bugs we’re still finding today. 😏

In July 2025, someone found a magnetic tape from 1973 in a storage room at the University of Utah. Handwritten on the label: “UNIX Original From Bell Labs V4”. This turned out to be the only surviving copy of Unix v4, the 1973 version where Ken Thompson and Dennis Ritchie rewrote the entire operating system from assembly into C.

Ni8mare: n8n Vulnerability Gives Full Admin Access with One HTTP Header Change

100,000 servers. One HTTP header change. Full admin access. No password required. They call it “Ni8mare.” CVSS 10.0. The patch existed for 7 weeks. The release notes mentioned nothing. 😏

CVE-2026-21858. “Ni8mare.” The name says it all.

n8n is a workflow automation platform. Think Zapier, but open source and self-hosted. Over 100 million Docker pulls. Used by Vodafone, Delivery Hero, StepStone. Thousands of enterprises run their entire automation infrastructure on it, with 400+ integrations connecting everything in one central hub.

Notion AI Leaks Data Before You Click OK: Prompt Injection Hits 100 Million Users

Notion AI steals data before the user clicks OK. 100 million users. 4 million paying customers. Amazon. Nike. Uber. Pixar. More than half of Fortune 500 companies trust this $10 billion platform with their documents. And a hidden PDF can extract everything. 😏 Two major vulnerabilities since September 2025. Notion’s response to the latest one: “Not Applicable.”

Someone uploads a document to Notion AI. A resume, a customer report, anything. Looks completely normal. But hidden inside is white text on white background, 1-point font size, with a white square image placed over it for good measure. Invisible to humans. The AI reads it perfectly.

Malicious Chrome Extensions Steal ChatGPT Conversations from 900,000 Users

Two Chrome extensions. 900,000 users. Every ChatGPT and DeepSeek conversation stolen. Sent to attacker servers every 30 minutes. Google gave one of them a Featured badge. The extensions are still live in the Chrome Web Store right now. 🤔

This is the third major case in three weeks. First the sleeper extensions that waited 7 years before activating. Then Urban VPN selling 8 million users’ AI chats to data brokers. Now this. Security researchers have a name for it: “Prompt Poaching.” And it’s becoming a gold rush.

Fake Blue Screen of Death Installs $5 RAT Malware via ClickFix Attack

$5 buys two months of complete access to someone’s computer. Keylogging, webcam, passwords, files. The malware is called DCRat. The delivery method: a fake Blue Screen of Death that tricks people into hacking themselves. 😱

ClickFix attacks surged 517% in six months. Now the second most common attack vector after phishing. 8% of all blocked attacks. The campaign is called PHALT#BLYX. Securonix published their analysis January 5, 2026.

An email arrives with subject “Reservation Cancellation.” Sender appears to be Booking.com. The message mentions a refund over €1,000 and urges the recipient to click and review. Booking.com has been a popular target before, with similar campaigns in 2023 and 2024.