Top 5 Cybersecurity News Stories January 23, 2026

Cybersecurity threats are constantly evolving as threat actors seek access to your data and money. To help you stay secure, we have searched the internet for the top five cybersecurity news stories of the week that we think you should be aware of.  No story is too big or small as we look at threats from espionage to security flaws in everyday devices:

1. LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords

LastPass has issued an alert about a phishing campaign impersonating the company to steal users’ master passwords. Attackers send emails claiming urgent system maintenance, urging recipients to back up their vaults within 24 hours.

These messages redirect users to a fraudulent domain designed to harvest credentials. LastPass confirms that it never requests master passwords or demands immediate action, and it is collaborating with partners to dismantle the malicious infrastructure. Users are advised to remain vigilant, verify sender legitimacy, and report suspicious messages.
Read more on The Hacker News

2. Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading

Cybersecurity researchers have identified a phishing campaign leveraging LinkedIn private messages to distribute Remote Access Trojan (RAT) malware. Attackers target high-value individuals, sharing malicious WinRAR SFX files that execute a DLL sideloading attack using a legitimate PDF reader.

The payload installs a Python interpreter configured to run at login and execute in-memory shellcode, enabling persistent remote access and data exfiltration. The campaign exploits trust in social platforms, bypassing traditional email-based monitoring. Researchers describe it as broad and opportunistic, with activity spanning multiple sectors globally.
Read more on The Hacker News

3. Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs

Two high-severity vulnerabilities, CVE-2026-22218 and CVE-2026-22219, were discovered in the Chainlit AI framework, enabling arbitrary file reads and SSRF attacks. Exploiting these flaws allows attackers to access sensitive environment variables, API keys, internal file paths, and potentially leak database files.

When chained, the vulnerabilities enable privilege escalation and lateral movement within affected environments. Chainlit patched the issues in version 2.9.4 following responsible disclosure. Researchers warn that widespread adoption of AI frameworks increases the risk of embedding traditional software vulnerabilities into AI infrastructure, expanding attack surfaces across cloud-connected deployments.
Read more on The Hacker News

4. Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026

Researchers demonstrated successful exploits against Tesla’s infotainment system at Pwn2Own Automotive 2026, earning $516,500 after executing 37 zero-day vulnerabilities. Teams used chained flaws, such as information leaks and out-of-bounds writes, to gain root permissions.

Additional automotive targets included EV chargers and digital media receivers from multiple vendors, with several teams earning substantial rewards for successful compromises. The event highlights the expanding attack surface in modern vehicles and the need for rapid vendor patching, with manufacturers given 90 days to release fixes before public disclosure.
Read more on BleepingComputer

5. ACF plugin bug gives hackers admin on 50,000 WordPress sites

A critical vulnerability in the ACF Extended plugin (CVE-2025-14533) allows unauthenticated attackers to gain administrator privileges on affected WordPress sites. The flaw stems from insufficient role restriction enforcement within “Insert User / Update User” forms, enabling arbitrary assignment of the administrator role.

Although fixed in version 0.9.2.2, approximately 50,000 sites remain at risk. Security researchers emphasize that exploitation depends on sites using forms with mapped role fields. Large-scale reconnaissance activity indicates that attackers are actively scanning plugins to identify vulnerable installations.
Read more on BleepingComputer

At DIESEC, our experts are ready to assist with all your cybersecurity needs. We ensure your system is safe and secure and provide training for your employees to avoid falling victim to social engineering tactics.

For more information, please contact us now!