News
Hi folks,
It has been a while :-)
After the last issue I took some more time for myself. Not all for bad reasons though, in fact life is pretty sweet right now. My family is doing great, we're settling into the new house, and I went ahead and started a non-profit!
It's still early days, there's barely even a website, but I'm having so much fun. I haven't felt this driven and motivated in a long while, and it feels goood :-)
It's essentially a non-profit digital engineering company, where we focus on reliable, robust software for critical infrastructure and (real-world) incident response. It's exciting and maybe a little over-ambitious, but I've got a couple of projects going, and am even starting to pull in some help! We'll see where it goes :-) More to come later, I'm sure, but I won't drag this out for now.
I'm not sure what the frequency of securitynewsletter.co will be for the foreseeable future. I'll probably send, well, when I feel like it. I've only recently learned how much of a privilege that is, indeed.
I've gathered the news below that stood out to me from the last few weeks and months. As always, I hope you get value out of it.
Thank you for reading, thank you for waiting, and as always, thank you to 1Password for their support.
Cheers to all,
Dieter
Notepad++ boosts update security with ‘double-lock’ mechanism
During my break there was the big Notepad++ compromise, which happened through their update mechanism. It threw me back to some oldies but goodies among update supply-chain compromises, like NotPetya and SolarWinds.
Curl ending bug bounty program after flood of AI slop reports (2026-01-22)
Curl will end its HackerOne security bug bounty program at the end of this month.
BeyondTrust warns of critical RCE flaw in remote support software
"Approximately 11,000 instances are exposed to the internet including both cloud and on-prem deployments. About ~8,500 of those are on-prem deployments which remain potentially vulnerable if patches aren't applied." Ouch.
CISA will shutter some missions to prioritize others
The agency has lost roughly one-third of its workforce since January 2025.
Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive (2026-01-23)
Those are always interesting :-)
Cyberattack on Polish energy grid impacted around 30 facilities (2026-01-28)
The coordinated attack on Poland's power grid in late December targeted multiple sites across the country, and was likely executed by Sandworm.
And some more news, but shorter:
- Chinese state attackers going after Dell zero-day since mid-2024: link.
- Aisuru botnet sets new record with 31.4 Tbps DDoS attack: link.
- Critical n8n flaws disclosed along with public exploits: link.
- CISA seeks infrastructure sector consultation on incident reporting rule: link.
- Majority of Ivanti EPMM threat activity linked to hidden IP: link.
Microsoft shares workaround for Outlook freezes after Windows update (2026-01-21)
This wouldn't be my newsletter if I didn't punch on Microsoft some. They are on my shit-list ever since their outsourcing of DoD support to China, and I haven't seen a reason yet to take them off it.
I asked ChatGPT just now to list all their screw-ups related to updates in the last six months and it gave me ten items. That's actually a rather impressive screw-up rate, at more than one per month on average. Consider the linked article an amuse-bouche in case you want to dive deeper yourself.
Opening ceremony with robots
This one isn't related to security, really. It just blew my mind. I had no idea we (well, "we") are already at the "choreographed-ninja" stage of humanoid robotics. It's fine.
Hackers (1995) - Animated Experience
This made me actually giggle in delight (yes, giggle, shut up).
Some absolute badass called David Vidovic made a Hackers-like experience where you fly through the terminals of the Gibson's Big Iron, in the browser.
I love the Hackers movie with a passion. It's just so bad and so, so good. If you're in the same boat you'll enjoy the experience. You're in the butterzone now, baby!