Welcome to 2026 — It's Already Chaos
Hey there,
Cipherceval here with your weekly dose of cybersecurity chaos. Episode 60 just dropped, and let me tell you — 2026 is not messing around. We've got five major stories this week, and honestly, any one of them could have been its own episode.
Let's break it down.
Story 1
🟥 Microsoft Office Zero-Day (CVE-2026-21509)
The bottom line: Microsoft dropped an emergency out-of-band patch for an actively exploited zero-day affecting Office 2016 through Microsoft 365.
What's happening: This is a security feature bypass that lets attackers circumvent OLE mitigations. In plain English? The security check is looking at something the attacker controls — and the attacker lies.
The good news: It's not a preview pane attack. You have to actually open a malicious file.
The bad news: Tricking users into opening Office documents has never been an insurmountable problem for attackers. That's literally the bread and butter of phishing campaigns.
What you need to do:
Office 2021+ users: Restart your Office applications (server-side fix requires app restart)
Office 2016/2019 users: Apply registry mitigations from Microsoft's advisory (patches coming "soon")
CISA deadline: February 16, 2026
Cipher-ism: Update your stuff. A patch does you no good if it isn't installed.
Story 2
📘 WordPress Modular DS (CVE-2026-23550)
CVSS Score: 10.0 — That's the golden goose of hacking.
What is it: Modular DS is a WordPress plugin that lets you manage multiple sites from one dashboard. Over 40,000 active installations. Convenient, right? Well, the problem with convenience is it usually comes at the cost of security.
The vulnerability: Unauthenticated privilege escalation. Here's the attack chain:
Supply the origin=mo parameter (bypasses authentication)
Hit the login endpoint
Auto-login as administrator
Game over.
Yes, really. A magic parameter grants admin access. Security by obscurity does not work, folks.
Timeline:
January 13, 2026 (~2:00 UTC): First attacks detected (BEFORE public disclosure)
Hours later: Vendor released v2.5.2
January 16: v2.6.0 released (initial fix missed some exploit paths)
Attacker IPs: 45.11.89.19, 185.196.0.11
Post-compromise IOCs: Rogue admin accounts like "support2026" or "admin_backup", malicious plugins/themes
Action required: Update to version 2.6.0 or later. Not 2.5.2 — specifically 2.6.0+. Then audit your admin users and installed plugins.
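To make that "update, then audit" step concrete, here's an added check I wrote for this write-up. It is not code from the episode, from Modular DS, or from the vendor. It uses only what the story above gives us: the fix threshold (2.6.0, with 2.5.2 explicitly not enough), the first-attack time (~2:00 UTC, January 13, 2026), the two attacker IPs, and the rogue-admin names seen after compromise. The admin-user list and access-log lines are constructed samples; the user fields ("login", "role", "registered") are an assumption about how you'd export them, not a Modular DS or WordPress API.

```python
"""Post-update audit for the Modular DS story (constructed example).

Three checks: is the installed plugin version actually at or past the real
fix; do any administrator accounts look like the post-compromise IoCs; and do
the web server logs show the known attacker IPs. All sample data is made up.
"""
from datetime import datetime, timezone

FIXED_VERSION = (2, 6, 0)                     # page: 2.5.2 missed paths; need 2.6.0+
ATTACKER_IPS = {"45.11.89.19", "185.196.0.11"}  # page IoCs
ROGUE_NAME_HINTS = ("support2026", "admin_backup")  # page IoCs
FIRST_ATTACK = datetime(2026, 1, 13, 2, 0, tzinfo=timezone.utc)  # page: ~2:00 UTC


def parse_version(version):
    """'v2.6' -> (2, 6, 0); pads to three parts so '2.6' compares as 2.6.0."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version):
    """True for anything older than the real fix, including the partial 2.5.2."""
    return parse_version(version) < FIXED_VERSION


def rogue_admins(users):
    """Flag administrator accounts whose name matches an IoC or that were
    registered after the first attacks. 'registered' is ISO 8601 (assumed format).
    Returns a list of (login, [reasons])."""
    flagged = []
    for user in users:
        if user["role"] != "administrator":
            continue
        registered = datetime.fromisoformat(user["registered"])
        if registered.tzinfo is None:
            registered = registered.replace(tzinfo=timezone.utc)
        reasons = []
        if any(hint in user["login"].lower() for hint in ROGUE_NAME_HINTS):
            reasons.append("name matches post-compromise IoC")
        if registered >= FIRST_ATTACK:
            reasons.append("created after first attacks")
        if reasons:
            flagged.append((user["login"], reasons))
    return flagged


def attacker_hits(log_lines):
    """Return access-log lines whose client IP is one of the known attacker IPs."""
    return [line for line in log_lines if line.split(" ", 1)[0] in ATTACKER_IPS]


# --- constructed sample data ---------------------------------------------
SAMPLE_USERS = [
    {"login": "site_owner", "role": "administrator", "registered": "2021-03-02T10:00:00+00:00"},
    {"login": "support2026", "role": "administrator", "registered": "2026-01-13T03:14:00+00:00"},
    {"login": "editor_jane", "role": "editor", "registered": "2026-01-14T00:00:00+00:00"},
    {"login": "admin_backup", "role": "administrator", "registered": "2025-12-20T00:00:00+00:00"},
]
SAMPLE_LOG = [
    '45.11.89.19 - - [13/Jan/2026:02:03:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Jan/2026:09:12:00 +0000] "GET / HTTP/1.1" 200 8912',
    '185.196.0.11 - - [13/Jan/2026:02:05:40 +0000] "GET /wp-login.php HTTP/1.1" 302 0',
]


def audit(installed_version, users, log_lines):
    """Combine the three checks into one report dict."""
    return {
        "needs_update": is_vulnerable(installed_version),
        "rogue_admins": rogue_admins(users),
        "attacker_hits": attacker_hits(log_lines),
    }


if __name__ == "__main__":
    report = audit("2.5.2", SAMPLE_USERS, SAMPLE_LOG)
    print("needs update:", report["needs_update"])
    for login, reasons in report["rogue_admins"]:
        print("rogue admin:", login, "->", "; ".join(reasons))
    for line in report["attacker_hits"]:
        print("attacker hit:", line)
```

The point of the version check is the one the story makes: 2.5.2 looks patched and isn't, so the comparison is against 2.6.0, not "newer than what I had". The admin audit flags on either signal (name or creation time) because an attacker who read the same advisory will pick a less obvious name next time.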
Story 3
🔒 Chrome Extensions Stealing AI Chats
Campaign name: Prompt Poaching (great name, honestly)
The discovery: OX Security researchers found two malicious Chrome extensions exfiltrating ChatGPT and DeepSeek conversations to attacker-controlled C2 servers. Every 30 minutes, your data gets batched up, base64 encoded, and shipped off.
The scale: 900,000+ downloads combined.
The kicker: One of them — "ChatGPT for Chrome with GPT-5, Claude Sonnet, and DeepSeek AI" — had Google's Featured badge. You know, the mark that's supposed to indicate quality and trust.
The extensions:
ChatGPT for Chrome with GPT-5, Claude Sonnet, and DeepSeek AI (600,000+ users)
AI Sidebar with DeepSeek, ChatGPT, Claude and more (300,000+ users)
C2 domains: deepaichats[.]com, chatsaigpt[.]com
Technical details: They leverage the Chrome tabs.onUpdated API to detect when you navigate to ChatGPT or DeepSeek, then interact directly with the DOM to extract prompts, responses, and session metadata.
Why it matters: Think about what people share with AI chatbots — proprietary code, business strategies, customer data, internal URLs, corporate secrets. That data can be weaponized for espionage, identity theft, or sold on underground forums.
The law of spam applies: Cast a wide enough net, and someone will bite. 900,000 people installed these.
Action: Remove these extensions immediately. Be skeptical of ANY browser extension, even ones with good ratings and featured badges.
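The two details that stood out to me in the OX Security write-up are detectable from the network side: the fixed C2 domains, and the 30-minute, base64-encoded batching. Here's an added detection I wrote for this newsletter (not code from OX Security, from the episode, or from the extensions themselves) that runs over proxy logs and flags both. The C2 domains come from the story; the 30-minute period does too. The log line format, the two-minute jitter tolerance, and the benign hosts are my own constructed assumptions. The second check is deliberately broader than the story: it flags any host receiving base64-looking POST bodies on a regular half-hour cadence, since the next campaign will use different domains.

```python
"""Proxy-log detection for the 'Prompt Poaching' pattern (constructed example).

Check 1: requests to the two C2 domains named in the story.
Check 2: hosts that receive base64-looking POST bodies at a ~30-minute cadence,
         which catches the same behaviour under a new domain.
Log format (assumed): "<ISO timestamp> <METHOD> <host> <path> <body-or-dash>".
"""
import base64
import re
from collections import defaultdict
from datetime import datetime

C2_DOMAINS = {"deepaichats.com", "chatsaigpt.com"}  # page IoCs, refanged
BEACON_PERIOD_S = 30 * 60   # page: conversations batched and shipped every 30 minutes
TOLERANCE_S = 120           # assumption: allowed scheduling jitter
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def refang(domain):
    """'deepaichats[.]com' -> 'deepaichats.com' for matching against logs."""
    return domain.replace("[.]", ".")


def looks_base64(text):
    """Heuristic: alphabet, length multiple of 4, and strict decode succeeds."""
    if len(text) < 16 or len(text) % 4 or not B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def parse_line(line):
    ts, method, host, path, body = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "method": method,
        "host": host,
        "path": path,
        "body": body,
    }


def analyze(lines):
    """Return a sorted list of (host, reason) findings."""
    findings = set()
    b64_posts = defaultdict(list)
    for event in map(parse_line, lines):
        if event["host"] in C2_DOMAINS:
            findings.add((event["host"], "known C2 domain"))
        if event["method"] == "POST" and looks_base64(event["body"]):
            b64_posts[event["host"]].append(event["ts"])
    for host, stamps in b64_posts.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # need at least two intervals, all close to the 30-minute period
        if len(deltas) >= 2 and all(abs(d - BEACON_PERIOD_S) <= TOLERANCE_S for d in deltas):
            findings.add((host, "periodic base64 POSTs"))
    return sorted(findings)


# --- constructed sample log --------------------------------------------------
SAMPLE_PAYLOAD = base64.b64encode(b'{"site":"chatgpt","prompt":"constructed sample"}').decode()
SAMPLE_LOG = [
    f"2026-01-20T10:00:05Z POST chatsaigpt.com /upload {SAMPLE_PAYLOAD}",
    "2026-01-20T10:05:00Z GET deepaichats.com /config -",
    f"2026-01-20T10:10:00Z POST api.example.com /v1/sync {SAMPLE_PAYLOAD}",
    "2026-01-20T10:11:00Z GET example.org /index.html -",
    f"2026-01-20T10:12:00Z POST api.example.com /v1/sync {SAMPLE_PAYLOAD}",
    f"2026-01-20T10:30:09Z POST chatsaigpt.com /upload {SAMPLE_PAYLOAD}",
    f"2026-01-20T10:50:00Z POST api.example.com /v1/sync {SAMPLE_PAYLOAD}",
    f"2026-01-20T11:00:02Z POST chatsaigpt.com /upload {SAMPLE_PAYLOAD}",
]

if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

api.example.com also posts base64 bodies, but at irregular intervals, so it is not flagged; that is the difference between "uses base64" (almost everything does) and "beacons on a schedule". Feed this real proxy exports with the format adjusted and the domain list refreshed, and treat a periodic-POST hit as a prompt to look at which extension owns that traffic.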
Story 4
📡 Brightspeed Data Breach
Threat actor: Crimson Collective
Victim: Brightspeed — US fiber broadband provider operating across 20 states, serving 1M+ customers
Claimed data: Names, billing addresses, email addresses, phone numbers
Status: Investigation ongoing. Brightspeed has NOT confirmed a breach occurred.
The bigger picture: This is part of a broader 2026 trend — extortion groups increasingly targeting telecoms and ISPs because of the sheer volume of customer data they hold.
If you're a Brightspeed customer: Watch for phishing attempts using any exposed information to seem more legitimate. When in doubt, find an official phone number and call the company directly.
Story 5
👤 Cybersecurity Pros Plead Guilty to Ransomware
This one is... infuriating. Disappointing. Like, what even is this?
The defendants:
Ryan Goldberg — Former incident response manager at Sygnia
Kevin Martin — Former ransomware negotiator at DigitalMint
The charges: Conspiracy to commit extortion as BlackCat/ALPHV ransomware affiliates
Let that sink in. One guy was doing incident response — helping companies recover from attacks. The other was a ransomware negotiator — someone companies hired to negotiate with attackers. And they were both moonlighting as ransomware affiliates.
The numbers:
Active period: May - November 2023
Ransom demands: $300K - $10M
Confirmed payments: $1.27M+
Victims: Pharmaceutical, engineering, healthcare, drone manufacturing
Sentencing: March 2026, up to 20 years each
The lesson: Security is just as much about people as it is about technology. The insider threat is real. Background checks matter. Continuous monitoring matters. Least privilege matters — even for your security team.
🎯 Key Takeaways
Update your stuff. A patch does you no good if it isn't installed.
Security by obscurity does not work. Magic parameters don't make you secure.
Be skeptical of browser extensions — even ones with featured badges.
Nothing is hack-proof. Security is about making it as hard as possible for attackers.
The insider threat is real. Sometimes the threat is coming from inside the house.
🎧 Listen Now
[Listen to Episode 60 →]
Available on YouTube, Spotify, Apple Podcasts, and everywhere you get your audio.
If you enjoyed this breakdown, share it with someone who needs to hear it. And if you're not subscribed yet, hit that button — we drop new episodes every week covering the threats that matter.
Stay vigilant, stay curious, and update your stuff.
— Cipherceval, Exploit Brokers by Forgebound Research
P.S. Got a story you want me to cover? Reply to this email. I read everything.