AWS supply chain hijack 🔐, ransomware campaigns 💣, Windows update bugs 🔄, zero-click exploits 📱

Daily Threat Intel Digest - January 16, 2026

🔴 Critical Threats & Active Exploitation

[NEW] AWS CodeBuild Supply Chain Hijacks GitHub Repositories
Attackers exploited a regex filtering misconfiguration in AWS CodeBuild webhooks to hijack critical repositories, including the AWS JavaScript SDK, which is used in 66% of cloud environments. Because GitHub assigns account IDs sequentially, researchers were able to create bot accounts whose IDs contained a trusted account's ID as a substring, which the substring-matching webhook filters accepted; from there they could steal GitHub credentials and gain admin control. The vulnerability allowed malicious code injection into SDK releases distributed to millions via the AWS Console. AWS has implemented PR approval gates and recommends immediate webhook regex hardening. [Wiz Research; GBHackers]
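As an added example (not from Wiz, AWS, or this digest), the Python below models the substring-matching actor filter described above in the shape of a CodeBuild webhook filter group, places the weak pattern beside its anchored form, and includes a small audit helper for spotting unanchored ACTOR_ACCOUNT_ID patterns. The account IDs are placeholders and the search semantics of the filter are an assumption.

```python
import re

# Constructed filter groups in the shape CodeBuild uses for webhook filters
# (a list of {"type", "pattern"} entries). The account ID 12345 is a
# placeholder, not a real GitHub user ID.
WEAK_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "12345"},  # unanchored
]
HARDENED_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "^12345$"},  # anchored both ends
]


def actor_allowed(filter_group, actor_id):
    """Model (assumption) of a substring-matching actor filter.

    re.search matches the pattern anywhere in the ID, so a longer ID that
    merely contains the trusted ID passes unless the pattern is anchored.
    """
    for f in filter_group:
        if f["type"] == "ACTOR_ACCOUNT_ID":
            return re.search(f["pattern"], str(actor_id)) is not None
    return True  # no actor restriction at all: every actor triggers a build


def find_unanchored_actor_filters(filter_groups):
    """Audit helper: return ACTOR_ACCOUNT_ID patterns not anchored at both ends.

    Heuristic only: it checks for a leading ^ and trailing $ and does not
    reason about alternations such as ^a|b$, which need per-branch anchors.
    """
    findings = []
    for group in filter_groups:
        for f in group:
            if f["type"] != "ACTOR_ACCOUNT_ID":
                continue
            p = f["pattern"]
            if not (p.startswith("^") and p.endswith("$")):
                findings.append(p)
    return findings


if __name__ == "__main__":
    bot_id = "912345678"  # constructed: a later, longer ID that contains 12345
    print("weak filter admits bot:", actor_allowed(WEAK_FILTER_GROUP, bot_id))
    print("hardened filter admits bot:", actor_allowed(HARDENED_FILTER_GROUP, bot_id))
    print("unanchored patterns:",
          find_unanchored_actor_filters([WEAK_FILTER_GROUP, HARDENED_FILTER_GROUP]))
```

The audit helper takes filter groups in the same nested-list layout CodeBuild reports for a project's webhook, so its output can be fed straight from a project description.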

[NEW] Windows Update Bug Triggers Restart Loop on Enterprise PCs
Microsoft confirmed KB5073455 prevents Windows 11 23H2 devices with System Guard Secure Launch from shutting down or hibernating, forcing restarts instead. The issue affects Enterprise and IoT editions only, with no current workaround for hibernation failures. Users must execute shutdown /s /t 0 from Command Prompt to power down safely. This compounds January’s Windows update troubles after Cloud PC access failures and security alert false positives. [BleepingComputer]

[NEW] Critical WordPress Plugin Exploited for Admin Takeover
The Modular DS plugin (40k+ installations) suffers from CVE-2026-23550, allowing unauthenticated attackers to bypass authentication and gain admin privileges. Active exploitation began January 13 via flawed “direct request” mode handling and automatic admin login fallback. Version 2.5.2 patches the vulnerability, and users must regenerate WordPress salts post-update. Review access logs for suspicious requests and rogue admin accounts. [BleepingComputer]

🎯 Threat Actor Activity & Campaigns

[NEW] Ransomware Gangs Target Legal, Manufacturing, and Food Sectors
Qilin ransomware claimed attacks on Germany’s Aero-Coating, Canada’s Bergmanis Preyra Legal Services, and Singapore’s Neo Group, threatening data leaks unless ransoms are paid. Concurrently, Akira targeted US insuretech firm Paylogix (stealing 185GB including employee SSNs) and McAloon & Friedman law firm (627GB of legal/client data). These campaigns highlight ransomware’s expansion into professional services and supply chain extortion. [DeXpose; DeXpose; DeXpose; DeXpose; DeXpose]

[NEW] ShinyHunters Extorts Grubhub with Salesforce/Zendesk Data
Attackers stole Salesforce data (February 2025) and Zendesk data from Grubhub using credentials compromised in the Salesloft Drift OAuth token breach. The ShinyHunters group is demanding Bitcoin to prevent leaks. While Grubhub confirms unauthorized access, it denies financial data theft. Organizations affected by Salesloft must rotate all OAuth tokens immediately. [BleepingComputer]

⚠️ Vulnerabilities & Patches

[NEW] Azure AD Token Flaw Enables Tenant-Wide Windows Admin Center Breaches
CVE-2026-20965 allows attackers with local admin rights on a single machine to compromise any Windows Admin Center-managed system in the same Azure tenant. The flaw stems from improper Proof-of-Possession token validation in Azure AD SSO. Microsoft has not yet released patches. [GBHackers]

[NEW] Zero-Click Exploit Chain Targets Google Pixel 9
Google Project Zero disclosed CVE-2025-54957 (Dolby decoder) and CVE-2025-36934 (kernel driver) chained for zero-click code execution and privilege escalation on Pixel 9 devices. No user interaction is required. Google has issued patches via January updates. [GBHackers]

🛡️ Defense & Detection

[NEW] Gootloader Malware Evades Analysis with 1,000-Part ZIP Archives
Gootloader now concatenates 500–1,000 ZIP archives with truncated End of Central Directory records and randomized metadata to crash analysis tools. Expel released a YARA rule to detect these malformed archives, which unpack successfully via Windows utilities but fail in 7-Zip/WinRAR. Defenders should block wscript.exe/cscript.exe execution on downloaded content. [BleepingComputer]

📋 Policy & Industry News

[NEW] CISA’s Own Software Tool Found Vulnerable to XSS
A basic XSS flaw in CISA’s “Software Acquisition Guide” web tool, discovered by Jeff Williams, allowed JavaScript injection and potential website defacement. The flaw was fixed in December after the report was initially rejected by bug bounty programs. CISA acknowledged process improvements post-disclosure. [CyberScoop]

[NEW] Microsoft Launches VSCode Copilot Studio Extension
The new VSCode extension enables developers to manage Copilot Studio agents locally, integrate with Git workflows, and deploy via CI/CD pipelines. Already past 13k downloads, it supports AI-assisted agent editing while addressing recent concerns about AI development supply chain security. [BleepingComputer]


Tia N. List, Senior Threat Intelligence Analyst
Sources: 28 articles analyzed; 9 items prioritized for operational impact.