
DOGE and the data trail.
DOGE staff face scrutiny over possible Hatch Act violations. GitLab fixes a serious 2FA bypass. North Korean hackers target macOS developers through Visual Studio Code. Researchers say the VoidLink malware may be largely AI-built. MITRE rolls out a new embedded systems threat matrix. Oracle drops a massive patch update. Minnesota DHS reports a breach affecting 300,000 people. Germany looks to Israel for cyber defense lessons. A major illicit marketplace goes dark. Our guest is Ashley Jess, Senior Intelligence Analyst from Intel 471, with a “crash course” on underground cyber markets. And auditors emerge as an unlikely line of cyber defense.
Today is Wednesday January 21st 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
DOGE members are under scrutiny for possible Hatch Act violations.
Newly disclosed Justice Department court filings reveal that two members of Elon Musk’s DOGE team at the Social Security Administration were in contact with an advocacy group seeking to overturn election results in certain states. One DOGE member signed an agreement that may have involved matching Social Security data with state voter rolls. According to a filing by Justice Department official Elizabeth Shapiro, SSA referred both employees for possible Hatch Act violations, which prohibit political activity by federal workers.
The disclosures correct earlier testimony during litigation over DOGE’s access to Social Security data. Shapiro said DOGE members shared data using unapproved third-party servers, including Cloudflare, and may have accessed restricted personal information despite court limits. Emails suggest DOGE members could have been asked to assist the advocacy group by using SSA data, though it remains unclear whether any data were actually shared.
Shapiro also reported that a senior DOGE adviser received a password-protected file containing private data on about 1,000 individuals. SSA says it was unaware of these actions at the time and that details remain unclear.
GitLab patches a 2FA bypass vulnerability.
GitLab has released security updates to fix a high-severity vulnerability that allows attackers to bypass two-factor authentication in both its Community Edition and Enterprise Edition platforms. The flaw, tracked as CVE-2026-0723, is caused by an unchecked return value in GitLab’s authentication services. According to the company, an attacker who already knows a user’s account ID could submit forged device responses and circumvent two-factor protections.
In the same update, GitLab patched two additional high-severity vulnerabilities that could enable unauthenticated denial-of-service attacks through malformed authentication requests and improper API authorization checks. Two medium-severity DoS issues were also fixed.
GitLab has released patched versions 18.8.2, 18.7.2, and 18.6.4, urging self-managed users to upgrade immediately. GitLab.com is already updated, and dedicated customers are not affected.
North Korean threat actors target macOS developers by abusing Visual Studio Code.
Jamf warns that North Korean threat actors are targeting macOS developers by abusing Visual Studio Code task configuration files to deliver malware. The campaign is a new variation of long-running fake job offer lures. Victims are tricked into cloning malicious GitHub or GitLab repositories posing as coding assignments. When opened and marked as trusted in VS Code, obfuscated JavaScript executes, retrieves additional payloads, and installs a persistent backdoor. According to Jamf, the malware collects system data, communicates with command-and-control servers, and enables remote code execution.
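As an added illustration that is not part of this briefing or of Jamf's research: a small Python check that inspects a cloned repository's .vscode/tasks.json before the folder is marked as trusted, flagging tasks VS Code would run automatically on folder open (the runOn "folderOpen" task option; that this campaign uses it is an assumption, the briefing only says task configuration files are abused) whose command carries obfuscation or download indicators. The sample tasks.json is constructed.

```python
import json
import re

# Constructed sample .vscode/tasks.json of the kind a "coding assignment" repo
# might carry: one ordinary build task and one auto-running task that decodes
# and evals base64 (here a harmless console.log, not real campaign content).
SAMPLE_TASKS_JSON = r'''{
  // tasks.json may contain comments, which json.loads rejects
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\"",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

# Command fragments that warrant a closer look before trusting the folder.
SUSPICIOUS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bFunction\s*\("),
    re.compile(r"base64"),
    re.compile(r"\bcurl\b|\bwget\b"),
    re.compile(r"\bnode\s+-e\b"),
]


def strip_line_comments(text):
    """Drop whole-line // comments so the JSON-with-comments file parses."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))


def task_command(task):
    """Full command line of a task: command plus any args, as one string."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):  # quoted/platform-specific command forms
        cmd = str(cmd)
    return " ".join([cmd] + [str(a) for a in task.get("args", [])])


def find_risky_tasks(tasks_json):
    """Return tasks whose command matches an indicator; 'autorun' marks those
    VS Code would start as soon as a trusted folder is opened."""
    doc = json.loads(strip_line_comments(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        cmd = task_command(task)
        reasons = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if reasons:
            autorun = task.get("runOptions", {}).get("runOn") == "folderOpen"
            findings.append({"label": task.get("label", "<unnamed>"),
                             "autorun": autorun, "command": cmd, "reasons": reasons})
    return findings
```

Run this over a freshly cloned repository's .vscode/tasks.json; any finding with autorun set is the case to refuse trust on, since trusting the folder is what lets the task execute.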
Researchers say VoidLink malware was likely AI generated.
Researchers say VoidLink, a recently discovered Linux malware targeting cloud servers, was likely built almost entirely with the help of artificial intelligence. Initially analyzed by Check Point Research, VoidLink appeared to be the work of a sophisticated, well-funded threat group due to its modular design and feature set. Further investigation, however, suggests the malware was developed by a single individual using AI tools to plan, structure, and generate code.
Evidence includes exposed development documents outlining a 30-week plan, even though the malware evolved in roughly four weeks, a mismatch researchers attribute to AI-generated documentation. Check Point says AI was used not just for coding, but for project orchestration, marking a turning point. VoidLink demonstrates how AI can significantly accelerate and amplify advanced malware development when used by skilled actors.
MITRE launches its Embedded Systems Threat Matrix.
MITRE has announced the launch of its Embedded Systems Threat Matrix, or ESTM, a new cybersecurity framework focused on protecting embedded systems. Modeled on MITRE ATT&CK, the framework maps attack tactics and techniques specific to hardware and firmware environments. According to MITRE, ESTM supports threat modeling and attack path analysis across sectors such as energy, industrial control systems, robotics, transportation, and healthcare. The framework aligns with existing security models, works with the EMB3D Threat Model, and is now available as the more mature ESTM 3.0, with community contributions encouraged.
Oracle releases a substantial Critical Patch Update.
Oracle has released its first Critical Patch Update for 2026, delivering 337 security fixes across more than 30 products. According to Oracle, the update covers roughly 230 unique vulnerabilities, including more than two dozen rated critical and over 235 exploitable remotely without authentication. Several patches address a critical Apache Tika flaw with a maximum CVSS score. Oracle Communications and Fusion Middleware received the most fixes. Oracle also issued separate security updates for Solaris, including remotely exploitable vulnerabilities.
Minnesota’s DHS notifies over 300,000 people of a data breach.
The Minnesota Department of Human Services is notifying nearly 304,000 people about a data breach involving unauthorized access to its MnChoices eligibility system. The incident was traced to a user affiliated with a licensed healthcare provider who accessed more data than permitted while using systems managed by FEI Systems. The access occurred between late August and September 2025 and was detected after FEI identified unusual activity in November.
State officials say there is no evidence of external hacking. The exposed information primarily involved demographic data, with more detailed personal and benefits information accessed for a smaller subset of individuals. DHS has revoked the provider’s access, launched fraud monitoring efforts, and reported the incident as a HIPAA breach to federal and state oversight bodies.
Germany turns to Israel for better cyber defense.
Germany is seeking to significantly strengthen its cyber defenses against threats from countries including Russia, China, Iran, and North Korea, and is turning to Israel for expertise. Earlier this month, German Interior Minister Alexander Dobrindt signed a cyber defense cooperation agreement in Tel Aviv with Israeli Prime Minister Benjamin Netanyahu, citing interest in Israel’s Cyber Dome system. Developed under the Israel National Cyber Directorate, the Cyber Dome is a centralized, partly automated threat-detection platform that uses artificial intelligence to monitor attacks on critical infrastructure.
German officials and analysts say Israel’s experience, shaped by frequent cyberattacks and a mature offensive and defensive ecosystem, could inform Germany’s own efforts. The partnership includes plans for joint development of next-generation cyber defenses, an AI and cyber innovation center, and cooperation on protecting energy infrastructure, connected vehicles, and countering drone threats.
The third-largest illicit online marketplace shuts down.
Tudou Guarantee, a Telegram-based illicit marketplace that processed more than $12 billion in fraud-related transactions, has shut down, according to blockchain intelligence firm Elliptic. Elliptic describes Tudou as the third-largest illicit marketplace ever, facilitating money laundering, sales of stolen personal data, and services supporting online scams. The shutdown followed the January 6 arrest and extradition to China of Chen Zhi, chairman of Cambodia’s Prince Group, after which activity in Tudou’s wallets sharply declined.
Some functions, including gambling services, remain active, leaving uncertainty over whether the closure is complete. The disruption impacts Southeast Asia’s fraud ecosystem, where scam operations have flourished. Tudou had risen rapidly after the shutdown of Huione Guarantee, its predecessor. Elliptic expects fraud activity to fragment across multiple smaller marketplaces, complicating but not preventing tracking efforts.
Accountants on the front lines.
Australia’s recent mega-breaches at Optus, Medibank, and Latitude Financial left millions wondering how cyber disasters keep slipping through. The usual answer is technical inevitability: complex systems, clever attackers, bad luck. But research suggests another, quieter defense has been hiding in plain sight, the auditors.
Auditors do not write code or chase hackers. They ask awkward questions about controls, oversight, and whether anyone is actually paying attention. The study found that auditors who have lived through a client’s cyber breach become noticeably tougher everywhere else, flagging more weaknesses and issuing more meaningful clean bills of health. Those clean reports, it turns out, correlate with fewer future breaches.
For Australia, where regulators like the Australian Securities and Investments Commission and the Australian Prudential Regulation Authority are pressing boards on cyber governance, the message is simple. Firewalls matter. So does scepticism, preferably from someone who has already seen a glowing red screen ruin their week.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
