Programmer’s Digest #168

01/14/2026-01/21/2026 Critical Flaw in Modular DS WordPress Plugin, Binary-parser Bug Allows Node.js Privilege-Level Code Execution, Hackers Target Developers via Malicious VS Code Projects And More.

1. Actively Exploited Critical Flaw in Modular DS WordPress Plugin Enables Admin Takeover

A critical vulnerability in the Modular DS WordPress plugin (CVE-2026-23550, CVSS 10.0) is being actively exploited, allowing unauthenticated attackers to escalate privileges. Modular DS, installed on over 40,000 sites, enables centralized monitoring, updates, and remote administration of WordPress installations. In versions 2.5.1 and earlier, the flaw allows attackers to bypass authentication by abusing exposed API routes under /api/modular-connector/. A flawed isDirectRequest() check treats requests containing simple parameters (origin=mo&type=xxx) as trusted “direct” requests, without validating signatures, secrets, IPs, or User-Agent headers. If a site is already connected to Modular, attackers can access sensitive routes such as /login, /system, and /backup, leading to admin takeover and data theft. Exploitation began on January 13, 2026, with attackers targeting the login API to create new admin users. The issue was fixed in version 2.5.2 by tightening route handling and validation. Users should update immediately to mitigate risk.

2. CERT/CC Warns Binary-parser Bug Allows Node.js Privilege-Level Code Execution

A security vulnerability has been disclosed in the popular binary-parser npm library that could allow attackers to execute arbitrary JavaScript. Tracked as CVE-2026-1245, the flaw affects all versions prior to 2.3.0, which was released on November 26, 2025 to address the issue. Binary-parser is a widely used JavaScript parser builder for binary data, supporting multiple data types and receiving roughly 13,000 weekly downloads. According to CERT/CC, the vulnerability stems from insufficient sanitization of user-supplied values—such as parser field names and encoding parameters—when generating parser code dynamically at runtime using the Function constructor. Because the library builds JavaScript source code as a string and compiles it for execution, attacker-controlled input can be injected into the generated code, leading to arbitrary code execution within the Node.js process. Applications using only static, hard-coded parser definitions are not affected. Users are strongly advised to upgrade to version 2.3.0 and avoid passing untrusted input into parser definitions.
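
The bug class above, as an added example that is not binary-parser's own code: a toy parser builder that generates JavaScript source and compiles it with the Function constructor, with the hardening CERT/CC's description implies (field names validated, then emitted only as escaped string literals). Field and function names are constructed for this illustration.

```javascript
// Added example (not binary-parser's own code): a toy parser builder that, like
// the library described above, builds JavaScript source as a string and compiles
// it with the Function constructor. The difference is that every field name is
// validated and escaped before it is spliced into the generated code.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// `name` is the attacker-reachable value in a dynamic parser definition.
function assertFieldName(name) {
  if (typeof name !== "string" || !IDENT_RE.test(name)) {
    throw new TypeError(`refusing non-identifier field name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Each field reads one unsigned byte from the input buffer (constructed format).
function generateSource(fields) {
  let src = "const out = {}; let off = 0;\n";
  for (const { name } of fields) {
    // Layer 1: the name must be a plain identifier. Layer 2: even a validated
    // name is emitted via JSON.stringify, so it can only ever be a string literal.
    src += `out[${JSON.stringify(assertFieldName(name))}] = buf[off++];\n`;
  }
  return src + "return out;";
}

function buildParser(fields) {
  // Same compilation step as the vulnerable pattern, now fed only checked names.
  return new Function("buf", generateSource(fields));
}
```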

3. Hackers Exploiting Critical Fortinet FortiSIEM Flaw in Attacks

A critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with publicly available proof-of-concept exploit code is now being actively exploited in the wild. Reported by Horizon3.ai researcher Zach Hanley, the flaw combines multiple issues that allow unauthenticated attackers to perform arbitrary file writes, escalate privileges, and ultimately gain root-level code execution. Fortinet described the issue as an OS command injection vulnerability that can be triggered via crafted TCP requests. Horizon3.ai’s analysis revealed that dozens of command handlers exposed through the phMonitor service can be accessed remotely without authentication. By abusing argument injection, attackers can overwrite system files such as /opt/charting/redishb.sh to execute code as root. The vulnerability affects FortiSIEM versions 6.7 through 7.5. Patches are available in newer releases, while administrators unable to update immediately are advised to restrict access to the phMonitor port (7900). Threat intelligence firm Defused has confirmed active exploitation, urging defenders to check phMonitor logs for signs of compromise.

4. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

North Korean threat actors behind the long-running Contagious Interview campaign are using malicious Visual Studio Code (VS Code) projects to distribute backdoors. The tactic targets software developers through fake job assessments that instruct victims to clone GitHub, GitLab, or Bitbucket repositories and open them in VS Code. When a victim trusts the repository, malicious tasks.json files are automatically executed, abusing the runOn: folderOpen option to fetch and run obfuscated JavaScript payloads hosted on Vercel. On macOS, the attack uses background shell commands to pipe remote JavaScript directly into Node.js, enabling persistent execution even after VS Code closes. The payload deploys backdoors such as BeaverTail and InvisibleFerret, enabling remote code execution, system profiling, and continuous command-and-control communication. Later stages may introduce fallback infection methods, malicious npm packages, credential theft, crypto mining, and remote access tools. Developers are urged to carefully vet repositories, review task configurations, and avoid untrusted coding tests.
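
A defender-side check for the tasks.json technique described above, added here as an example rather than anything from the campaign reporting: it lists every task a cloned repository would auto-run on folder open, so a developer can review them before trusting the workspace. It assumes the file is passed in as strict JSON text (real tasks.json files may contain comments, which JSON.parse does not accept) and the sample file is constructed.

```javascript
// Added example, not from the original report: scan a repository's
// .vscode/tasks.json for tasks VS Code would run automatically once the
// folder is trusted (runOptions.runOn === "folderOpen").
// Assumption: the text is strict JSON (tasks.json may also be JSONC).
function findFolderOpenTasks(tasksJsonText) {
  const doc = JSON.parse(tasksJsonText);
  const findings = [];
  for (const task of doc.tasks || []) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn !== "folderOpen") continue;
    findings.push({
      label: task.label || "(unnamed)",
      type: task.type || "(unspecified)",
      // Reconstruct what would execute so the reviewer sees the whole command.
      command: [task.command, ...(task.args || [])].filter(Boolean).join(" "),
      // Background tasks keep running after the task terminal is closed.
      background: Boolean(task.isBackground),
    });
  }
  return findings;
}

// Constructed sample: one ordinary build task and one auto-run shell task.
const SAMPLE_TASKS_JSON = JSON.stringify({
  version: "2.0.0",
  tasks: [
    { label: "build", type: "shell", command: "npm run build" },
    {
      label: "setup",
      type: "shell",
      command: "node",
      args: ["scripts/postclone.js"],
      isBackground: true,
      runOptions: { runOn: "folderOpen" },
    },
  ],
});
```

Anything this returns deserves a manual read of the referenced script before the folder is trusted; an empty result only means there is no auto-run task, not that the repository is safe.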

5. AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach by Wiz, could have enabled attackers to take over several AWS-managed GitHub repositories, including the AWS JavaScript SDK, creating a severe supply chain risk. The issue was responsibly disclosed on August 25, 2025, and fixed by AWS in September. The flaw stemmed from improperly configured CI webhook filters intended to restrict which GitHub users could trigger builds. Four AWS repositories used regex-based actor ID filters that lacked start (^) and end ($) anchors, allowing attackers to bypass restrictions by registering GitHub accounts with numeric IDs containing a trusted maintainer’s ID as a substring. Because GitHub user IDs are sequential, these IDs could be predicted and generated using automated bot accounts. By triggering a build, an attacker could access privileged GitHub tokens with admin rights, enabling direct code pushes, pull request approvals, and secret exfiltration. AWS confirmed the issue was limited to specific projects, implemented mitigations, rotated credentials, and found no evidence of exploitation in the wild.
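
The anchor problem above, worked through as an added example (not code from Wiz or AWS): a regex evaluator standing in for the webhook actor ID filter, plus a lint that catches patterns missing the ^ and $ anchors. The filter-group object shape is a simplification of the CodeBuild configuration, and the account IDs are constructed.

```javascript
// Added example, not Wiz's or AWS's code: evaluate a CodeBuild-style actor ID
// filter the way a regex webhook filter would, and lint it for missing anchors.
function actorAllowed(pattern, actorId) {
  // The filter is a regex match, so an unanchored pattern also matches any
  // actor id that merely contains the trusted id as a substring.
  return new RegExp(pattern).test(String(actorId));
}

// True only when the pattern is pinned at both ends AND no top-level
// alternation escapes the anchors ("^123456|234567$" still leaves each
// branch open on one side; "^(123456|234567)$" is fine).
function isFullyAnchored(pattern) {
  if (!pattern.startsWith("^") || !pattern.endsWith("$")) return false;
  const body = pattern.slice(1, -1);
  let depth = 0;
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === "\\") { i++; continue; }           // skip an escaped character
    if (c === "(") depth++;
    else if (c === ")") depth--;
    else if (c === "|" && depth === 0) return false;
  }
  return true;
}

// Returns the ACTOR_ACCOUNT_ID patterns in a (simplified) filter group that
// would let a look-alike account through.
function unanchoredActorFilters(filters) {
  return filters
    .filter((f) => f.type === "ACTOR_ACCOUNT_ID" && !isFullyAnchored(f.pattern))
    .map((f) => f.pattern);
}

// Constructed ids: a trusted maintainer and a newer account whose sequential
// id happens to contain the trusted id as a substring.
const TRUSTED_ID = 123456;
const LOOKALIKE_ID = 1123456;
```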
