Welcome to 2026, and welcome back to Exploit Brokers by Forgebound Research. In this packed episode, we’re covering five major cybersecurity stories — any one of which could have been its own episode. From Microsoft’s emergency patch to security professionals turning to the dark side, let’s dive in.
Listen to the full episode
- 🎬 YouTube: Watch Episode 60
- 🎧 Spotify: Listen on Spotify
- 🍎 Apple Podcasts: Listen on Apple
Episode Timestamps
| Time | Topic |
|---|---|
| 0:00 | Intro & Episode Teaser |
| 0:49 | Welcome & Call to Action |
| 1:34 | Story 1: Microsoft Office Zero-Day (CVE-2026-21509) |
| 5:35 | Story 2: WordPress Modular DS (CVE-2026-23550) |
| 11:18 | Story 3: Malicious Chrome Extensions Stealing AI Chats |
| 16:32 | Story 4: Brightspeed Data Breach |
| 19:07 | Story 5: Cybersecurity Pros Plead Guilty to Ransomware |
| 22:26 | Recap & Key Takeaways |
| 24:28 | Outro |
Story 1: Microsoft Office Zero-Day (CVE-2026-21509)
Microsoft has released an emergency out-of-band patch for an actively exploited zero-day vulnerability affecting multiple Office versions.
Key Details
- CVE: CVE-2026-21509
- Type: Security Feature Bypass (OLE mitigations)
- Affected Versions: Office 2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365
- Exploitation Status: Active exploitation in the wild
- CISA KEV Deadline: February 16, 2026
Technical Background
Microsoft Office uses OLE (Object Linking and Embedding) mitigations to prevent malicious embedded content from executing harmful actions. CVE-2026-21509 bypasses these protections entirely by exploiting a flaw where security decisions rely on untrusted inputs — inputs the attacker controls.
The good news: this isn’t a preview pane attack, meaning users must actually open a malicious file to be compromised. The bad news: social engineering users into opening Office documents is the bread and butter of phishing campaigns.
Action Required
For Office 2021 and later: Updates are available via server-side changes, but you must restart your Office applications for the protection to take effect.
For Office 2016/2019: Patches are not yet available. Microsoft recommends applying registry mitigations detailed in their security advisory.
Cipher-ism: “Update your stuff. A patch does you no good if it isn’t installed.”
Story 2: WordPress Modular DS (CVE-2026-23550)
This vulnerability is a masterclass in how multiple design choices can combine to create catastrophic security failures.
Key Details
- CVE: CVE-2026-23550
- CVSS Score: 10.0 (Critical)
- Type: Unauthenticated Privilege Escalation
- Affected Plugin: Modular DS (40,000+ active installations)
- Patched Version: 2.6.0 (not 2.5.2)
The Attack Chain
Modular DS is a WordPress plugin that allows administrators to manage multiple WordPress sites from a single dashboard. The vulnerability allows complete admin takeover without any credentials:
- Bypass Authentication: Supply `origin=mo` as a request parameter
- Trigger Auto-Login: The plugin automatically logs unauthenticated users in as administrator
- Game Over: Full admin access achieved
This is a textbook example of why security by obscurity doesn’t work. A “magic parameter” is not authentication.
Timeline
- January 13, 2026 (~2:00 UTC): First attacks detected by Patchstack (before public disclosure)
- Hours later: Vendor released version 2.5.2
- January 16, 2026: Version 2.6.0 released to address additional exploit paths
Indicators of Compromise
- Attacker IPs: 45.11.89.19, 185.196.0.11
- Rogue Admin Accounts: support2026, admin_backup
- Malicious Plugins/Themes: Check for recently installed items you didn’t add
Remediation
- Update immediately to version 2.6.0 or later
- Audit admin users for suspicious accounts created mid-January
- Review installed plugins and themes for unauthorized additions
- Consider WAF rules blocking requests to `/api/modular-connector` with `origin=mo`
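The remediation list above amounts to two checks a site owner can script: look back through the web server access log for the `origin=mo` bypass parameter and the published attacker IPs, and audit the WordPress user table for administrators created since the attacks began. The following is an added example, not code from the episode, Patchstack or the Modular DS vendor. The log lines and user rows are constructed; the REST route prefix (`/wp-json/...`) and the shape of the user export (as `wp user list --format=json` would give it) are assumptions, since the page only gives the `/api/modular-connector` fragment and the `origin=mo` parameter.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Indicators of compromise quoted in the story above.
IOC_IPS = {"45.11.89.19", "185.196.0.11"}
IOC_USERNAMES = {"support2026", "admin_backup"}
# First attacks were seen on January 13, 2026; admins created from then on deserve a look.
ATTACK_WINDOW_START = datetime(2026, 1, 13)

# Common/combined access-log line as written by Apache and nginx (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_magic_parameter_request(target):
    """True when the request targets the Modular DS connector route with origin=mo.

    WordPress also accepts REST routes via ?rest_route=... on sites without pretty
    permalinks, so both the path form and the query-string form are checked.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    routes = [parts.path] + qs.get("rest_route", [])
    if not any("/api/modular-connector" in r for r in routes):
        return False
    return "mo" in qs.get("origin", [])


def scan_access_log(lines):
    """Return one finding per suspicious request: source IP, target, status and why."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if is_magic_parameter_request(m["target"]):
            reasons.append("origin=mo auth bypass parameter")
        if m["ip"] in IOC_IPS:
            reasons.append("known attacker IP")
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"],
                             "status": m["status"], "reasons": reasons})
    return findings


def find_rogue_admins(users):
    """Flag users whose name matches a published IoC or who became admin in the window.

    Each row has user_login, roles (comma-separated) and user_registered ("YYYY-MM-DD HH:MM:SS").
    """
    flagged = {}
    for u in users:
        reasons = []
        if u["user_login"] in IOC_USERNAMES:
            reasons.append("username matches published IoC")
        registered = datetime.fromisoformat(u["user_registered"])
        if "administrator" in u["roles"].split(",") and registered >= ATTACK_WINDOW_START:
            reasons.append("administrator created during attack window")
        if reasons:
            flagged[u["user_login"]] = reasons
    return flagged


# Constructed sample data (not real traffic or a real site's user table).
SAMPLE_LOG = [
    '45.11.89.19 - - [13/Jan/2026:02:07:41 +0000] "GET /wp-json/api/modular-connector?origin=mo HTTP/1.1" 302 0',
    '203.0.113.7 - - [13/Jan/2026:09:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.4 - - [14/Jan/2026:11:30:10 +0000] "POST /?rest_route=/api/modular-connector&origin=mo HTTP/1.1" 200 1290',
    '185.196.0.11 - - [14/Jan/2026:12:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812',
    '203.0.113.7 - - [14/Jan/2026:12:05:00 +0000] "GET /wp-json/api/modular-connector?origin=web HTTP/1.1" 401 52',
]

SAMPLE_USERS = [
    {"user_login": "alice",        "roles": "administrator", "user_registered": "2024-03-02 10:00:00"},
    {"user_login": "support2026",  "roles": "administrator", "user_registered": "2026-01-13 02:10:33"},
    {"user_login": "admin_backup", "roles": "administrator", "user_registered": "2026-01-14 18:41:05"},
    {"user_login": "bob",          "roles": "editor",        "user_registered": "2026-01-15 09:00:00"},
    {"user_login": "carol",        "roles": "administrator", "user_registered": "2026-01-20 09:00:00"},
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']:>14}  {hit['status']}  {hit['target']}  <- {', '.join(hit['reasons'])}")
    for login, why in find_rogue_admins(SAMPLE_USERS).items():
        print(f"review user {login!r}: {'; '.join(why)}")
```

Against the sample data, three of the five requests are flagged (the two `origin=mo` requests and the one from a listed attacker IP; the `origin=web` request is ignored), and three accounts come back for review: the two IoC usernames plus `carol`, an administrator created after January 13 whom only a human can clear. The account check deliberately flags by creation date as well as by name, because the rogue usernames an attacker picks will not always match the ones already published.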
Story 3: Malicious Chrome Extensions Stealing AI Conversations
OX Security researchers discovered a malware campaign they’ve dubbed “Prompt Poaching” — and it affected over 900,000 users.
Key Details
- Campaign Name: Prompt Poaching
- Affected Users: 900,000+ combined downloads
- Targets: ChatGPT and DeepSeek conversations
- Exfiltration Interval: Every 30 minutes
- C2 Domains: deepaichats[.]com, chatsaigpt[.]com
The Malicious Extensions
- ChatGPT for Chrome with GPT-5, Claude Sonnet, and DeepSeek AI (600,000+ users) — This extension actually received Google’s Featured badge
- AI Sidebar with DeepSeek, ChatGPT, Claude and more (300,000+ users)
Technical Analysis
The extensions impersonate a legitimate tool from AITOPIA, replicating its functionality while adding hidden data exfiltration capabilities. They leverage Chrome’s tabs.onUpdated API to detect navigation to AI chat platforms, then interact directly with the page DOM to extract:
- User prompts
- AI responses
- Session metadata
- Complete browsing history
Data is batched every 30 minutes, base64 encoded, and transmitted to attacker-controlled servers.
The Bigger Picture
Consider what people share with AI chatbots: proprietary code, business strategies, customer data, internal URLs, corporate secrets. This stolen data can be weaponized for corporate espionage, identity theft, targeted phishing, or sold on underground forums.
Action Required
- Remove these extensions immediately if installed
- Audit all browser extensions and their permissions
- Be skeptical of any extension, even those with featured badges or high ratings
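"Audit all browser extensions and their permissions" is easier to act on with a script than by clicking through chrome://extensions. The following is an added example, not tooling from OX Security, Google or the episode: it reads an extension's `manifest.json` and flags the capabilities the story describes, namely tab-navigation access, blanket host permissions, content scripts injected into AI chat sites, and host permissions naming the C2 domains quoted above. Both manifests are constructed, the severity weighting is my own judgement, and the chat-site hostnames are assumptions about where those services live; only the two C2 domains come from the story.

```python
import glob
import json
import os

# Chrome permission names that let an extension watch or touch what the user browses.
WATCH_BROWSING = {"tabs", "history", "webNavigation", "webRequest", "scripting", "cookies"}
# Harmless alone, but this is what a "send a batch every 30 minutes" routine would use.
SCHEDULING = {"alarms"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hostnames of the chat front-ends named in the story (assumption).
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")
# Command-and-control domains quoted (defanged) in the story.
KNOWN_C2 = {"deepaichats.com", "chatsaigpt.com"}


def audit_manifest(manifest):
    """Return (severity, message) findings for one extension manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host match patterns inside "permissions"; move them over.
    for p in list(perms):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
            perms.discard(p)
    for p in sorted(perms & WATCH_BROWSING):
        findings.append(("high", f"permission '{p}' can observe or touch browsing activity"))
    for p in sorted(perms & SCHEDULING):
        findings.append(("info", f"permission '{p}' enables periodic background tasks"))
    if hosts & BROAD_HOSTS:
        findings.append(("high", "host permissions cover every website"))
    for h in sorted(hosts):
        if any(c2 in h for c2 in KNOWN_C2):
            findings.append(("high", f"host permission names a known C2 domain: {h}"))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if any(site in pattern for site in AI_CHAT_HOSTS):
                findings.append(("medium", f"content script runs inside an AI chat site: {pattern}"))
    return findings


def summarize(findings):
    """Count findings per severity so extensions can be ranked for manual review."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


def audit_profile(profile_dir):
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    results = {}
    for path in glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_manifest(json.load(fh))
    return results


# Constructed sample manifests; neither is a real extension.
SUSPICIOUS_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Constructed AI sidebar sample",
  "version": "1.0",
  "permissions": ["tabs", "storage", "alarms"],
  "host_permissions": ["<all_urls>", "https://deepaichats.com/*"],
  "content_scripts": [
    {"matches": ["*://chatgpt.com/*", "*://chat.deepseek.com/*"], "js": ["content.js"]}
  ],
  "background": {"service_worker": "bg.js"}
}
""")

BENIGN_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Constructed single-site helper",
  "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}]
}
""")

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = audit_manifest(manifest)
        print(name, summarize(findings))
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The suspicious sample produces three high findings (the `tabs` permission, the all-sites host permission and the C2 domain), two medium ones for the content scripts on chat sites, and one informational note for `alarms`; the benign sample produces nothing. None of these signals proves an extension is malicious, and a legitimate AI sidebar will legitimately need content scripts on chat sites, which is exactly why the output is a review queue rather than a verdict. `audit_profile` takes the path of a Chrome user profile directory and applies the same check to every installed extension.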
Story 4: Brightspeed Data Breach
On January 5, 2026, US fiber broadband provider Brightspeed confirmed they are investigating claims of a cyberattack by a threat actor called Crimson Collective.
Key Details
- Threat Actor: Crimson Collective
- Victim: Brightspeed (20 US states, 1M+ customers)
- Claimed Data: Names, billing addresses, email addresses, phone numbers
- Status: Investigation ongoing — breach not confirmed
Context
This incident fits a broader 2026 trend of extortion groups targeting telecommunications and internet service providers due to the massive volumes of customer data they hold. Similar recent incidents include:
- Ledger breach (January 2026): Customer order data exposed via e-commerce partner Global-E
- ManageMyHealth breach (January 3, 2026): 400,000 medical documents affecting 120,000 patients in New Zealand
Recommendations for Brightspeed Customers
- Monitor for official communications from Brightspeed
- Be vigilant about phishing attempts using potentially exposed information
- Never assume an email, text, or call is legitimate — verify through official channels
Story 5: Cybersecurity Professionals Plead Guilty to Ransomware Operations
On January 2, 2026, two US cybersecurity professionals pleaded guilty to conspiracy to commit extortion as affiliates of the BlackCat/ALPHV ransomware group.
The Defendants
- Ryan Goldberg: Former incident response manager at Sygnia
- Kevin Martin: Former ransomware negotiator at DigitalMint
The irony is staggering. One helped companies recover from attacks while moonlighting as an attacker. The other negotiated with ransomware operators on behalf of victims while being a ransomware operator himself.
Key Details
- Charge: Conspiracy to Commit Extortion
- Active Period: May – November 2023
- Ransom Demands: $300,000 – $10 million
- Confirmed Payments: $1.27 million+
- Victim Sectors: Pharmaceutical, engineering, healthcare, drone manufacturing
- Sentencing: March 2026 (up to 20 years each)
The Insider Threat Lesson
This case highlights a growing concern: insider risk from trusted cybersecurity personnel. When we give security professionals access to our most sensitive systems, incident response playbooks, and “keys to the castle,” we’re extending significant trust.
Mitigation Strategies
- Background checks matter — even for security hires
- Continuous monitoring — trust but verify
- Principle of least privilege — even for security teams
- Segregation of duties — limit single points of failure
Episode Recap: Key Takeaways
- Update your stuff. A patch does you no good if it isn’t installed. Restart those Office apps.
- Security by obscurity does not work. Magic parameters, hidden endpoints, and “nobody will find this” are not security controls.
- Be skeptical of browser extensions. Even Google’s Featured badge doesn’t guarantee safety. Audit permissions carefully.
- Nothing is hack-proof. Security is about making it as hard as possible for attackers while acknowledging that determined adversaries may still succeed.
- The insider threat is real. Sometimes the threat comes from inside the house. Background checks, least privilege, and monitoring apply to everyone — including your security team.
Subscribe for Weekly Updates
Never miss an episode of Exploit Brokers. Subscribe on your preferred platform:
- YouTube: @ForgeboundResearch
- Twitter/X: @ForgeboundLabs
- Spotify: Exploit Brokers By Forgebound Research
- Apple Podcasts: Exploit Brokers By Forgebound Research
- Newsletter: Forgebound Research Notes
Sources:
- US Cybersecurity Pros Plead Guilty: https://www.securityweek.com/two-us-cybersecurity-pros-plead-guilty-over-ransomware-attacks/
- OX Security Malicious Extensions: https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/
- Modular DS CVSS 10.0: https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html
- Brightspeed Breach Claims: https://www.bleepingcomputer.com/news/security/us-broadband-provider-brightspeed-investigates-breach-claims/
- Microsoft CVE: https://www.securityweek.com/microsoft-patches-office-zero-day-likely-exploited-in-targeted-attacks/
This has been your host Cipherceval, and I’ll catch you in the next one. Stay vigilant, stay curious, and update your stuff.
