Daily Signal Note: Malicious Execution Persists After Verification
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ issues and preserves dated, bounded external cyber judgment.
Not news reaction. Not advisory opinion. Not consensus analysis.
—
Coverage spans ongoing CISO intelligence and versioned decision artifacts, depending on use context.
Signal 1: Coolify self-hosting platform discloses 11 critical vulnerabilities enabling full server compromise
Aikido Security and independent researchers disclosed, on January 8, 2026, multiple critical flaws in Coolify, an open-source server management platform. CVE-2025-66209, CVE-2025-66210 and CVE-2025-66211 (all CVSS 10.0) enable authenticated command injection leading to container escape and root access. CVE-2025-64420 (CVSS 9.9) exposes the root SSH private key to low-privileged users. CVE-2025-64419 allows unauthenticated RCE via Docker Compose build parameters. Approximately 52,890 Coolify instances are exposed on the internet per Censys, with Germany (15,000), the US (9,800) and France (8,000) most affected. CVE-2025-64419 is patched in v4.0.0-beta.445; the patch status of CVE-2025-64420 is unclear. Source: The Hacker News, Aikido Security.
Signal 2: NodeCordRAT delivered via Bitcoin-themed npm packages using Discord C2
Zscaler ThreatLabz disclosed, on January 7, 2026, three malicious npm packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The packages impersonate the legitimate bitcoinjs repositories (bip32, bip38, bip39). The final payload is NodeCordRAT, a RAT that uses Discord for command-and-control. Capabilities: Chrome credential theft, .env file harvesting for API tokens, and MetaMask wallet data extraction including seed phrases. Several thousand downloads were recorded before removal. The packages used postinstall scripts to chain installation of the malicious payload. Source: Zscaler ThreatLabz, The Hacker News.
Signal 3: Microsoft warns of domain spoofing via misconfigured email routing since May 2025
Microsoft Threat Intelligence disclosed, on January 6, 2026, that threat actors are exploiting complex email routing configurations to spoof organizational domains. Affected organizations have MX records that do not point directly to Office 365, combined with weak DMARC/SPF enforcement. Attackers send phishing emails that appear to originate internally, with identical "From" and "To" domains. The Tycoon2FA phishing platform is the primary attack vector; Microsoft blocked over 13 million malicious emails from Tycoon2FA in October 2025 alone. Activity has been increasing since May 2025. Source: Microsoft Security Blog, Infosecurity Magazine.
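The two preconditions Microsoft names, MX records that do not terminate at Office 365 and weak SPF/DMARC enforcement, can both be read off a domain's DNS records. The script below is an added example, not Microsoft's or the newsletter's code: it grades DMARC policy strength, the SPF `all` qualifier, and whether every MX host is an Exchange Online Protection target, then combines them into Microsoft's exposure condition. The records are constructed sample data for a fictitious example.com tenant; a real check would feed the output of `dns.promises.resolveMx` and `resolveTxt` for your own domain.

```javascript
// Added example (not Microsoft's or the newsletter's code): grade the DNS
// preconditions for routing-based domain spoofing. Sample records below are
// constructed, not real lookups.

// Exchange Online Protection MX targets end in mail.protection.outlook.com.
const EOP_MX_SUFFIX = /\.mail\.protection\.outlook\.com\.?$/i;

function mxTerminatesAtExchangeOnline(mxHosts) {
  return mxHosts.length > 0 && mxHosts.every((h) => EOP_MX_SUFFIX.test(h));
}

// Parse "v=DMARC1; p=none; rua=mailto:..." into a lowercase-keyed tag map.
function parseDmarcTags(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

function assessDmarc(record) {
  const tags = parseDmarcTags(record);
  const findings = [];
  if (tags.v !== 'DMARC1') findings.push('not a DMARC record');
  const p = (tags.p || 'none').toLowerCase();
  if (p === 'none') findings.push('p=none: failing mail is reported but still delivered');
  const sp = (tags.sp || p).toLowerCase();
  if (sp === 'none') findings.push('subdomains fall back to p=none');
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct < 100) findings.push(`pct=${pct}: policy applied to only ${pct}% of failing mail`);
  return { policy: p, subdomainPolicy: sp, pct, weak: findings.length > 0, findings };
}

function assessSpf(record) {
  const terms = record.trim().split(/\s+/);
  const findings = [];
  if (terms[0].toLowerCase() !== 'v=spf1') findings.push('not an SPF record');
  const allTerm = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  const qualifier = allTerm ? (/^[+\-~?]/.test(allTerm) ? allTerm[0] : '+') : null;
  if (!allTerm) findings.push('no "all" mechanism: unlisted senders get a neutral result');
  else if (qualifier === '+') findings.push('+all: every sender passes SPF');
  else if (qualifier === '?') findings.push('?all: neutral, no enforcement');
  else if (qualifier === '~') findings.push('~all: softfail only, not a block without DMARC enforcement');
  // RFC 7208 caps DNS-querying terms at 10; past that SPF returns permerror.
  const lookups = terms.filter((t) =>
    /^[+\-~?]?(include:|a(?![a-z])|mx(?![a-z])|ptr|exists:|redirect=)/i.test(t)).length;
  if (lookups > 10) findings.push(`${lookups} DNS-lookup terms exceed the RFC 7208 limit of 10`);
  return { qualifier, lookups, weak: findings.length > 0, findings };
}

// Microsoft's stated precondition: MX not pointing directly to Office 365,
// combined with weak SPF or DMARC enforcement.
function assessDomain({ mx, spf, dmarc }) {
  const mxDirect = mxTerminatesAtExchangeOnline(mx);
  const spfResult = assessSpf(spf);
  const dmarcResult = assessDmarc(dmarc);
  return {
    mxDirect,
    spf: spfResult,
    dmarc: dmarcResult,
    exposed: !mxDirect && (spfResult.weak || dmarcResult.weak),
  };
}

// Constructed sample records for a fictitious example.com tenant.
const SAMPLES = {
  weak: {
    mx: ['mx1.thirdparty-filter.example.'],
    spf: 'v=spf1 include:spf.protection.outlook.com include:thirdparty-filter.example ~all',
    dmarc: 'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
  },
  routedButEnforced: {
    mx: ['mx1.thirdparty-filter.example.'],
    spf: 'v=spf1 include:spf.protection.outlook.com include:thirdparty-filter.example -all',
    dmarc: 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com',
  },
  hardened: {
    mx: ['example-com.mail.protection.outlook.com.'],
    spf: 'v=spf1 include:spf.protection.outlook.com -all',
    dmarc: 'v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com',
  },
};

for (const [label, records] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(assessDomain(records)));
}
```

The `routedButEnforced` sample is the point of the exercise: a third-party filter in front of Office 365 is not by itself the problem, weak enforcement behind it is. One caveat when mail is relayed in that way: the tenant only gets a meaningful SPF/DMARC verdict if it evaluates the original sending IP rather than the relay's (Exchange Online's Enhanced Filtering for Connectors exists for this), so a hard DMARC policy in DNS should be paired with checking how the inbound connector is configured.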
Signal 4: Chrome WebView policy enforcement bypass patched in emergency update
Google released Chrome 143.0.7499.192/193 on January 6, 2026, addressing CVE-2026-0628, a high-severity vulnerability in the WebView tag that allows attackers to circumvent security policy enforcement. WebView renders web content across Chrome, Android apps, and thousands of third-party applications. Successful exploitation could bypass content blocking and script execution restrictions. Bobby Gould is credited with the discovery via Trend Micro ZDI. No active exploitation has been reported. Source: Google Chrome Releases, Cyber Press.