This Month in Security: January 2026 - The eScan Supply Chain Breach, Sandworm’s Power Grid Strike, and Gemini Calendar Injection

"Antivirus" by Infosec Images is licensed under CC BY 2.0.

‍

January 2026 opened the year with a series of high-stakes incidents that was dominated by a significant supply chain compromise of a global antivirus provider, a sophisticated attempt to dismantle a European power grid, and the emergence of more AI vulnerabilities. As organizations updated their risk profiles for the new year, the boundary between defensive software and attack vectors became increasingly blurred.

‍

Critical Zero-Day Exploits

The first month of 2026 saw a flurry of emergency patches, including an out-of-band fix from Microsoft and vulnerabilities in legacy drivers.

• Microsoft Office OLE Bypass (CVE-2026-21509): In late January, Microsoft issued an emergency out-of-band update for an actively exploited zero-day affecting Office 2016 through 2024. The flaw allows attackers to bypass Object Linking and Embedding (OLE) security protections by tricking a user into opening a malicious document; attackers can execute unauthorized code locally, bypassing standard security warnings (Security Affairs).
• Desktop Window Manager (DWM) Leak (CVE-2026-20805): During the January Patch Tuesday, an information disclosure vulnerability in a core Windows component was found and is already being exploited in the wild. Researchers warn it is being used in exploit chains to reveal memory addresses, making more severe remote code execution (RCE) attacks achievable (SentinelOne).
• Vite Access Control Flaw (CVE-2025-31125): CISA added this vulnerability in the popular Vite build tool to its KEV catalog this month. It allows improper access control during the development process, potentially allowing attackers to inject malicious scripts into a developer's local environment or CI/CD pipeline (BleepingComputer).
• Secure Boot Certificate Crisis (CVE-2026-21265): A critical security feature bypass in Windows Secure Boot was highlighted this month. The flaw involves the failure to recognize expired certificates, which could allow bootkits to persist. With major Secure Boot certificates set to expire later in 2026, this patch is considered a mandatory baseline for hardware integrity (HKCERT).
• Firefox Zero-Days (CVE-2026-0891/0892): Mozilla rushed out patches for Firefox and Firefox ESR to address two vulnerabilities. These flaws could allow sandbox escape and code execution on the affected systems (Ivanti).

‍

Notable Threats and Incidents

Infrastructure remains the primary target for state-sponsored actors, while a major supply chain hit reminded the industry of its dependence on trusted vendors.

• eScan Antivirus Supply Chain Breach: In one of the most significant supply chain attacks since SolarWinds, MicroWorld Technologies' eScan antivirus was found to be delivering malicious updates through its legitimate infrastructure. The malware, digitally signed with a compromised eScan certificate, included a backdoor that actively blocked further security updates, effectively bricking the system (InfoSecurity Magazine).
• Sandworm Attack on Polish Power Grid: ESET and Polish authorities confirmed that the Russia-aligned "Sandworm" group targeted Poland’s power sector in late December and early January. The attack utilized a newly discovered data-wiping malware dubbed "DynoWiper." While the Polish energy minister stated the attack was unsuccessful in causing a blackout, the sophistication of the wiper indicates a high-priority effort to disrupt NATO-aligned energy infrastructure (SecurityWeek).
• Luxshare Data Theft: The RansomHub group claimed responsibility for a massive breach at Luxshare, a key electronics manufacturer for Apple, Nvidia, and Tesla. The actors claim to have exfiltrated 3D CAD models and sensitive engineering documentation, highlighting the ongoing risk to intellectual property in the global tech supply chain (ZeroFox).
• Brightspeed Broadband Breach: Fiber provider Brightspeed is investigating claims by the Crimson Collective that data belonging to over 1 million customers was stolen. The leak allegedly includes PII, account details, and billing information, following an extortion attempt earlier in the month (Bright Defense).
• Gemini AI Calendar Injection: Researchers demonstrated a novel attack against Google Gemini’s AI assistant. By using a malicious meeting invite description, attackers could trick the agent into bypassing privacy controls and leaking the user's meeting summaries to an external server—marking the first high-profile privacy breach (SecurityWeek).

‍

Policy and Framework Updates

The regulatory landscape for 2026 is becoming a patchwork of state-level mandates and shifting federal priorities.

• California Transparency in Frontier AI Act (S.B. 53): Taking full effect on January 1, 2026, this law now requires developers of frontier AI models to publish detailed safety frameworks and report security incidents to the state (Office of Governor Gavin Newsom).
• New US State Privacy Laws: Comprehensive privacy acts in Indiana, Kentucky, and Rhode Island officially took effect January 1, 2026. These laws grant consumers new rights over their data and place stricter requirements on businesses for data minimization and security audits (Lewis Rice).

Patches and Vulnerabilities

• Microsoft Patch Tuesday: Fixed 113 vulnerabilities, with 8 rated as Critical.
  
  • LSASS RCE (CVE-2026-20854): A critical RCE bug in the Local Security Authority Subsystem Service was patched in this month's Patch Tuesday. While it requires authentication, it does not require elevated privileges, making it a prime candidate for lateral movement within a network (SentinelOne).
  • Office & Excel RCEs: Five of the eight critical fixes this month were for Microsoft Office components (notably CVE-2026-20944 and CVE-2026-20955), which could be triggered by opening a malicious file (CrowdStrike).
  • Cisco ISE Information Disclosure: Cisco urged administrators to patch a bug in its Identity Services Engine (ISE) after a proof-of-concept (PoC) exploit was released online. The flaw could allow an authenticated admin to access highly sensitive credentials and configuration data (SecPod).

Key Takeaways for Staying Secure

• Validate Defensive Tools: The eScan breach proves that even your security stack is a target. Ensure your endpoint protection tools are monitored for unusual network traffic.
• Harden Office Protections: With the new OLE bypass (CVE-2026-21509) and multiple Office RCEs, ensure that Protected View is enabled and that all January emergency updates are applied across the fleet.
• Audit AI Permissions: As AI agents (like Gemini or Copilot) gain more autonomy to read calendars and emails, review the permissions granted to these integrations. Treat Prompt Injection as a critical threat to data privacy.
• Prepare for Certificate Rotations: The Secure Boot flaw (CVE-2026-21265) is a reminder that 2026 is a major year for certificate expirations. Audit your hardware firmware versions now to avoid bricked systems later in the year.
• Monitor for Wipers: The emergence of DynoWiper suggests a renewed interest in destructive attacks. Ensure offline backups are tested and that your EDR is configured to detect bulk file deletion or unauthorized disk-level access.
• Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners. 

‍

About the Author

Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.

‍

Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.

‍