Coordinated sabotage on Poland’s energy sector

The defining incident of the period was a sophisticated, multi-stage attack targeting Poland’s distributed energy resources and industrial infrastructure, which reached its destructive phase on December 29, 2025, and dominated recovery efforts throughout January.

European Space Agency (ESA) data exposures (700 GB Total)

The ESA faced two significant, distinct data breaches in quick succession, resulting in the theft of massive technical and development datasets.

• The “Development” Breach (200 GB): The threat actor “888” exfiltrated 200 GB of data from external collaboration servers. This included internal source code, CI/CD pipeline configurations, access tokens, and JIRA/Bitbucket repositories.
• The “Technical” Breach (500 GB): The group Scattered Lapsus$ Hunters disclosed the theft of 500 GB of highly sensitive technical documentation. Having gained access in September 2025 via a public vulnerability, the attackers moved laterally to an internal platform used by mission partners.
• Impact on the Aerospace: The combined leaks exposed proprietary specifications and mission roadmaps for programs like the Next Generation Gravity Mission (NGGM) and Earth Observation (EO). Critically, the data included proprietary specifications from major aerospace players such as SpaceX, Airbus, and Thales Alenia Space.

What Else Happened in January 2026?

1. New Malware Framework – VoidLink: a new sophisticated “cloud-native” Linux malware framework emerged, written in Zig and attributed to Chinese-affiliated developers. Engineered for modern infrastructure, designed to detect and adapt its behavior to major cloud providers (AWS, Azure, GCP) and containerized environments like Kubernetes and Docker. Its architecture is centered around a custom Plugin API – inspired by Cobalt Strike- allowing operators to deploy over 37 specialized modules for reconnaissance, credential harvesting, and container escape.
2. Operation MaliciousCorgi: Attackers published two AI coding extensions, “ChatGPT – 中文版” and “ChatMoss,” which appeared to function as legitimate productivity tools. The malware was capable of exfiltrating up to 50 workspace files on command to servers based in China. Over 1.5 million users were potentially affected, leading to the exposure of proprietary code, internal configuration files, and credentials.
3. High-Severity Vulnerabilities in Automation: Two critical sandbox escape flaws in the n8n workflow automation platform allow authenticated users to bypass execution restrictions and achieve remote code execution. CVE-2026-1470 (CVSS 9.9) exploits gaps in JavaScript expression validation using deprecated language features, while CVE-2026-0863 (CVSS 8.5) abuses Python exception handling to access restricted built-ins. Both require workflow creation privileges but enable full host compromise when exploited.