Daily Threat Briefing

Cyware Daily Threat Intelligence, January 07, 2026


Your private conversations with AI chatbots might not be so private after all. Two malicious Chrome extensions were found masquerading as helpful tools for ChatGPT and DeepSeek. Using a tactic dubbed "Prompt Poaching," these extensions harvested complete conversation logs and browsing history every 30 minutes.

Downloading a simple text editor could now hand the keys to your kingdom over to cybercriminals. The Black Cat hacker group has launched a sophisticated campaign using fake Notepad++ download sites that appear at the top of search results to distribute malware.

Backup administrators need to patch their systems immediately to prevent a total takeover. Veeam has released a critical security update for its Backup & Replication software to fix high-severity flaws that allow attackers to gain root-level privileges.

Top Malware Reported in the Last 24 Hours

Malicious Chrome extensions steal user data

Two malicious Chrome extensions, affecting over 900,000 users, have been discovered exfiltrating sensitive data from OpenAI ChatGPT and DeepSeek conversations. Named "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude, and more," these extensions impersonated legitimate tools to gain user trust. Once installed, they requested permissions to collect anonymized analytics but instead harvested complete conversation data and browsing activity, sending this information to remote servers every 30 minutes. This tactic, referred to as "Prompt Poaching," poses significant risks, as the stolen data can be weaponized for corporate espionage and identity theft. Additionally, legitimate extensions like Similarweb have also been implicated in similar data collection practices, raising concerns about privacy and security in browser extensions.
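The two extension names above are the only concrete indicators in this item, so a first local check is to enumerate the manifests of installed Chrome extensions, match the names, and separately flag any extension whose permissions are broad enough to read page content and browsing activity, which is what the reported exfiltration needed. The script below is an added example written for this briefing, not code from Cyware, Google or the extension authors. The default profile paths and the permission watch-list are assumptions; the extension names are taken from the item.

```python
"""Audit installed Chrome extensions for the impersonating AI extensions
named in the briefing and for permission sets broad enough to harvest
chat pages and browsing history.

Added example, not from Cyware or Google. Profile paths and the
permission watch-list are assumptions; the names are from the briefing.
"""
import json
import sys
from pathlib import Path

# Names quoted in the briefing (matched case-insensitively).
KNOWN_BAD_NAMES = {
    "chat gpt for chrome with gpt-5, claude sonnet & deepseek ai",
    "ai sidebar with deepseek, chatgpt, claude, and more",
}

# Assumed watch-list: permissions that let an extension read page content
# or browsing activity.  Combined with broad host access they are enough
# to copy a chat transcript and the tab history off the machine.
WATCHED_PERMISSIONS = {"tabs", "history", "webRequest", "scripting", "cookies"}
WATCHED_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return findings for one parsed manifest.json."""
    # Names may be localized ("__MSG_appName__"); those will not match the
    # name list and are judged on permissions alone.
    name = str(manifest.get("name", "")).strip()
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host match patterns into "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {
        "name": name,
        "known_bad_name": name.lower() in KNOWN_BAD_NAMES,
        "watched_permissions": sorted(perms & WATCHED_PERMISSIONS),
        "broad_host_access": sorted(hosts & WATCHED_HOSTS),
    }
    findings["suspicious"] = bool(
        findings["known_bad_name"]
        or (findings["watched_permissions"] and findings["broad_host_access"])
    )
    return findings


def chrome_extension_dirs() -> list:
    """Default Chrome profile extension directory per OS (assumed defaults)."""
    home = Path.home()
    candidates = {
        "win32": home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
        "darwin": home / "Library/Application Support/Google/Chrome/Default/Extensions",
    }
    base = candidates.get(sys.platform, home / ".config/google-chrome/Default/Extensions")
    return [base] if base.is_dir() else []


def audit(root: Path) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json and assess each."""
    results = []
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        findings = assess_manifest(manifest)
        findings["extension_id"] = manifest_path.parts[-3]
        results.append(findings)
    return results


if __name__ == "__main__":
    for root in chrome_extension_dirs():
        for f in audit(root):
            if f["suspicious"]:
                print(f["extension_id"], f["name"], f["watched_permissions"], f["broad_host_access"])
```

A name match is a direct indicator; the permission check is a weaker signal that will also flag legitimate extensions (the item itself notes Similarweb collecting similar data), so treat it as a review list rather than a verdict, and run it against every Chrome profile directory in a fleet rather than only `Default`.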

Black Cat hackers use fake Notepad++ sites

A sophisticated cyberattack campaign by the Black Cat hacker group has been revealed, utilizing fake Notepad++ download websites to distribute malware and steal sensitive data. By exploiting search engine optimization techniques, these phishing sites rank prominently in search results, deceiving users into downloading malicious software. The malware employs advanced tactics, including a multi-layered execution chain and DLL side-loading, to establish persistence and evade detection. Once installed, it creates shortcuts that lead to backdoor components, enabling the theft of browser credentials, keylogging, and sensitive data exfiltration. 

Top Vulnerabilities Reported in the Last 24 Hours

Veeam issues critical update for vulnerabilities

Veeam has released a critical security update for its Backup & Replication software to address multiple high-severity vulnerabilities that could allow remote code execution with root-level privileges. These vulnerabilities specifically impact version 13.0.1.180 and earlier builds of version 13, while earlier versions, such as the 12.x branch, are unaffected. One significant flaw, CVE-2025-59470, has a CVSS score of 9.0 and enables Backup or Tape Operators to execute remote code as a postgres user by manipulating parameters. Another critical issue, CVE-2025-55125, allows operators to achieve remote code execution as root through malicious backup configuration files. 

Critical command injection bug in D-Link routers

A recently discovered command injection vulnerability, tracked as CVE-2026-0625, is being actively exploited in multiple legacy D-Link DSL routers that have not received support for years. This flaw affects the dnscfg.cgi endpoint due to improper input sanitization, allowing unauthenticated attackers to execute remote commands through DNS configuration parameters. Vulnerability intelligence firm VulnCheck reported the issue to D-Link after observing exploitation attempts. The affected models include the DSL-526B, DSL-2640B, DSL-2740R, and DSL-2780B, all of which have reached end-of-life status since 2020 and will not receive firmware updates. D-Link is currently investigating whether other products are impacted, but identifying all affected models is challenging due to firmware variations. The exploitation could potentially involve browser-based attacks or devices configured for remote administration.
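Because the affected DSL models will never receive a fix, the practical defences are to replace them, disable remote administration, and watch for requests to the endpoint the item names. The script below, an added example that is not code from Cyware, VulnCheck or D-Link, scans web-server or proxy access logs in Common Log Format for requests to `dnscfg.cgi` whose query parameters carry shell metacharacters. The log lines are constructed for the example, and the parameter name `dns_param` is a placeholder, not a real D-Link parameter.

```python
"""Flag access-log entries that target the dnscfg.cgi endpoint named in
the briefing with shell metacharacters in a query parameter.

Added example, not from Cyware, VulnCheck or D-Link.  The sample log
lines are constructed and "dns_param" is a placeholder parameter name.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Characters that separate or substitute commands in a POSIX shell; a DNS
# server setting has no legitimate reason to contain any of them.
SHELL_META = re.compile(r"[;|&`$\n]")


def parse_line(line: str):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, when, method, target, status = m.groups()
    return {"src": src, "time": when, "method": method,
            "target": target, "status": int(status)}


def suspicious_dnscfg(entry: dict) -> list:
    """Return the names of parameters that look injected, or [] if none."""
    parts = urlsplit(entry["target"])
    if not parts.path.lower().endswith("/dnscfg.cgi"):
        return []
    hits = []
    # parse_qsl percent-decodes once; a second unquote catches values that
    # were double-encoded to slip past naive filters.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(unquote(value)):
            hits.append(key)
    return hits


def scan(lines) -> list:
    """Return (source ip, request target, offending params) for each alert."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = suspicious_dnscfg(entry)
        if hits:
            alerts.append((entry["src"], entry["target"], hits))
    return alerts


# Constructed sample: one normal settings request, one with a command
# separator in the value, one unrelated page fetch.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2026:10:01:02 +0000] "GET /dnscfg.cgi?dns_param=8.8.8.8 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jan/2026:10:01:09 +0000] "GET /dnscfg.cgi?dns_param=8.8.8.8%3BPLACEHOLDER_CMD HTTP/1.1" 200 0',
    '203.0.113.9 - - [07/Jan/2026:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, target, params in scan(SAMPLE_LOG):
        print(f"ALERT {src} -> {target} (params: {', '.join(params)})")
```

The item notes that exploitation may arrive through a victim's browser rather than directly from the internet, so the source address in a hit may be an internal host; an alert from inside the LAN still indicates the router was targeted. The check only sees GET query strings; if the device accepts the same parameters in a POST body, the request body must be logged or captured for the rule to apply.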
