Market & Momentum - 01/26/2026

This week’s threat momentum is being driven by trust abuse in developer ecosystems, confirmed exploitation of enterprise bugs, and fast-moving “patch-gap” attacks that punish slow validation and weak governance.


The last 72 hours show a clear acceleration in trusted-platform compromise: attackers are leaning into developer tooling, common enterprise software, and internet-exposed services where defenders have limited visibility and even less time.

The common failure mode is not a lack of tools; it is a lack of enforcement: plugins get installed without review, vulnerable services stay exposed, and “we patched” is assumed rather than verified.

📈 Risk Forecast – The Week Ahead 📉

Trend (Macro) | Likelihood | Direction | What to expect this week
Trusted extension abuse (dev + browser ecosystems) | 80% | 🔺 Rising | Credential/token theft via “helpful” add-ons and assistants.
Exploited enterprise software vulnerabilities | 76% | 🔺 Rising | Exploit attempts spike immediately after public confirmation.
Patch validation gaps (patched ≠ protected) | 70% | 🔺 Rising | Exposure persists due to incomplete rollout/restarts/config drift.
Internet-exposed legacy services | 64% | ➡ Stable | Attackers opportunistically harvest easy wins at scale.
Secondary credential abuse & fraud | 62% | ➡ Stable | Stolen credentials reused quickly across SaaS and VPN entry points.

🔎 Key Watchlist Items 🔍
  1. Developer compromise via VS Code Marketplace “AI” add-ons
    Malicious extensions posing as AI assistants were installed at scale and exfiltrated developer data (think: tokens, configs, secrets, source context). See malicious AI extensions.

  2. CISA-confirmed exploitation of 4 enterprise software flaws
    Active exploitation was confirmed across multiple enterprise products, meaning “theoretical risk” is now “real intrusion pressure.” Treat these as incident-level patch priorities. See active exploitation confirmation.

  3. VMware vCenter RCE now in active exploitation (CISA confirmed)
    VMware infrastructure sits near the top of the “blast radius” pyramid — if vCenter is hit, attackers often gain control of management planes and escalation paths quickly. See VMware RCE exploitation.

  4. Fortinet FortiGate SSO abuse enabling rogue admins + config theft
    Automated activity is targeting firewall SSO paths to create persistence and steal configuration data (which effectively hands attackers your network map). See FortiGate SSO attacks.

  5. Mass exposure of Telnet services expands “easy initial access” surface
    Large numbers of reachable Telnet services remain exposed, feeding brute force, botnets, and opportunistic footholds that defenders often don’t notice until it turns into lateral movement. See Telnet exposure report.


📊 Emerging Patterns 📊

Developer ecosystems are now a frontline attack surface
If attackers can reach developer machines, they can often reach build pipelines, secrets, and production-adjacent tooling without “breaking in” the traditional way.

CISA exploitation confirmation is an attacker accelerator
Once exploitation is confirmed publicly, scanning and exploitation attempts tend to surge because the target list becomes obvious.

Patch speed isn’t enough — patch validation is the differentiator
Real-world compromise often happens in the gap between “patch released” and “patch actually effective everywhere.”

Edge and management planes remain the highest-leverage targets
Firewalls, hypervisor management, and remote access systems provide outsized control when compromised.

The internet still has too many open doors
Legacy exposed services remain the “free samples” table for attackers.

⏰ Call to Action ⏰

VS Code / dev extension risk: Lock down extension installs to approved publishers (or a pinned list of extension IDs); audit dev endpoints for extensions installed in the last few weeks and for any publisher outside the allowlist; rotate any dev tokens, cloud credentials, or SSH keys that a flagged extension could have read.
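A concrete version of that audit, as an added example and not code from the newsletter: it reads the JSON inventory VS Code keeps at ~/.vscode/extensions/extensions.json, flags extensions whose publisher is not on an allowlist, and flags anything installed inside a lookback window. The publisher allowlist, the extension names and the sample inventory are constructed for the example; the field layout (identifier.id, metadata.installedTimestamp in epoch milliseconds) is assumed from how VS Code writes that file and should be checked against a real copy before you rely on it.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Publishers this (hypothetical) org has approved; everything else is flagged.
APPROVED_PUBLISHERS = {"ms-python", "ms-vscode", "github", "redhat"}


def _utc_ms(year, month, day):
    """Epoch milliseconds for a UTC date (the unit assumed for installedTimestamp)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample in the shape of ~/.vscode/extensions/extensions.json.
# Only the fields used below are included. The third and fourth entries use
# hypothetical publisher/extension names, not real Marketplace listings.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2025.6.1",
     "metadata": {"installedTimestamp": _utc_ms(2025, 6, 1)}},
    {"identifier": {"id": "GitHub.copilot"}, "version": "1.250.0",
     "metadata": {"installedTimestamp": _utc_ms(2025, 11, 10)}},
    {"identifier": {"id": "ai-helper-labs.super-ai-assistant"}, "version": "0.3.1",
     "metadata": {"installedTimestamp": _utc_ms(2026, 1, 24)}},
    {"identifier": {"id": "devtools-extras.pretty-json"}, "version": "2.0.0",
     "metadata": {"installedTimestamp": _utc_ms(2025, 9, 3)}},
])


def audit_extensions(extensions_json, approved_publishers, now, lookback_days=14):
    """Return (unapproved_ids, recently_installed_ids) for an extensions.json payload.

    unapproved: the publisher segment of the ID is not on the allowlist (case-insensitive)
    recent:     installed within lookback_days of `now`, regardless of publisher
    """
    cutoff = now - timedelta(days=lookback_days)
    allowed = {p.lower() for p in approved_publishers}
    unapproved, recent = [], []
    for entry in json.loads(extensions_json):
        ext_id = entry["identifier"]["id"]
        publisher = ext_id.split(".", 1)[0].lower()
        installed_ms = entry.get("metadata", {}).get("installedTimestamp")
        if publisher not in allowed:
            unapproved.append(ext_id)
        if installed_ms is not None:
            installed = datetime.fromtimestamp(installed_ms / 1000, tz=timezone.utc)
            if installed >= cutoff:
                recent.append(ext_id)
    return unapproved, recent


def run_sample_audit():
    """Audit the constructed sample as of 2026-01-26 (fixed date so results are stable)."""
    return audit_extensions(SAMPLE_EXTENSIONS_JSON, APPROVED_PUBLISHERS,
                            now=datetime(2026, 1, 26, tzinfo=timezone.utc))


def audit_local_install(now=None):
    """Audit the real file in the current user's home directory."""
    path = Path.home() / ".vscode" / "extensions" / "extensions.json"
    return audit_extensions(path.read_text(), APPROVED_PUBLISHERS,
                            now or datetime.now(timezone.utc))


if __name__ == "__main__":
    unapproved, recent = run_sample_audit()
    print("Not from an approved publisher:", unapproved)
    print("Installed in the last 14 days:", recent)
```

Any extension that lands in both lists is the one to treat as an incident: pull it, then rotate every credential the developer's session could reach. Run the same audit across the fleet rather than on one machine; the point is to find the installs nobody reviewed.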

CISA exploited bugs: Assign owners + deadlines; patch fast, then verify: confirm the version the running service actually reports, complete any required restarts, and re-check whether the system is still reachable from untrusted networks.
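The “patched ≠ protected” check from the forecast table and this item, written out as an added example (not code from the newsletter): each host is classified by comparing the installed version, the version the live service reports, and whether a restart is still pending against the fixed version, and the result is ordered so internet-exposed gaps come first. The product names, fixed versions and inventory records are placeholders constructed for the example, not real advisory data.

```python
import re
from dataclasses import dataclass


@dataclass
class HostRecord:
    host: str
    product: str
    installed_version: str   # what the installer / package manager recorded
    running_version: str     # what the live service reports (banner, API, version page)
    restart_pending: bool    # update staged, process or appliance not yet restarted
    internet_exposed: bool   # reachable from untrusted networks


# Placeholder fixed versions for constructed product names; not real advisories.
REQUIRED_FIXED_VERSION = {"mgmt-console": "8.0.3", "edge-firewall": "7.4.5"}


def parse_version(v):
    """'7.4.10' -> (7, 4, 10). Tuple compare avoids the '7.4.10' < '7.4.5' string-compare bug."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def assess(rec, fixed_versions):
    """Classify one host: not_patched / patched_not_effective / protected / no_fix_version."""
    fixed = fixed_versions.get(rec.product)
    if fixed is None:
        return "no_fix_version"
    need = parse_version(fixed)
    if parse_version(rec.installed_version) < need:
        return "not_patched"
    # Installed, but the running code is still the old one: the "we patched" trap.
    if rec.restart_pending or parse_version(rec.running_version) < need:
        return "patched_not_effective"
    return "protected"


_SEVERITY = {"not_patched": 0, "patched_not_effective": 1, "no_fix_version": 2, "protected": 3}


def triage(records, fixed_versions=REQUIRED_FIXED_VERSION):
    """Return [(host, status)] worst first; exposed hosts rank above internal ones at equal status."""
    scored = [(rec.host, assess(rec, fixed_versions), rec.internet_exposed) for rec in records]
    scored.sort(key=lambda t: (_SEVERITY[t[1]], not t[2], t[0]))
    return [(host, status) for host, status, _ in scored]


# Constructed inventory: one clean host, one with a pending restart, one unpatched,
# one on a two-digit minor version, and one lab box that is patched but not restarted.
SAMPLE_INVENTORY = [
    HostRecord("fw-edge-01", "edge-firewall", "7.4.5", "7.4.5", False, True),
    HostRecord("fw-edge-02", "edge-firewall", "7.4.5", "7.4.3", True, True),
    HostRecord("mgmt-01", "mgmt-console", "8.0.2", "8.0.2", False, False),
    HostRecord("mgmt-02", "mgmt-console", "8.0.10", "8.0.10", False, True),
    HostRecord("fw-lab-03", "edge-firewall", "7.4.5", "7.4.5", True, False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12s} {status}")
```

The record that matters is fw-edge-02: the installer says the fix is on, the service still reports the old version, and it faces the internet. A version-only patch report would call it done; this check does not.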

VMware vCenter: Treat as “stop-the-line” if unpatched; isolate management interfaces; hunt for unusual admin creation, auth anomalies, or unexpected process execution.

FortiGate SSO abuse: Review SSO config, disable non-essential SSO features, audit for unknown admin accounts, and monitor config export / admin changes.
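Detection logic for the last two points in this item (unknown admin accounts, config export, admin changes arriving through SSO), as an added example that is not code from the newsletter or from Fortinet. It parses key=value event lines and applies five rules. The sample lines are constructed to approximate FortiGate's event-log layout (user, ui, action, cfgpath, cfgobj, logdesc fields); the known-admin set and the list of config paths treated as SSO-related (assumed from the FortiOS CLI sections system saml, system sso-admin, user saml) are assumptions to adjust for your environment.

```python
import re

# Admin accounts the (hypothetical) org knows about; other users making changes are suspect.
KNOWN_ADMINS = {"admin", "secops-ro"}
# Config paths whose change creates admins or alters how SSO admission works (assumed names).
ADMIN_PATHS = {"system.admin", "system.sso-admin"}
SSO_PATHS = {"system.saml", "system.sso-admin", "user.saml"}
CHANGE_ACTIONS = {"Add", "Edit", "Delete", "backup"}

_KV = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse a FortiGate-style key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def rules_for(event):
    """Return the sorted list of rule names an event triggers (empty if benign)."""
    action = event.get("action", "")
    path = event.get("cfgpath", "")
    ui = event.get("ui", "")
    user = event.get("user", "")
    matched = []
    if action == "Add" and path in ADMIN_PATHS:
        matched.append("admin_account_created")
    if action == "backup" or "backup" in event.get("logdesc", "").lower():
        matched.append("config_export")
    if path in SSO_PATHS and action in CHANGE_ACTIONS:
        matched.append("sso_config_modified")
    if ui.lower().startswith("sso") and action in CHANGE_ACTIONS:
        matched.append("sso_sourced_change")
    if action in CHANGE_ACTIONS and user not in KNOWN_ADMINS:
        matched.append("unknown_admin_user")
    return sorted(matched)


def detect(lines):
    """Map 1-based line number -> rule names, for lines that matched at least one rule."""
    alerts = {}
    for n, line in enumerate(lines, 1):
        rules = rules_for(parse_kv(line))
        if rules:
            alerts[n] = rules
    return alerts


# Constructed sample events (not captured from a real device).
SAMPLE_EVENT_LINES = [
    'date=2026-01-25 time=02:58:11 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-01-25 time=03:14:07 type="event" subtype="system" user="saml_ext_user" ui="sso(203.0.113.7)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup2" msg="Add system.admin svc_backup2"',
    'date=2026-01-25 time=03:15:40 type="event" subtype="system" user="svc_backup2" ui="https(203.0.113.7)" '
    'action="backup" logdesc="Configuration backup" msg="Configuration backup performed"',
    'date=2026-01-25 time=09:02:19 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="42" msg="Edit firewall.policy 42"',
    'date=2026-01-25 time=09:10:03 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" '
    'action="Edit" cfgpath="system.saml" cfgobj="saml" msg="Edit system.saml"',
]

if __name__ == "__main__":
    for n, rules in detect(SAMPLE_EVENT_LINES).items():
        print(f"line {n}: {', '.join(rules)}")
```

Lines 2 and 3 together are the pattern this item describes: an admin account created over an SSO session by a user nobody recognizes, followed a minute later by that new account exporting the configuration. Either line alone is worth a ticket; the pair is an incident.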

Telnet exposure: Kill Telnet where possible; if not, hard-segment it, restrict source IPs, and alert on authentication failures and new connections.

⚡ Monday Motivation ⚡

If attackers are moving faster than your patch cycle, your real vulnerability is operational tempo.

Security isn’t losing because defenders don’t know what to do. It’s losing when defenders can’t enforce it consistently.

J.W.

(P.S. Forward this to the teams who own dev tooling, virtualization, firewalls, and patch governance… this week is about execution!)
