Security Check-in Quick Hits: MoltBot AI Risks, 149M Credential Leak, VMware Exploits, Microsoft Zero-Day, n8n RCE Flaws, WinRAR Malware, and Nike Breach
For January 31, 2026
The MoltBot AI Agent: A Double-Edged Sword in Cybersecurity
In the rapidly evolving world of AI assistants, MoltBot (formerly known as Clawdbot) has captured significant attention for its ability to automate tasks across messaging apps, execute shell commands, and integrate with services like email, calendars, and browsers. However, this open-source AI agent, which grants full system access to perform its functions, is emerging as one of the top cybersecurity concerns today. Security researchers have uncovered hundreds to thousands of exposed MoltBot instances on the public internet, often misconfigured without proper authentication. These exposures allow attackers to access private conversation histories, steal API keys, credentials, and even hijack the agent to run malicious commands on the user’s behalf.
The risks stem from MoltBot’s design, which punches through traditional security boundaries to enable autonomy. It stores credentials and environment variables in plaintext files (e.g., under ~/.clawdbot), making them vulnerable to infostealers or compromised machines. Even “deleted” credentials can linger in backups. Additionally, its skill library can be poisoned with malicious instructions, creating supply-chain attack vectors. Attackers can exploit this via prompt injections hidden in messages or HTML, leading to data exfiltration, account takeovers, or unauthorized actions across connected services like WhatsApp, Telegram, Slack, and AI models (e.g., OpenAI, Claude).
Recent rebrands to MoltBot and then OpenClaw haven’t alleviated these issues; in fact, they’ve amplified scrutiny, with experts warning of scams and enterprise risks where employees install it without IT approval. To mitigate, users should run MoltBot with minimal permissions, enable strong authentication on control panels, avoid public exposure, and regularly audit stored data. As AI agents become more prevalent, MoltBot serves as a stark reminder that convenience often comes at the cost of security—treat it like a powerful tool that demands vigilant oversight.
Massive Credential Leak Exposes 149 Million Accounts to Infostealer Risks
A staggering 149 million login credentials have been exposed in an unprotected 96 GB dataset, highlighting the persistent threat of infostealer malware in today’s cyber landscape. This breach includes credentials from major platforms: 48 million Gmail accounts, 17 million Facebook logins, 6.5 million Instagram accounts, 4 million Yahoo, 1.5 million Outlook, 900,000 iCloud, and even sensitive ones like 420,000 Binance crypto logins, alongside Netflix, HBO Max, Disney+, Roblox, OnlyFans, and government (.gov) domains worldwide.
The data, likely aggregated from infostealer campaigns, was left accessible without any password protection, making it a goldmine for cybercriminals to fuel phishing, fraud, and further breaches. Infostealers typically infect devices via malicious apps, browser extensions, or downloads, quietly harvesting logins without immediate detection. This incident underscores how even everyday users can fall victim, with risks extending to identity theft, financial losses, and corporate espionage if work-related accounts are involved.
To protect against such exposures, enable multifactor authentication (MFA) across all accounts, use unique strong passwords managed by a password manager, and install reputable antivirus software to scan for infostealers. Regularly review device permissions, avoid unverified app sources, and keep systems updated. If your credentials might be affected, change passwords immediately and monitor for suspicious activity. This leak is a wake-up call: in an era of rampant data aggregation, proactive hygiene is your best defense against cascading threats.
Active Exploitation of VMware vCenter Vulnerability Puts Virtualization at Risk
A critical vulnerability in VMware vCenter Server (CVE-2024-37079, CVSS 9.8) is under active exploitation, prompting urgent warnings from Broadcom and its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Patched back in June 2024, this flaw allows unauthenticated remote code execution, giving attackers a pathway to compromise high-value control planes and potentially escalate to broader virtualization-layer attacks.
Federal agencies must patch by February 13, but all organizations using vCenter should act immediately, as exploits are confirmed in the wild. The vulnerability affects internet-facing systems, making it a prime target for threat actors seeking persistent access. Once exploited, attackers can deploy malware, steal data, or disrupt operations across virtual environments.
Mitigation steps include applying the latest patches, restricting network access to vCenter, and monitoring for anomalous activity. Implement network segmentation and use intrusion detection systems to catch exploitation attempts. This incident highlights the ongoing challenge of timely patching in complex infrastructures—delays can turn patched vulns into active threats, emphasizing the need for automated update processes and vulnerability management tools.
Microsoft Office Zero-Day Exploit Demands Immediate Patching
Microsoft has issued an emergency patch for a zero-day vulnerability in Office (CVE-2026-21509), actively exploited through malicious OLE objects embedded in documents. This flaw allows remote code execution when users open rigged files, bypassing standard protections and enabling malware delivery.
Attackers are leveraging this in targeted campaigns, often via phishing emails with seemingly legitimate attachments. Once executed, it can lead to data theft, ransomware deployment, or system compromise. The vulnerability affects multiple Office versions, making it a widespread risk for businesses and individuals alike.
Users should apply the patch immediately via Windows Update, enable Protected View for untrusted documents, and use antivirus with behavioral detection. Organizations ought to train employees on phishing awareness and consider disabling OLE objects in policies. This zero-day serves as a reminder of the enduring appeal of Office as an attack vector—staying patched and vigilant is crucial to counter evolving exploits.
Critical RCE Flaws in n8n Workflow Tool Expose Users to Server Hijacking
Two severe vulnerabilities in the open-source workflow automation tool n8n (CVE-2026-1470, CVSS 9.9; CVE-2026-0863, CVSS 8.5) allow attackers to bypass sandbox protections and achieve full remote code execution (RCE). These flaws enable malicious workflows to execute arbitrary commands, steal credentials, and pivot to connected systems.
CVE-2026-1470 exploits deprecated JavaScript features to disguise malicious code, while CVE-2026-0863 targets Python execution on the server. Affecting both cloud and self-hosted instances, exploitation can lead to complete service takeover, data exposure, and API key theft. This is the second set of critical RCE bugs in n8n within a month, following “Ni8mare” (CVE-2026-21858), impacting over 100,000 servers.
Users must update to versions 1.123.17+, 2.4.5+, or 2.5.1+ immediately. Harden deployments by running in containerized environments, limiting user inputs, and monitoring for suspicious workflows. As low-code tools like n8n gain popularity for LLM integrations, these vulns underscore the risks of unvetted code execution—prioritize security audits and least-privilege principles.
WinRAR Vulnerability Fuels Malware Campaigns and Initial Access
A known vulnerability in WinRAR is being actively exploited in malware campaigns to gain initial access, as highlighted in recent threat intelligence reports. Added to CISA’s KEV catalog, this flaw allows attackers to deliver payloads via rigged archives, leading to persistent infections and network compromise.
Often combined with other tactics like PeckBirdy C2 frameworks used by China-linked APTs, it facilitates ransomware and data exfiltration. The ease of exploitation makes it a favorite for widespread attacks.
To defend, update WinRAR to the latest version, scan archives with antivirus before opening, and educate users on safe file handling. Implement endpoint detection and response (EDR) tools to catch post-exploitation activity. This ongoing abuse shows why even older vulns remain dangerous—proactive patching and threat hunting are essential.
Nike Data Breach Investigation Amid Retail Cyber Surge
Nike is investigating a claimed 1.4 TB internal data theft by “World Leaks,” part of a broader wave of retail breaches including Panera Bread and Under Armour. The leak allegedly includes source code, employee data, and customer info, tied to extortion demands.
This incident amplifies risks of phishing and fraud using stolen emails (e.g., 72 million from Under Armour). Retail sectors are prime targets due to vast data holdings.
Consumers should monitor accounts, enable MFA, and watch for suspicious communications. Companies need robust incident response, supply-chain vetting, and encryption. As breaches surge, zero-trust architectures and regular audits can help stem the tide.