Daily Signal Note: Inherited Trust Without Inherited Visibility
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ issues and preserves dated, bounded external cyber judgment.
Not news reaction. Not advisory opinion. Not consensus analysis.
—
Coverage spans ongoing CISO intelligence and versioned decision artifacts, depending on use context.
Signal 1: AI-powered VS Code forks recommended phantom extensions from unclaimed Open VSX namespaces
Koi Security disclosed on January 5, 2026 that Cursor, Windsurf, Google Antigravity, and Trae inherit VS Code's hardcoded extension recommendation lists but cannot use Microsoft's marketplace due to licensing restrictions. These IDEs recommend extensions that do not exist in the Open VSX registry, allowing anyone to register the namespace and upload arbitrary packages. Researchers registered placeholder extensions for ms-ossdata.vscode-postgresql, ms-azure-devops.azure-pipelines, and others. The PostgreSQL placeholder received 500+ installs from developers who trusted the IDE recommendation. Cursor patched on December 1, 2025. Google Antigravity patched on January 1, 2026. Windsurf has not responded. Source: Koi Security, BleepingComputer.
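The gap described in Signal 1 can be checked mechanically before an IDE build or an enterprise extension allowlist ships. The following is an added example, not code from Koi Security or any of the IDE vendors; the registry snapshot, its `verified` flag, and the ID `example-publisher.example-linter` are constructed assumptions.

```python
# Added example: audit an IDE's inherited extension recommendations against a
# snapshot of the registry it actually installs from. All data is constructed.
from dataclasses import dataclass

# Recommendation IDs in "namespace.name" form. The first two are named on the
# page; the third is a hypothetical ID.
RECOMMENDED = [
    "ms-ossdata.vscode-postgresql",
    "ms-azure-devops.azure-pipelines",
    "example-publisher.example-linter",
]

# Constructed snapshot: namespace -> (owner_verified, published extension names).
# The "owner_verified" field is an assumption about what the snapshot records.
REGISTRY = {
    "ms-ossdata": (False, {"vscode-postgresql"}),  # claimed, owner not verified
    "example-publisher": (True, {"example-linter"}),
}

@dataclass(frozen=True)
class Finding:
    ext_id: str
    status: str  # ok | unclaimed-namespace | missing-extension | unverified-owner
    action: str

def audit(recommended, registry):
    """Classify each recommended ID by whether it resolves to a verified owner."""
    findings = []
    for ext_id in recommended:
        namespace, _, name = ext_id.lower().partition(".")
        entry = registry.get(namespace)
        if entry is None:
            # Nobody owns the namespace, so the recommendation points at nothing.
            findings.append(Finding(ext_id, "unclaimed-namespace", "remove recommendation"))
            continue
        verified, names = entry
        if name not in names:
            findings.append(Finding(ext_id, "missing-extension", "remove recommendation"))
        elif not verified:
            findings.append(Finding(ext_id, "unverified-owner", "block until owner confirmed"))
        else:
            findings.append(Finding(ext_id, "ok", "keep"))
    return findings

def blocklist(findings):
    """IDs that should not be offered or auto-installed."""
    return sorted(f.ext_id for f in findings if f.status != "ok")

if __name__ == "__main__":
    for f in audit(RECOMMENDED, REGISTRY):
        print(f"{f.ext_id:40} {f.status:22} {f.action}")
```

The `unverified-owner` case matters as much as the unclaimed one: once a namespace has been registered, existence in the registry alone says nothing about who published the package.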
Signal 2: Android January 2026 security bulletin patches single vulnerability enabling zero-click code execution via audio files
Google released the Android Security Bulletin on January 5, 2026, addressing CVE-2025-54957, a critical out-of-bounds write in Dolby Digital Plus Unified Decoder versions 4.5 through 4.13. Google Project Zero researchers achieved zero-click remote code execution on Pixel 9 via an RCS audio message. The vulnerability is rated critical on Android because the operating system auto-decodes incoming audio for transcription and preview generation, enabling exploitation without user interaction. The same vulnerability is rated medium severity on iOS, macOS, Windows, and ChromeOS, where user action is required. Belgian CERT recommended disabling RCS as mitigation. Pixel devices were patched in December 2025. Source: Google AOSP, SecurityWeek, Dolby Security Advisory.
Signal 3: Full disclosure of Airoha Bluetooth chipset vulnerabilities enables smartphone compromise via headphones
ERNW researchers published a full technical disclosure on December 27, 2025 at the 39C3 conference detailing CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702 in the Airoha Bluetooth SDK. The vulnerabilities affect headphones from Sony, Marshall, JBL, Bose, Jabra, Beyerdynamic, Xiaomi, and others. Attackers within Bluetooth proximity can connect without authentication, exfiltrate flash memory containing Bluetooth Link Keys, and impersonate the headphones to connected smartphones. Impersonation enables eavesdropping on calls, extracting contact lists, and accessing the phone from the headphones' trusted peripheral position. Airoha released SDK patches in June 2025. Vendor adoption is inconsistent. The RACE Toolkit was released for user verification. Source: Insinuator, CyberInsider.
Signal 4: Dartmouth breach notification confirms 40,000+ affected in Clop Oracle E-Business Suite campaign
The Dartmouth newspaper reported on January 7, 2026 that over 40,000 individuals had personal information compromised in an August 2025 cyberattack on Dartmouth College's Oracle E-Business Suite software. The attack occurred August 9-12, 2025, exploiting CVE-2025-61882. Clop claimed responsibility. Data stolen includes Social Security numbers and bank account information. The campaign has hit over 100 organizations worldwide, including Harvard University, University of Pennsylvania, University of Phoenix (3.5M affected), The Washington Post, and Logitech. Source: The Dartmouth, BleepingComputer.