
*ThreatWire* January 2026 Cybersecurity Roundup: California's DROP Law, Critical NATN Vulnerabilities, White Supremacist Site Hacks, and Libsodium's First CVE
The January 2026 edition of ThreatWire highlights several cybersecurity updates.

California activated the DROP (Delete Request and Opt-Out Platform) law on January 1, 2026, allowing residents to request the universal deletion of their data from data brokers via a government platform. Brokers will have 45 days to comply starting August 2026. The 2024 Delete Act, which saw only 1% adoption due to its complexity, was deemed ineffective.

Four critical vulnerabilities were discovered in NATN, a popular open-source automation tool since 2025. The CVEs are CVE-2025-68613 (CVSS 9.9, arbitrary code execution via injection), CVE-2025-68668 (CVSS 9.9, remote code execution via Python/JS), CVE-2026-21877 (CVSS 10, arbitrary file write), and CVE-2026-21858 (CVSS 10, unauthenticated RCE via webhooks). Patches require frequent updates.

At the CCC 2025 conference, the hacking of three white supremacist dating sites was revealed: an anonymous hacker, Martha Root, exfiltrated data, took control of the sites, and deleted them live.

Finally, Libsodium, a renowned encryption library, announced its first CVE (CVE-2025-69277, CVSS 4.5) after 13 years, related to a missing verification in the Edwards25519 curve. A fix has been released.