Cybersecurity News: Unleash Protocol hackers drain millions, DarkSpectre campaigns exposed, Shai-Hulud led Trust Wallet heist

In today’s cybersecurity news…

Unleash Protocol hackers drain millions

Hackers drained about $3.9 million from Unleash Protocol after gaining administrative control of its multisig governance and pushing an unauthorized smart contract upgrade, according to both Unleash and blockchain security firm PeckShieldAlert. The attacker withdrew multiple assets, bridged the funds to external addresses, and laundered roughly 1,337 ETH through Tornado Cash, a mixer previously sanctioned for laundering funds tied to North Korean hacking groups. Unleash paused operations and is investigating with external security firms, warning users not to interact with its contracts. (BleepingComputer)

DarkSpectre campaigns exposed

Koi Security researchers say a Chinese-linked threat actor they track as DarkSpectre has run three long-running malicious browser extension campaigns that together impacted more than 8.8 million users across Chrome, Edge, Firefox, and Opera. The campaigns, dubbed ShadyPanda, GhostPoster, and Zoom Stealer, used legitimate-looking extensions to hijack searches, commit ad fraud, and quietly collect sensitive corporate meeting data from platforms like Zoom, Google Meet, and Microsoft Teams. Koi describes the operation as infrastructure for large-scale corporate espionage, rather than consumer fraud. (The Hacker News)

Shai-Hulud attack led Trust Wallet heist

Trust Wallet says a supply chain attack linked to the Shai-Hulud malware led to a malicious update of its Chrome browser extension, resulting in about $8.5 million stolen from roughly 2,520 wallets. According to Trust Wallet’s post-incident analysis, attackers used exposed GitHub secrets to gain access to the Chrome Web Store API, bypass release controls, and publish a trojanized extension that harvested users’ wallet recovery phrases. The campaign is tied to the broader Shai-Hulud supply chain operation, which researchers at Upwind say continues to evolve. (SecurityWeek)

Disney settles data privacy lawsuit

Disney will pay a $10 million civil penalty to settle claims that it violated the Children’s Online Privacy Protection Act by mislabeling YouTube videos and allowing data collection for targeted ads. The Justice Department said Disney failed to mark kid-directed content as “Made for Kids,” enabling YouTube to collect personal data from children under 13. The settlement also requires Disney to notify parents before collecting kids’ data and ensure videos are properly designated. (BleepingComputer)

Huge thanks to our sponsor, ThreatLocker

Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at ztw.com.

RondoDox exploits React2Shell flaw

The RondoDox botnet is exploiting the critical React2Shell flaw to infect vulnerable Next.js servers with malware and cryptominers. It’s been active since December 8th and deploys coinminers, botnet loaders, and Mirai variants while targeting IoT devices hourly to expand its network. The botnet also removes competing malware and enforces persistence on infected hosts. Over 94,000 internet-exposed assets remain vulnerable. CloudSEK advises auditing and patching Next.js Server Actions, isolating IoT devices, and monitoring for suspicious processes to mitigate risk. (BleepingComputer)

MongoBleed: US, China, EU among top exploited GEOs

We’ve talked about MongoBleed, a critical vulnerability in MongoDB Server that allows remote memory leaks without authentication when zlib network compression is enabled. It affects all versions from 3.6 onward and can be exploited on internet-facing or internally reachable instances. The highest concentrations of exposed servers are in China, the U.S., and Germany, with global distribution across several other countries. CISA has added it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate by January 19th. (Security Affairs)

Treasury removes sanctions for Intellexa execs

The U.S. Treasury Department removed sanctions on three executives previously linked to Intellexa, the maker of Predator spyware, reversing 2024 designations. The delisting followed a petition asserting the individuals had separated from Intellexa, which is known for zero- and one-click attacks on devices, including targeting over 50 U.S. government staffers. Digital rights advocates expressed concern that the move could signal leniency to spyware operators. Predator use reportedly slowed in 2025 but remains active globally, including in Iraq, Pakistan, and Mozambique. (The Record)

IBM warns of API Connect bug

IBM disclosed a critical authentication bypass vulnerability in API Connect, potentially allowing remote attackers to gain unauthorized access. Affected versions include 10.0.8.0–10.0.8.5 and 10.0.11.0. IBM advises applying the fix from Fix Central, or disabling self-service sign-up on the Developer Portal to reduce exposure. No evidence of exploitation has been reported. (The Hacker News)