⚠️ Attackers turned npm into phishing infrastructure over five months.

27 npm packages were used as CDN-hosted lures mimicking document sharing and Microsoft sign-in pages, targeting sales staff at 25 industrial and healthcare firms.

🔗 Read → https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

⚡ Cyber attacks did not slow down at the end of 2025.

⚠️ Bugs were used fast
🔓 Trusted software was misused
💸 Old breaches caused new losses
📱 Cloud, crypto, mobile, insiders all showed up

This weekly recap breaks down what mattered in the final week of 2025 and what carries into 2026.

Read: https://thehackernews.com/2025/12/weekly-recap-mongodb-attacks-wallet.html

🛑 Mustang Panda is deploying TONESHELL via a kernel-mode rootkit driver.

The signed driver loads before antivirus tools, injects the backdoor into system processes, and blocks security visibility.

🔗 Read → https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html

Silver Fox has shifted active phishing operations toward India, using income tax lures to deploy ValleyRAT.

The attack abuses legitimate Windows software and DLL sideloading to gain quiet, persistent access.

Researchers say the modular RAT enables role-based spying and credential theft.

🔗 Read → https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with.html

Singapore’s CSA warns of a critical flaw in SmarterMail email servers.

The bug allows unauthenticated remote code execution via arbitrary file upload, scoring a perfect 10.0 on CVSS.

Any exposed server could be taken over without login.

🔗 Read → https://thehackernews.com/2025/12/csa-issues-alert-on-critical.html

Most SOCs are already testing AI. The problem is how it’s used.

The 2025 SANS SOC Survey shows 40% of SOCs run AI tools outside defined operations, leaving output inconsistent and hard to trust.

AI helps only when scoped, tested, and reviewed like any other system.

🔗 Why AI fails without workflow discipline → https://thehackernews.com/2025/12/how-to-integrate-ai-into-modern-soc.html

The U.S. Treasury quietly removed three people linked to Intellexa’s Predator spyware from its sanctions list, without explanation.

Weeks earlier, the same spyware was tied to an attempted WhatsApp attack on a Pakistani human rights lawyer, highlighting continued risk.

🔗 Read → https://thehackernews.com/2025/12/us-treasury-lifts-sanctions-on-three.html

Researchers found a modified Shai-Hulud malware strain hidden in an npm package updated after years of inactivity.

The malicious release was downloaded 197 times, with no signs of further spread so far.

🔗 Read → https://thehackernews.com/2025/12/researchers-spot-modified-shai-hulud.html

IBM disclosed a critical flaw in API Connect that lets attackers bypass login and gain remote access.

The issue, CVSS 9.8, affects versions 10.0.8.0–10.0.8.5 and 10.0.11.0.

No active exploitation seen, but fixes are advised now.

🔗 Read → https://thehackernews.com/2025/12/ibm-warns-of-critical-api-connect-bug.html

Researchers linked three malicious browser extension campaigns to one Chinese threat actor.

Over 8.8 million users across Chrome, Edge, and Firefox were affected over seven years, with some extensions lying dormant for years before turning malicious.

🔗Read → https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html

⚠️ Trust Wallet links its Chrome extension hack to Sha1-Hulud, an industry-wide supply-chain attack abusing developer tools.

The breach led to a malicious update and $8.5M in crypto theft before users were told to update.

🔗 Details here → https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html

🔒 A botnet called RondoDox has been quietly expanding for nine months, now abusing React2Shell (CVSS 10.0) to compromise Next.js servers and IoT devices.

Over 90k systems stay exposed, mostly in the U.S. 🇺🇸 The malware kills rivals and maintains persistence.

🔗 Details → https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html

🔥 ThreatsDay Bulletin: First of 2026

• GhostAd drains phones
• GlassWorm hits Macs
• AWS key flaw
• DPRK fake devs
• Meta ad cleanup
• Proxy botnets
• Crypto heists
• Cloud exploits
• Android fraud
• Hacktivist ops
• OceanLotus malware
• Magecart upgrade
• Disney fined

Full recap ⬇️ https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

🚨 A former Coinbase support agent was arrested in India after hackers bribed contractors to steal customer data.

The breach exposed 69,461 users and led to a $20M ransom demand. Coinbase cut ties with involved vendors and says more arrests are coming.

🔗 Details → https://thehackernews.com/2025/12/weekly-recap-mongodb-attacks-wallet.html#:~:text=Former%20Coinbase%20Customer%20Service%20Agent%20Arrested%20in%20India

Researchers uncovered phishing sent through Google Cloud’s built-in email feature. Emails came from google[.]com, not spoofed domains, making them harder to spot.

Clicks passed through Google-hosted pages before stealing Microsoft login credentials.

🔗 Read → https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html

APT36 (Transparent Tribe) has been linked to new espionage attacks against Indian government and academic targets.

Emails deliver ZIP files with PDF-looking LNK shortcuts that run malware via mshta.exe and load the RAT in memory.

🔗 Technical details → https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html

Attack Surface Management usually proves visibility, not safety.

Teams count assets and alerts, but can’t show reduced exposure.

ROI only appears when risky assets get owned and fixed faster, not when inventories grow.

🔗 Why ASM feels busy but ineffective → https://thehackernews.com/2026/01/the-roi-problem-in-attack-surface.html

⚠️ Researchers disclosed VVS Stealer, a Python-based infostealer built to drain Discord tokens and browser data.

alerts to stay active. Obfuscated with PyArmor, it’s designed to slip past signature-based defenses.

🔗Read → https://thehackernews.com/2026/01/new-vvs-stealer-malware-targets-discord.html

Ilya Lichtenstein, sentenced in 2024 for laundering funds tied to the 2016 Bitfinex hack, says he was released early.

He credits the First Step Act after serving time for moving proceeds from 119,754 bitcoin stolen in the breach.

🔗 Read → https://thehackernews.com/2026/01/bitfinex-hack-convict-ilya-lichtenstein.html

🔥 No reset for cyber risk in 2026.

The latest recap shows steady pressure across common systems.

🖧 IoT botnets abusing React2Shell
🔐 Trust Wallet Chrome extension breach
🧩 Malicious browser extensions at scale
💸 Crypto scams via fake wallet updates
📡 Botnets targeting exposed routers
🧑‍💻 Phishing via legitimate services
🔄 Old flaws reused and re-exploited
🏗️ Supply chain gaps in plugins and tools

🔗 Read the latest weekly cyber recap → https://thehackernews.com/2026/01/weekly-recap-iot-exploits-wallet.html

Passwords, perimeter tools, and annual training are no longer enough on their own. Across SaaS, endpoints, and supply chains, attackers move faster by abusing trust and context.

The report shows how defenders are responding — from hardware-backed identity to binary verification. Identity is becoming the control plane.

🔗 Full analysis and expert insights → https://thehackernews.com/2026/01/the-state-of-cybersecurity-in-2025key.html