I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday, or scroll to the bottom to subscribe to the e-mail newsletter.

1. MongoDB “MongoBleed” Memory-Leak Vulnerability (CVE-2025-14847) Under Active Exploitation

A critical zlib decompression flaw in MongoDB Server (CVSS 8.7) allows unauthenticated remote attackers to leak uninitialized heap memory, exposing credentials, API keys, and other sensitive data. Public proof-of-concept code has driven active exploitation across more than 87,000 internet-exposed instances worldwide, prompting CISA to add the defect to its catalog of known exploited vulnerabilities. 

Key Details

  • Flaw in MongoDB’s zlib message decompression (message_compressor_zlib.cpp) leaks adjacent heap memory.
  • Default zlib compression enabled; affects MongoDB versions 4.4.0–8.2.2; patches available in 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, 8.2.3.
  • Exploit requires no authentication or user interaction to leak memory.
  • Over 87,000 exposed instances; 42% of cloud environments host vulnerable versions.
  • Open-source “MongoBleed Detector” tool now available for log-based hunting.

Next Steps

  • Upgrade to fixed MongoDB versions immediately.
  • Restrict port 27017 access to trusted hosts only.
  • Review MongoDB logs for high-volume pre-authentication connections.
  • Run “MongoBleed Detector”
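One way to carry out the “review MongoDB logs for high-volume pre-authentication connections” step, as an added example that is not code from the page or from the MongoBleed Detector tool it mentions: it parses MongoDB’s structured JSON log (4.4 and later), counts connections per client address and reports clients that connected many times without ever authenticating, which is the only footprint a pre-authentication memory leak leaves in the server log. The sample lines are constructed, the threshold is an assumption to tune per deployment, and monitoring probes or misconfigured clients produce the same pattern, so hits are leads to check, not proof of exploitation.

```python
import json
import sys
from collections import defaultdict

def make_sample_log():
    """Constructed sample in MongoDB's structured JSON log format (4.4+); message texts
    and ids follow mongod's own, while hosts, ports and timestamps are made up."""
    def rec(component, log_id, ctx, msg, attr):
        return json.dumps({"t": {"$date": "2025-12-29T10:00:00.000+00:00"}, "s": "I",
                           "c": component, "id": log_id, "ctx": ctx, "msg": msg, "attr": attr})
    lines = [rec("NETWORK", 22943, "listener", "Connection accepted",
                 {"remote": "10.0.0.5:52344", "connectionId": 1}),
             rec("ACCESS", 20250, "conn1", "Authentication succeeded",
                 {"mechanism": "SCRAM-SHA-256", "principalName": "app",
                  "authenticationDatabase": "admin", "remote": "10.0.0.5:52344"})]
    # Leak-style traffic: many short-lived connections from one host, none of which
    # ever authenticates (the flaw is reachable before authentication).
    for i in range(2, 52):
        attr = {"remote": f"203.0.113.7:{40000 + i}", "connectionId": i}
        lines.append(rec("NETWORK", 22943, "listener", "Connection accepted", attr))
        lines.append(rec("NETWORK", 22944, f"conn{i}", "Connection ended", attr))
    return lines

def hunt_preauth_floods(lines, min_connections=20):
    """Return {client_ip: connections} for clients that opened at least
    min_connections connections and never completed authentication."""
    accepted, authenticated = defaultdict(int), defaultdict(int)
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank line, pre-4.4 text format or truncated line: skip
        remote = rec.get("attr", {}).get("remote")
        if not remote:
            continue
        ip = remote.rsplit(":", 1)[0]  # strip the port; also works for [IPv6]:port
        if rec.get("msg") == "Connection accepted":
            accepted[ip] += 1
        elif rec.get("msg") == "Authentication succeeded":
            authenticated[ip] += 1
    return {ip: n for ip, n in accepted.items()
            if n >= min_connections and authenticated[ip] == 0}

if __name__ == "__main__":
    # With a mongod.log path as argument the real log is scanned; otherwise the sample.
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else make_sample_log()
    for ip, n in sorted(hunt_preauth_floods(source).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} connections, none authenticated")
```

Run it against the log of an instance that was exposed before patching; a client that appears here and is not a known monitoring host is worth correlating with the exposure window and rotating any credentials the server held in memory.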

Read more at The Hacker News, SecurityWeek, Cybersecurity News, SiliconANGLE, CyberScoop, Phoenix Security, Shadowserver via Cybersecurity News, The Hacker News, SecurityWeek, Cybersecurity News (CISA alert), CyberScoop, Cybersecurity News (Detector Tool), Phoenix Security


2. China Proposes Draft Regulations for AI ‘Companion’ Apps

China’s CAC unveiled draft rules targeting AI-driven “companion” apps, requiring clear AI disclaimers, usage limits, emotional dependency checks and emergency human intervention for self-harm disclosures. The measures, open for public comment until Jan. 25, 2026, aim to curb addiction and safeguard users against harmful or manipulative AI behaviors.

Key Details

  • Pop-ups to identify AI and prompts after two hours continuous use
  • Systems must flag and restrict service for emotional dependency
  • Emergency protocol for handoff when users signal self-harm or suicide
  • Bans include national security risks, misinformation, obscenity and emotional manipulation

Read more at SiliconANGLE


3. Infostealer Malware Delivered via EmEditor Supply Chain Attack

Between Dec. 19–22, attackers modified EmEditor’s official download link to serve a malicious .msi installer instead of the legitimate version, exposing users to an infostealer payload. The fake installer carried a spoofed signature (WALSHAM INVESTMENTS LIMITED) and deployed PowerShell and VBScript routines to harvest credentials, browser data, VPN settings, and more.

Key Details

  • Download button redirected to a malicious .msi on EmEditor’s own site for ~72 hours.
  • Installer mimicked original size/name but bore a non-Emurasoft digital signature.
  • Payload collected system info, Desktop/Documents/Downloads files, and app/browser credentials.
  • Installed “Google Drive Caching” browser extension for persistence, cookie theft, keystroke logging, and crypto-address hijacking.
  • Malware self-terminates on systems set to languages of former Soviet states or Iran.

Next Steps

  • Verify installer signatures and SHA-256 checksums before deployment.
  • Scan endpoints for indicators of compromise (IoCs) from Qianxin and Emurasoft.
  • Reset credentials and review browser extensions on affected systems.
  • Hunt for unusual PowerShell downloads and the “Google Drive Caching” extension.

Read more at SecurityWeek, Qianxin RedDrip Team, Emurasoft Notice, HackRead, SecurityWeek, Cybersecurity News, HackRead


4. Shai-Hulud Supply Chain Attack on Trust Wallet Chrome Extension Drains $8.5 Million

Trust Wallet’s Chrome extension (v2.68) was hijacked via leaked GitHub secrets and a stolen Chrome Web Store API key, enabling attackers to push a trojanized build that exfiltrated users’ wallet seed phrases. The backdoor, hosted on bulletproof infrastructure under metrics-trustwallet[.]com, ran on every unlock and drained about $8.5 million from 2,520 wallets. Trust Wallet has released version 2.69, begun reimbursements, and strengthened its release pipeline controls.

Key Details

  • Attack traced to Shai-Hulud 2.0 worm exposure in late Nov 2025.
  • Leaked GitHub secrets gave full Chrome Web Store API access.
  • Malicious extension loots all configured wallets on each unlock.
  • Infrastructure staged by Dec 8; malicious update pushed on Dec 24.
  • 2,520–2,596 addresses were drained, impacting both new and long-used wallets.

Next Steps

  • Immediately update to Trust Wallet Chrome extension v2.69.
  • Rotate seed phrases and any exposed keys or tokens.
  • Rotate and revoke Chrome Web Store API keys immediately.
  • Audit and remove or upgrade npm dependencies vulnerable to Shai-Hulud.

Read more at The Hacker News, SecurityWeek, BleepingComputer, The Hacker News, SecurityWeek, BleepingComputer


5. RondoDox Botnet Hijacks 90,000+ Devices via React2Shell Flaw

The RondoDox group is exploiting CVE-2025-55182 in Next.js to compromise over 90,000 unpatched servers, routers, IP cameras, and IoT devices. Operators deploy multi-architecture Mirai variants, cryptominers, and botnet frameworks that purge rival malware and establish persistent control.  

Key Details

  • Shadowserver reports 90,300+ vulnerable systems worldwide.
  • Targets include D-Link, Netgear, TP-Link routers and smart cameras.
  • The flaw allows unauthenticated RCE via a single HTTP request to React Server Function endpoints.
  • RondoDox scanned for vulnerable Next.js servers between Dec. 8–16 and began payload drops on Dec. 13.
  • Payloads include a coin miner (/nuts/poop), Mirai variant (/nuts/x86), and a “health checker” that removes competing malware (/nuts/bolts).

Next Steps

  • Apply the React2Shell patch in Next.js (upgrade to v19.1.1+).
  • Monitor for unusual processes named “nuts/poop” or “nuts/bolts.”

Read more at HackRead, SecurityWeek, SecurityWeek, HackRead, BleepingComputer


6. Coupang to Issue $1.17B in Vouchers After Insider Breach, Recovers Smashed Laptop in Probe

South Korea’s Coupang confirmed a former employee accessed 33.7 million customer accounts, stealing names, phone numbers, addresses and some order histories. The retailer will spend 1.685 trillion won (~$1.17 billion) on one-time vouchers starting January 15, 2026, while forensic teams recovered the perpetrator’s smashed MacBook Air from a river to complete evidence collection under government oversight.

Key Details

  • Former employee accessed names, phone numbers, addresses of up to 33.7 M accounts.
  • Forensic team retrieved a smashed MacBook Air that had been weighted down in a river and recovered evidence from it.
  • Analysis shows data from ~3,000 accounts retained then deleted; no evidence of sale.

Next Steps

  • Audit privileged insider access; tighten access controls and data-wipe procedures.
  • Enhance insider access monitoring and offboarding controls.
  • Implement egress monitoring for unusual device downloads.

Read more at SecurityWeek, The Record, HackRead, CybersecurityNews.com, The Record, Cybersecurity News, SecurityWeek, SecurityWeek, CybersecurityNews, The Record


7. Security Flaws Expose 2.3M WIRED Subscriber Records; 40M More at Risk in Condé Nast Breach

Hackers exploited insecure direct object references and broken access controls in Condé Nast’s shared identity platform to dump 2.3 million WIRED subscriber records and threaten release of 40 million additional profiles from Vogue, The New Yorker and others. Exposure of names, email addresses, physical addresses and phone numbers heightens phishing, doxing and regulatory notification risks across multiple publications.

Key Details

  • Data leaked: 2.3 million emails, 285,936 names, 102,479 home addresses, 32,426 phone numbers
  • Records span account creation dates from 2011–2022; recent activity through Sep 2025
  • Flaws exploited: IDOR and broken access controls on unauthenticated account APIs

Next Steps

  • Audit all API endpoints for IDOR and access-control weaknesses
  • Harden centralized identity system permissions and session handling

Read more at Cybersecurity News, SiliconANGLE, SecurityWeek


8. European Space Agency Confirms Breach of External Servers After Hacker Offers 200 GB of Data for Sale

The European Space Agency has confirmed that a small number of its external science servers were compromised after a hacker using the alias “888” offered 200 GB of allegedly stolen data for sale. Initial findings show only unclassified collaborative engineering environments outside the core corporate network were affected, with no evidence of classified system intrusion. Exposed source code, API tokens, configuration files and credentials pose supply-chain and espionage risks for ESA and its partners.

Key Details

  • Hacker “888” claimed mid-December access, posted screenshots on BreachForums/DarkForums.
  • Affected systems support unclassified collaboration tools (Bitbucket, CI/CD pipelines, issue trackers).
  • Stolen assets allegedly include source code, access tokens, credentials and confidential engineering docs.
  • Actor “888” has a history of high-profile breaches (Shopify, Decathlon) and demands payment in Monero.
  • Data for sale reportedly includes source code, documentation, Terraform and SQL files.

Read more at SecurityWeek, SiliconANGLE, Hackread.com, SecurityWeek, HackRead, SiliconANGLE, BleepingComputer


9. Criminals Exploit Google Cloud’s Application Integration for Multi-Stage Phishing

Attackers are abusing Google Cloud’s Application Integration “Send Email” task to dispatch phishing messages from a genuine Google-owned address, enabling them to bypass SPF/DMARC checks and land in inboxes. Over 9,300 emails targeted roughly 3,200 organizations worldwide in December 2025, luring recipients through trusted-looking voicemail and file-access alerts into a multi-stage redirect that culminates in a fake Microsoft login page.

Key Details

  • 9,394 phishing emails sent over 14 days to targets in the US, APAC, Europe, Canada and Latin America.
  • Messages originate from “noreply-application-integration@google.com,” mimicking Google voicemail/file-share notifications.
  • Attack chain: storage.cloud.google.com → googleusercontent.com CAPTCHA → fake Microsoft login on a non-Microsoft domain.
  • Primary sectors hit: manufacturing, technology, finance, professional services, retail (plus media, education, healthcare, energy, government, travel, transportation).

Next Steps

  • Audit all Application Integration “Send Email” tasks for unauthorized configurations.
  • Enforce multi-factor authentication on mailboxes to limit credential theft impact.
  • Update phishing training to include trusted-sender and cloud-service abuse scenarios.
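As an added example (not code from the page or from the cited reports), a mail-gateway triage rule built from the campaign’s stated indicators: the Application Integration sender address combined with voicemail/file-share lure wording or a storage.cloud.google.com first hop. Because this mail passes SPF/DMARC, the rule keys on sender plus content rather than authentication results; the two messages are constructed, and since legitimate integration notices come from the same address, the outcome is a review verdict rather than an automatic block.

```python
import email
import re
from email import policy

# Sender used by Google Cloud Application Integration's "Send Email" task, as named in
# the campaign reporting; the lure and link patterns below mirror the described chain.
AI_SENDER = "noreply-application-integration@google.com"
LURE = re.compile(r"voice\s?mail|shared (a |the )?(file|document)|file access", re.I)
FIRST_HOP = re.compile(r"https?://storage\.cloud\.google\.com/\S+", re.I)

def triage(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message.
    Verdict is "review" when the mail comes from the Application Integration sender
    AND carries lure wording or a storage.cloud.google.com link; otherwise "pass"."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    from_ai = AI_SENDER in sender
    if from_ai:
        reasons.append("sent through Application Integration sender")
    if LURE.search(subject) or LURE.search(text):
        reasons.append("voicemail/file-share lure wording")
    for link in FIRST_HOP.findall(text)[:1]:
        reasons.append(f"first redirect hop on Google storage: {link}")
    verdict = "review" if from_ai and len(reasons) >= 2 else "pass"
    return verdict, reasons

# Constructed messages: one mimicking the campaign, one a benign integration notice.
SAMPLE_PHISH = """From: Google <noreply-application-integration@google.com>
To: finance@example.com
Subject: New voicemail message (0:47)
Content-Type: text/plain; charset=utf-8

You have a new voice mail. Listen here:
https://storage.cloud.google.com/example-bucket/listen.html
"""
SAMPLE_LEGIT = """From: Google <noreply-application-integration@google.com>
To: ops@example.com
Subject: Integration run finished: nightly-export
Content-Type: text/plain; charset=utf-8

Integration nightly-export completed with 0 errors.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, *triage(raw))
```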

Read more at The Hacker News, Cyber Security News


10. Former Cybersecurity Experts Plead Guilty to BlackCat Ransomware Extortion

Two US-based incident-response professionals from Sygnia and DigitalMint admitted they leveraged their trusted roles to deploy ALPHV/BlackCat ransomware against at least five American companies, extorting $1.2 million from a Florida medical device firm. 

Their guilty pleas underscore an emerging insider-threat vector within ransomware negotiation services and prompt urgent reassessment of third-party vetting and oversight.

Key Details

  • Defendants: Ryan Goldberg (former Sygnia incident-response manager) and Kevin Martin (ex-DigitalMint ransomware negotiator).
  • Timeline: Attacks carried out April–December 2023 against a medical device maker, pharma firm, doctor’s office, drone manufacturer, and engineering company.
  • Proceeds: $1.2 million in Bitcoin from one Tampa-area victim; 20% paid to ALPHV administrators.
  • Broader impact: BlackCat/ALPHV knocked out systems at over 1,000 organizations before its December 2023 takedown.

Next Steps

  • Implement background checks for all IR and negotiation vendors.
  • Continuously audit third-party access to critical networks.
  • Mandate immediate reporting of any suspicious or unethical IR behavior.

Read more at The Record, SecurityWeek


Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
