By security practitioners, for security practitioners

Top 10 Cybersecurity News (Dec. 29, 2025): Historic “Mega Leak” of 16B Credentials, FortiGate Authentication Bypass Threats, Active Exploitation of “MongoBleed” Vulnerability, and More

WEEKLY TOP TEN: December 29, 2025, 16:00 GMT

  1. Historic “Mega Leak” of 16 Billion Credentials

    A massive credential aggregation, billed as the largest password exposure on record, was analyzed this week following its discovery. The dataset holds more than 16 billion login records tied to services including Google, Apple, Facebook, and GitHub. It is not a fresh breach of those companies; it is a “credential buffet” stitched together from years of infostealer malware logs and earlier leaks, so much of the data is recycled. The scale still matters: a set this large feeds industrial-scale credential stuffing, and any organization that tolerates password reuse or has not enforced multi-factor authentication is at serious risk.
  2. React2Shell Zero-Day Hits Critical Infrastructure

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a CVSS 10.0 vulnerability in Meta’s React Server Components to its Known Exploited Vulnerabilities (KEV) catalog. Known as “React2Shell” (CVE-2025-55182), the flaw enables unauthenticated remote code execution through insecure deserialization. Within hours of disclosure, threat actors linked to Chinese hacking groups began exploiting it to deploy cryptominers and persistent backdoors. Because React Server Components underpin many modern web applications, the exposed surface is large: federal agencies were required to patch by the December 26 KEV deadline, and private enterprises should treat the fix with the same urgency.
  3. Nissan Targeted in Red Hat Supply Chain Incident

    Nissan confirmed that thousands of its customers were affected by a security incident originating from a breach at Red Hat. The event is supply-chain related: the attackers obtained Nissan data through the vendor’s compromised environment rather than through Nissan’s own systems. The downstream impact highlights why manufacturers need to track not only their software bills of materials (SBOMs) but also which of their data their vendors hold. The incident fits a broader pattern of attackers targeting widely used enterprise Linux vendors as a route to high-value corporate customers.
  4. FortiGate Authentication Bypass Threats

    Critical vulnerabilities in Fortinet FortiGate appliances (CVE-2025-59718 and CVE-2025-59719) drew attention this week as attackers began attempting to bypass authentication through the SAML single sign-on (SSO) flow. Security firms observed a rise in malicious login attempts against internet-facing devices. Because FortiGate appliances typically sit at the network perimeter, a successful bypass hands the attacker a foothold from which to move laterally. Administrators should patch, review SSO and administrative login logs for unexpected sessions, and keep the management interface off the internet.
  5. MENA Region Hit by Coordinated Fake Job Scams

    A coordinated campaign targeting the Middle East and North Africa (MENA) region with fake online job advertisements was identified this week. The attackers impersonated recruitment agencies to lure professionals at major energy and finance companies, including Aramco. The ads lead to infostealer malware that exfiltrates corporate VPN credentials. The campaign underscores the growing use of social engineering on professional networking platforms to bypass technical perimeters and gain a foothold in critical infrastructure sectors.
  6. Active Exploitation of “MongoBleed” Vulnerability

    Security researchers confirmed that a critical memory-disclosure flaw in MongoDB, tracked as CVE-2025-14847 and dubbed “MongoBleed,” is being actively exploited. The bug lets unauthenticated attackers read sensitive data, including user credentials and session tokens, directly from server memory. It is most dangerous for self-hosted instances: reported data indicates that nearly 42% of cloud environments contain at least one vulnerable instance. MongoDB Atlas customers have already been patched on the service side, but operators of on-premises deployments must update now. Because the leak is reachable before authentication, limiting network exposure of the database port is the compensating control until the patch is applied.
  7. Spotify Investigates Massive Metadata Scraping

    Spotify opened an investigation after a “pirate activist” group claimed to have scraped and released metadata for roughly 256 million music tracks and 86 million audio files. The company said its corporate systems were not breached; the third party reportedly used illicit techniques to bypass digital rights management (DRM) and pull the audio. The incident shows the continuing contest between streaming services and sophisticated scrapers, who abuse legitimate APIs and web interfaces to exfiltrate large volumes of proprietary data for secondary markets.
  8. WatchGuard Firebox Critical RCE Exploitation

    As of December 22, more than 115,000 internet-exposed WatchGuard Firebox devices appeared unpatched against a critical remote code execution (RCE) vulnerability (CVE-2025-14733). The flaw sits in the iked process and lets an unauthenticated attacker execute arbitrary code remotely when the device is configured for IKEv2 VPN. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by December 26. Shadowserver data showed more than 115,000 instances still exposed as of the holiday weekend, leaving them prime targets for initial network entry. Organizations that cannot patch immediately should confirm whether IKEv2 is actually in use and disable it where it is not.
  9. MacSync Malware Bypasses Apple Gatekeeper

    A new macOS stealer dubbed “MacSync” was found using a signed application to slip past Apple’s Gatekeeper. The malware targets browser cookies, saved passwords, and cryptocurrency wallets. The discovery undercuts the common assumption that macOS is inherently safer than Windows against infostealers. Organizations with mixed-OS fleets should confirm that their endpoint detection and response (EDR) tooling is tuned for MacSync’s behavior, which mimics legitimate system synchronization processes.
  10. React 19 Source Code Exposure Vulnerability

    Beyond the RCE flaw, a further React 19 vulnerability (CVE-2025-67779) was disclosed that can lead to unintended source code exposure. Less immediately damaging than code execution, source exposure can still reveal embedded API keys, logic flaws, and backend endpoints to attackers. Security teams should review their dependencies and update to the latest React versions to deny attackers this “reconnaissance-in-depth,” in which exposed code is used to plan more targeted follow-on attacks.
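
Item 1 warns of industrial-scale credential stuffing and item 4 asks readers to audit authentication logs. The following is an added example of the check a detection engineer would run, not Novacoast tooling or code from any vendor mentioned above: it flags a source IP that fails against many distinct accounts inside a short window (the stuffing and spraying signature, as opposed to one user mistyping their own password) and records any account that then succeeds from that source. The log format, the sample lines, the field names, the window and the threshold are all constructed assumptions to adapt to your own IdP, VPN or SSO logs.

```python
"""Flag likely credential-stuffing sources in an authentication log.

Added example for this digest, not Novacoast or vendor code. The log format is a
constructed, simplified one (timestamp, source IP, username, result); adapt
LINE_RE to the IdP, VPN or SSO log you actually have.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<ip>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: 10.0.0.9 is one user mistyping their own password;
# 203.0.113.5 tries many different accounts and eventually lands one.
SAMPLE_LOG = """\
2025-12-29T10:00:01Z src=10.0.0.9 user=alice result=FAIL
2025-12-29T10:00:07Z src=10.0.0.9 user=alice result=FAIL
2025-12-29T10:00:15Z src=10.0.0.9 user=alice result=SUCCESS
2025-12-29T10:01:00Z src=203.0.113.5 user=alice result=FAIL
2025-12-29T10:01:01Z src=203.0.113.5 user=bob result=FAIL
2025-12-29T10:01:02Z src=203.0.113.5 user=carol result=FAIL
2025-12-29T10:01:03Z src=203.0.113.5 user=dave result=FAIL
2025-12-29T10:01:04Z src=203.0.113.5 user=erin result=FAIL
2025-12-29T10:01:05Z src=203.0.113.5 user=frank result=SUCCESS
2025-12-29T11:30:00Z src=198.51.100.7 user=bob result=SUCCESS
"""


def parse_events(log_text):
    """Yield (timestamp, ip, user, result) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"]


def detect_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: {...}} for each source IP whose failures covered at least
    min_distinct_users distinct accounts inside any window-long stretch.

    One account failing repeatedly (a forgotten password) never trips this;
    many accounts failing from one IP is the stuffing / spraying signature.
    A success from that IP while it is over threshold is recorded as a
    likely compromised account.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_events(log_text):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        recent_failures = []  # (ts, user) failures inside the sliding window
        peak_distinct = 0
        compromised = set()
        for ts, user, result in events:
            recent_failures = [(t, u) for t, u in recent_failures if ts - t <= window]
            if result == "FAIL":
                recent_failures.append((ts, user))
                peak_distinct = max(peak_distinct, len({u for _, u in recent_failures}))
            elif len({u for _, u in recent_failures}) >= min_distinct_users:
                compromised.add(user)
        if peak_distinct >= min_distinct_users:
            findings[ip] = {
                "distinct_failed_users": peak_distinct,
                "likely_compromised": sorted(compromised),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_failed_users']} accounts failed, "
              f"then succeeded for {info['likely_compromised'] or 'none'}")
```

Tune the window and threshold to your own baseline; distributed stuffing spreads the attempts across many source IPs, so in practice you would also group by user-agent, ASN or the target account and alert on the ratio of failures to distinct accounts, not on one IP alone.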
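
Item 10's point is that exposed source code leaks API keys and backend endpoints. The following added example (not React's or Novacoast's code) is the check a security team can run over what a build actually ships: it scans a bundle for known key formats, for high-entropy strings assigned to secret-looking names, and for internal hostnames. The sample bundle text, the key patterns chosen and the entropy threshold are constructed assumptions; the AWS value is the example key from Amazon's own documentation, not a live credential.

```python
"""Scan a shipped frontend bundle for secrets and internal endpoints.

Added example for this digest; not React's or Novacoast's code. Patterns cover
a few well-known key formats plus a generic "secret-looking name assigned a
high-entropy string" check. SAMPLE_BUNDLE is constructed; the AWS value is the
example key from Amazon's own documentation, not a live credential.
"""
import math
import re
from collections import Counter

SAMPLE_BUNDLE = (
    'const API_BASE="https://api.internal.example/v2";'
    'const AWS_KEY="AKIAIOSFODNN7EXAMPLE";'
    'const s="sk_live_4eC39HqLyjWDarjtT1zdp7dc";'
    'const theme="light";const version="1.2.3";'
    'fetch(API_BASE+"/admin/users",{headers:{Authorization:"Bearer "+s}});'
)

# Known-format detectors: a hit here needs no entropy check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "internal_endpoint": re.compile(r"https?://[\w.-]*internal[\w./-]*"),
}

# Generic detector: an identifier containing key/secret/token/password assigned
# a quoted string of 16+ characters; the value must also look random.
GENERIC_ASSIGN = re.compile(
    r"\b\w*(?:key|secret|token|password)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']",
    re.IGNORECASE,
)


def shannon_entropy(value):
    """Bits of entropy per character; random keys score well above prose."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bundle(text, entropy_threshold=3.5):
    """Return a list of (finding_type, matched_value) pairs, known formats first."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((name, m.group(0)))
    seen = {value for _, value in findings}
    for m in GENERIC_ASSIGN.finditer(text):
        value = m.group(1)
        if value not in seen and shannon_entropy(value) >= entropy_threshold:
            findings.append(("high_entropy_assignment", value))
            seen.add(value)
    return findings


if __name__ == "__main__":
    for kind, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"{kind}: {value}")
```

Run it against the build output directory in CI and fail the pipeline on any finding; a key that is legitimately meant for the browser (a public, domain-restricted maps or analytics key) can be added to an allow-list, but anything matching a server-side format should be rotated, not just removed from the next build.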

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk, using multiple sources where available.

