By security practitioners, for security practitioners

Top 10 Cybersecurity News (Jan. 05, 2026): LastPass 2022 Breach Continues to Fuel Crypto Theft, Silk Typhoon Targeting U.S. Gov Entities, Fortinet Firewalls 2FA Bypass Exploitation, and More

WEEKLY TOP TEN: January 05, 2026, 16:00 GMT

  1. LastPass 2022 Breach Continues to Fuel Crypto Theft

    In a report released on January 2, 2026, blockchain investigators traced a new wave of high-value cryptocurrency thefts back to the 2022 LastPass data breach. Threat actors are successfully cracking encrypted vault backups stolen years ago, gaining access to private keys and seed phrases. The stolen funds are being laundered through Russian-based exchanges to evade international sanctions. This ongoing incident serves as a stark reminder for security professionals that the “tail” of a data breach can last years. Businesses should advise employees to rotate every credential that was stored in a LastPass vault before the 2022 incident, since those vault backups are still being cracked.
  2. RondoDox Botnet Exploiting Next.js React2Shell Flaw

    Security researchers identified a new campaign by the RondoDox botnet on December 31, 2025, targeting a critical vulnerability (CVE-2025-55182) known as “React2Shell.” This flaw allows for remote code execution on servers running specific versions of the Next.js framework. The botnet leverages the exploit to install persistent backdoors and cryptocurrency miners. For businesses relying on modern JavaScript stacks, this incident highlights the volatility of web framework security. Professionals should prioritize auditing their web application dependencies and ensuring that production environments are updated to the latest patched versions of Next.js to prevent unauthorized server takeover.
  3. Unleash Protocol $3.9M Hijack

    On December 31, 2025, the decentralized intellectual property platform Unleash Protocol suffered a $3.9 million loss due to a multisig hijack. Attackers executed an unauthorized contract upgrade, bypassing the protocol’s governance controls to drain assets directly. The incident appears to stem from a compromise of the private keys associated with the platform’s multi-signature wallet. This highlights the inherent risks posed by “admin-key” vulnerabilities in DeFi and decentralized organizations. For security professionals in the fintech space, this reinforces the need for hardware-based security modules and decentralized governance structures that a single point of failure cannot subvert.
  4. GlassWorm Malware Targets macOS Developers

    A new wave of the “GlassWorm” campaign was detected on January 1, 2026, specifically targeting macOS developers through malicious VSCode and OpenVSX extensions. These extensions deliver trojanized versions of popular cryptocurrency wallets, designed to exfiltrate seed phrases and session tokens. By targeting the development environment, attackers gain a foothold in the software supply chain. Businesses should implement strict extension whitelisting policies and use endpoint detection and response (EDR) tools that monitor suspicious child processes spawned by IDEs. This attack highlights the growing sophistication of threat actors targeting non-Windows platforms.
  5. Inotiv Pharma Ransomware Attack

    Inotiv, a pharmaceutical research firm, fell victim to a ransomware attack in late December 2025, resulting in the theft of data belonging to nearly 10,000 individuals. The attackers accessed internal systems to exfiltrate names, addresses, and Social Security numbers. This breach is particularly concerning given the sensitive nature of pharmaceutical R&D and the potential for long-term extortion. For security professionals, this case illustrates that even mid-sized specialized firms are high-value targets for ransomware cartels. Proactive measures such as regular penetration testing and network segmentation are critical to limiting the blast radius of such intrusions.
  6. DeadLock Ransomware BYOVD Campaign

    Cisco Talos released an analysis on December 29, 2025, detailing a new DeadLock ransomware campaign that utilizes a “Bring Your Own Vulnerable Driver” (BYOVD) loader. The attackers exploit a vulnerability in a Baidu Antivirus driver to gain kernel-level access and disable EDR defenses before deploying the ransomware. This technique effectively blinds security teams, making the attack nearly impossible to stop once the driver is loaded. Security professionals should monitor for unauthorized driver installations and use tools that block known vulnerable drivers from loading onto the system, regardless of their legitimate digital signatures.
  7. Petco Customer Data Misconfiguration

    Petco recently reported a data exposure incident caused by a software application misconfiguration. The error allowed unauthorized access to sensitive customer records without adequate restrictions. Data exposed included full names, Social Security numbers, driver’s license numbers, and financial account information for customers across several states, including California and Massachusetts. While the company has since resolved the configuration error, the incident emphasizes the danger of “shadow” or improperly tested software deployments. Security teams should implement automated configuration monitoring and data discovery tools to ensure sensitive PII does not reside in unprotected, internet-facing environments.
  8. Fortinet Firewalls 2FA Bypass Exploitation

    A report from January 2, 2026, revealed that over 10,000 internet-exposed Fortinet firewalls remain vulnerable to a legacy five-year-old two-factor authentication (2FA) bypass flaw. Despite patches being available for years, threat actors continue to scan for and exploit unpatched devices to gain initial access to corporate networks. This underscores the persistent “patching gap” that continues to plague enterprise security. Security professionals should immediately verify the firmware versions of all perimeter devices and ensure that legacy vulnerabilities are not left open, as they remain the primary targets for opportunistic attackers.
  9. ManageMyHealth Patient Portal Data Breach

    ManageMyHealth, New Zealand’s primary patient portal serving nearly 1.8 million users, disclosed a significant data breach following unauthorized access discovered on December 30, 2025. The incident affected approximately 126,000 users, or roughly 7% of its user base. While Health NZ confirmed its own systems remained secure, the breach at ManageMyHealth exposed sensitive patient interactions. The company is currently working with the Office of the Privacy Commissioner to determine the full scope of the PII leaked. This incident underscores the critical nature of securing third-party healthcare platforms that bridge the gap between patients and providers.
  10. Silk Typhoon Targeting U.S. Government Entities

    Intelligence reports from late December 2025 identified a targeted campaign by the Chinese state-sponsored group Silk Typhoon against the U.S. Congressional Budget Office. The attackers successfully exfiltrated internal emails, policy analyses, and economic forecasts. This state-sponsored activity highlights the continued focus of advanced persistent threats (APTs) on intellectual property and policy-related data. For businesses, this is a signal that any organization involved in government contracting or high-level economic research must fortify its defenses against sophisticated phishing and credential-stealing malware often deployed by these nation-state actors.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk, and were compiled from multiple sources where available.
