Google is now tracking at least five Chinese cyber-espionage groups that are exploiting the React2Shell vulnerability for initial access.

The groups are UNC6600, UNC6586, UNC6588, UNC6595, and UNC6603. This is up from two at the beginning.

cloud.google.com/blog/topics/t…

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

Widespread exploitation of the React2Shell vulnerability (CVE-2025-55182) by multiple threat actors, including China and cyber criminals.

^{Google Threat Intelligence Group (Google Cloud)}

A report on Weyhro C2, a new offensive toolkit advertised on underground forums.

The toolkit appears to be the work of the individual behind the (now-failed) Weyhro ransomware from March this year.

lumma-labs.com/weyhro-c2-becau…

SABATO 20 DICEMBRE 2025 ORE 20:45 IL CORO LA PIEVE PRESENΤΑ NELLA PIEVE ROMANICA DI SAN FLORIANO IL CONCERTO di NATALE

AL TERMINE MOMENTO CONVIVIALE CON SCAMBIO DI AUGURI

E c'è anche @matz @matteo che dirige

agcverona.it/eventi/concerto-d…

@verona

An activist was charged with destruction of evidence after resetting his phone to factory settings

techspot.com/news/110560-man-a…

RE: techhub.social/@Techmeme/11571…

This is another unneeded action from the Trump administration and is just another way for defence contractors to siphon money from the US govt at inflated prices

Techmeme

2025-12-13 15:30:52

Sources: The Trump administration is drafting a new cyber strategy that would enlist private companies to mount offensive cyberattacks on foreign adversaries (Jamie Tarabay/Bloomberg)

bloomberg.com/news/articles/20…
techmeme.com/251213/p9#a251213…

Sources: The Trump administration is drafting a new cyber strategy that would enlist private companies to mount offensive cyberattacks on foreign adversaries

By Jamie Tarabay / Bloomberg. View the full context on Techmeme.

^Techmeme

The Dutch NCSC on the Notepad++ update hijack attacks:

"Currently, as far as is known, only organizations with interests in East Asia are victims of targeted attacks"

cc: @GossiTheDog

ncsc.nl/actueel/nieuws/2025/12…

Kwetsbaarheid Notepad ++

Er is een kwetsbaarheid in Notepad++ gevonden waarmee het mogelijk is om malafide updates naar gebruikers te pushen. Momenteel zijn voor zover bekend uitsluitend organisaties met belangen in Oost-Azië slachtoffer van gerichte aanvallen.

^www.ncsc.nl

Can you please correct the naming of your Fedidevs.com starter packs?

@filippodb @amministratore dear Mastodon.uno administrators,
I've noticed that some starter packs you've uploaded to the site have incorrect descriptions: they almost seem designed to promote ONLY USERS of your instance, while ignoring all other instances in the #fediverse. In fact, they were all created by service accounts on the mastodon.uno instance.

This seems understandable, but I think it's urgent to rename the descriptions of those starter packs to specify that they are exclusively for users of your instance, otherwise they could mislead other users.

The starter packs in question are as follows:

• Satira vignette e meme (created by the @satira account, a mastodon.uno service account)
• Retrogames (created by the @kickoffworld account, a mastodon.uno service account)
• Profili Free Open Source su Mastodon on Mastodon (created by the @opensource account, a mastodon.uno service account)
• Ambiente Mobilità sostenibile e giustizia climatica (created by the @ambiente account, a mastodon.uno service account)
• Fedilug Account Linux Italiani Account Italian Linux Accounts (created by the @linux account, a mastodon.uno service account)
• Sicurezza digitale (created by the @sicurezza account, a Mastodon.uno service account)
• Fediverso e Social network (created by the @socialnetwork account, a Mastodon.uno service account)

I repeat: it's right to advertise to your users, but it's important to explain that it's self-promotional advertising. For example, the Mastodon UNO & Official Devol Accounts starter pack clearly specifies that it refers to the users of your instance.

This is out of respect for all Italian users of the Fediverse and for the developers who created and made the fantastic Fedidevs resource available for free.

Thank you for your attention and have a good evening

@anze3db @fedidevs

"Germany has accused Russia of a cyber-attack on air traffic control and attempted electoral interference, and summoned the Russian ambassador. "

bbc.com/news/articles/cvgrrnyl…

Germany accuses Russia of 2024 cyber attack and election disinformation campaign

The Russian ambassador is summoned over a cyber attack on air traffic control and attempted electoral interference.

^{Bethany Bell (BBC News)}

-EU has a problem attracting and retaining cyber talent
-Coupang CEO resigns following breach
-NoName057 and CARR member charged in the US
-Chrome and Gogs zero-days
-UK sanctions Chinese hacking firms
-Coupang hacker was a cyber employee
-Petco takes down leaky Vetco site
-UK fines LastPass over breach
-Ransomware at HSE Ireland, again
-Russia denies military registry hack
-New PowerShell security feature

Newsletter: news.risky.biz/risky-bulletin-…
Podcast: risky.biz/RBNEWS507/

MITRE has published the list of Top 25 most common software vulnerabilities of 2025, also known as the CWE Top 25

cwe.mitre.org/top25/archive/20…

Looks like Notepad++ has fixed its update system: community.notepad-plus-plus.or…

This is after reports that users received malicious Notepad++ updates containing malware: doublepulsar.com/small-numbers…

Notepad++ v8.8.9: Vulnerability-fix

Notepad++ release 8.8.9 is available: https://notepad-plus-plus.org/news/v889-released/ Notepad++ v8.8.9 new security enhancement, new features, regression f...

^Community

Some phishers have taken inspiration from Russian cyber-espionage group UTA0355 and are using a technique that tricks users into sharing their OAuth material in a web page (UAT0355 did it via email replies)

pushsecurity.com/blog/consentf…

Google is rolling out a new feature for Android users that will let them share live video with emergency services.

The new feature is being rolled out in the US and some regions in Mexico and Germany.

It will be available for Android 8 (2017) devices or higher

blog.google/products/android/e…

Share live video with emergency services to get the help you need

During an emergency call or text, a dispatcher can send a request to your Android phone to share live video.

^{Alastair Breeze (Google)}

RE: mastodon.social/@campuscodi/11…

More research of this type

Intruder found 43k secrets across 5 million single-page apps: businesswire.com/news/home/202…

Bitsight has found more than 1,000 MCP servers exposed on the internet with no authorization in place and exposing sensitive data: bitsight.com/blog/exposed-mcp-…

It’s 2 AM. Do You Know Which AIs Your MCP Server Is Talking To?

Bitsight TRACE research team found roughly 1,000 exposed MCP servers with no authorization in place, revealing new AI vulnerabilities. Read the report now.

^{João Cruz (BitSight)}

Catalin Cimpanu

2025-12-11 11:10:59

Security firm Flare has scanned the Docker Hub portal and found secrets and tokens, including for production systems, in more than 10,000 images

flare.io/learn/resources/docke…

Thousands of Exposed Secrets Found on Docker Hub - Flare

In a month, we found Docker Hub images that contained leaked secrets (including live credentials to production systems) from over 100 companies.

^Flare

CA/B Forum to sunset 11 domain validation methods used to issue TLS certificates

security.googleblog.com/2025/1…

UK ICO fines LastPass £1.2m for 2022 data breach

ico.org.uk/about-the-ico/media…

Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

^ico.org.uk

Looks like Twitter finally took down the NoName057 account after yesterday's indictment

x.com/Safety/status/1998528342…

SOAPwn -- new bugs that can lead to RCE in .NET apps

Vulnerable applications include the Umbraco CMS, Barracuda's Service Center, the Ivanti Endpoint Manager, and more

Microsoft did not fix them

labs.watchtowr.com/soapwn-pwni…

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee.

^{Piotr Bazydlo (@chudyPB) (watchTowr Labs)}

Dutch prosecutors are seeking an eight-month prison sentence for a man who launched DDoS attacks against the country's 112 emergency line.

The suspect allegedly tried to frame some business partners for the attack

om.nl/actueel/nieuws/2025/12/1…

Zakelijk conflict leidt tot DDoS-aanval 112-centrale: celstraf geëist

Het Landelijk Parket (LP) van het Openbaar Ministerie (OM) heeft woensdag een onvoorwaardelijke gevangenisstraf van acht maanden en een geldboete geëist tegen een 47-jarige man uit Delft.

^www.om.nl

There's this image on social media about how most of the Red Bull team that helped Verstappen win his titles are now gone... but few people posting this remember this drama started from the Verstappens.

This is the definition of shooting yourself in the nuts. You should have 0 sympathy for him

The Paxful cryptocurrency exchange has pleaded guilty to laundering crypto-assets linked to scams, fraud, and extortions

Will pay a $4mil fine only

justice.gov/opa/pr/virtual-ass…

Virtual Asset Trading Platform Pleads Guilty to Violating the Travel Act and Other Federal Criminal Charges

Paxful Holdings Inc., an online virtual currency trading platform, agreed to plead guilty yesterday to a three-count information filed in the Eastern District of California and agreed to pay a criminal penalty of $4 million based on its ability to pa…

^{www.justice.gov}

This constant stream of malicious VSCode extensions won't end anytime soon....

This batch hid its payload, a Rust-based trojan, as PNG files inside the dependencies folder

reversinglabs.com/blog/malicio…

VS Code extensions contain trojan-laden fake image | ReversingLabs

RL researchers have identified 19 malicious extensions on the VS Code Marketplace — the majority containing a malicious file posing as a PNG.

^{ReversingLabs}

A popular reverse proxy and ingress controller shipped misconfigured versions for the past five months.

The Traefik setting that enabled TLS verification was actually disabling it across the board.

aisle.com/blog/cve-2025-66491-…

CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off

Learn how CVE-2025-66491 exposed a critical TLS verification flaw in Traefik, where "Verify=On" accidentally disabled security for 5 months.

^AISLE

Pffff... the Coupang insider, who allegedly stole the company's data, was apparently a cybersecurity employee

koreajoongangdaily.joins.com/n…

Alleged Coupang data leaker had only worked at company for two years, say police

The former Coupang employee accused of leaking 33.7 million customer data had worked at the company for just two years, according to police on Thursday.

^{Korea JoongAng Daily}

Security firm Flare has scanned the Docker Hub portal and found secrets and tokens, including for production systems, in more than 10,000 images

flare.io/learn/resources/docke…

Thousands of Exposed Secrets Found on Docker Hub - Flare

In a month, we found Docker Hub images that contained leaked secrets (including live credentials to production systems) from over 100 companies.

^Flare