Critical n8n Vulnerability (CVE-2025-68613): 9.9 CVSS Authenticated Remote Code Execution Risk and Mitigation Steps
Executive Summary: A critical vulnerability has been identified in the n8n open-source workflow automation platform, tracked as CVE-2025-68613 and assigned a CVSS score of 9.9. This flaw allows authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. The impact of this vulnerability is severe, as it can lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement within affec
2 days ago · 4 min read


UAC-0184 Exploits Viber for Spearphishing Ukrainian Military and Government with Remcos RAT and Hijack Loader
Executive Summary: A Russia-aligned threat actor, tracked as UAC-0184 (also known as Hive0156), has been observed orchestrating a sophisticated cyber-espionage campaign targeting Ukrainian military and government entities. This operation leverages the Viber messaging platform as a delivery channel for malicious payloads, marking a significant evolution in adversarial tactics away from traditional email-based phishing. The attackers distribute weaponized ZIP archives contain
2 days ago · 4 min read


Ledger.com Customer Data Exposed in Global-e API Breach: Technical Analysis and Mitigation Recommendations
Executive Summary: On January 5, 2026, Ledger disclosed that a subset of its customers’ personal data was exposed due to a breach at its third-party payment processor, Global-e. The incident was caused by unauthorized access to a Global-e cloud-based information system, facilitated by a misconfigured API key on the Ledger website. The exposed data includes customer names, email addresses, postal addresses, and phone numbers for those who made purchases on Ledger.com using
2 days ago · 4 min read


Zestix/Sentap Cybercrime Campaign Targets ShareFile, Nextcloud, and OwnCloud via Stolen Credentials: Widespread Data Breaches in 2024-2026
Executive Summary: As of January 5, 2026, a coordinated cybercrime campaign attributed to the Zestix (also known as Sentap) group has resulted in significant data breaches across multiple sectors by targeting cloud file-sharing platforms. Attackers leveraged credentials stolen via info-stealer malware, such as RedLine, Lumma, and Vidar, to access corporate accounts on platforms including ShareFile, Nextcloud, and OwnCloud. The breaches were not the result of software v
2 days ago · 6 min read


Kimwolf Android Botnet: Massive Infection of Smart TVs, IoT Devices, and TV Boxes via Exposed ADB and Residential Proxy Networks
Executive Summary: The Kimwolf Android botnet represents a significant escalation in the threat landscape for Android-based devices, having infected over 2 million endpoints globally by exploiting exposed Android Debug Bridge (ADB) interfaces and leveraging residential proxy networks. This campaign, first identified by QiAnXin XLab and corroborated by multiple security research teams, demonstrates a sophisticated blend of large-scale automated exploitation, advanced evasion
2 days ago · 5 min read


MongoDB 'MongoBleed' Vulnerability (CVE-2025-14847): Critical Memory Leak Bug Under Active Exploitation – Patch Your Databases Now
Executive Summary: The MongoBleed vulnerability, officially tracked as CVE-2025-14847, represents a critical, actively exploited memory disclosure flaw in the MongoDB Server’s implementation of zlib-compressed network protocol headers. This vulnerability enables unauthenticated, remote attackers to extract arbitrary fragments of server memory, including highly sensitive data such as database credentials, API keys, cloud provider secrets, and potentially personally identifia
2 days ago · 5 min read


ClickFix Attack Exploits Fake Windows BSOD Screens to Deliver Malware on Windows Systems
Executive Summary: The ClickFix attack represents a significant escalation in social engineering and malware delivery tactics, leveraging highly convincing fake Windows Blue Screen of Death (BSOD) and Windows Update screens to coerce users into executing malicious commands. This campaign, also known as JackFix, is distributed primarily through fake adult websites and malvertising, and is characterized by advanced obfuscation, multi-stage payload delivery, and the simultane
2 days ago · 5 min read


Resecurity Honeypot Incident: Analysis of Scattered Lapsus$ Hunters’ Claimed Breach and Threat Intelligence Effectiveness
Executive Summary: On January 3, 2026, multiple threat actors, self-identified as Scattered Lapsus$ Hunters (SLH), publicly claimed to have breached the systems of cybersecurity firm Resecurity and exfiltrated sensitive internal data. The attackers released screenshots on Telegram, purporting to show access to employee data, internal communications, threat intelligence reports, and client information. However, Resecurity responded with a detailed statement and technical evi
4 days ago · 5 min read


Transparent Tribe (APT36) Deploys Advanced RAT Attacks Targeting Indian Government and Academic Institutions via LNK and HTA Malware
Executive Summary: Transparent Tribe (also known as APT36), a persistent and highly adaptive state-sponsored threat actor, has initiated a sophisticated campaign targeting Indian government and academic institutions with new Remote Access Trojan (RAT) attacks. This campaign is characterized by the use of advanced spear-phishing techniques, weaponized Windows shortcut (LNK) files, and custom malware payloads designed for stealth, persistence, and data exfiltration. The att
4 days ago · 4 min read


Google Cloud Application Integration Exploited in Sophisticated Multi-Stage Phishing Campaign Targeting Microsoft 365 Credentials
Executive Summary: A newly identified, highly sophisticated phishing campaign is actively exploiting the Google Cloud Application Integration email feature to deliver multi-stage phishing attacks. Cybercriminals are leveraging the trusted Google infrastructure to send phishing emails from legitimate Google domains, effectively bypassing traditional email security controls such as SPF, DKIM, and DMARC. The campaign employs a multi-stage redirection chain, utilizing both Goog
4 days ago · 5 min read


Covenant Health Qilin Ransomware Breach: Technical Analysis of 2025 Attack Impacting 478,188 Patient Records
Executive Summary: On May 26, 2025, Covenant Health detected unauthorized activity within its IT environment, later attributed to the Qilin ransomware group. The breach, which began on May 18, 2025, resulted in the compromise of sensitive data belonging to nearly 478,188 patients across multiple facilities. Exposed information included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment details, and health insurance information. The Q
4 days ago · 5 min read


Kimwolf Botnet: Massive Android TV Box and IoT Malware Threat Exploiting Global Networks
Executive Summary: The Kimwolf botnet represents a critical and rapidly evolving threat to enterprise and consumer networks worldwide. This Android-based malware ecosystem has infected over 1.8 million devices, with a focus on Android TV boxes, digital photo frames, and other IoT devices that are often shipped with weak security controls or pre-installed malicious software. Kimwolf leverages residential proxy networks to bypass traditional perimeter defenses, enabling atta
4 days ago · 5 min read


Shai-Hulud 2.0 npm Supply Chain Attack Exposes Trust Wallet: $8.5 Million Stolen in Major Cloud-Native Breach
Executive Summary: The Shai-Hulud 2.0 supply chain attack represents a critical escalation in cloud-native ecosystem threats, leveraging malicious modifications to hundreds of widely used npm packages to compromise developer environments, CI/CD pipelines, and cloud-connected workloads. Attackers exploited the npm package supply chain by injecting malicious scripts into the preinstall phase, enabling credential harvesting and exfiltration before security controls could interv
Dec 31, 2025 · 5 min read


Critical Vulnerability in IBM API Connect (CVE-2025-13915) Enables Remote Authentication Bypass and Unauthorized Access
Executive Summary: IBM has issued a critical security advisory regarding a severe vulnerability in its API Connect platform, identified as CVE-2025-13915. This vulnerability enables remote, unauthenticated attackers to bypass authentication controls, granting them unauthorized access to sensitive management interfaces and APIs. With a CVSS v3.1 base score of 9.8 (Critical), this flaw represents a significant risk to organizations leveraging IBM API Connect for API managem
Dec 31, 2025 · 5 min read


RondoDox Botnet Actively Exploits React2Shell Vulnerability (CVE-2025-55182) in Next.js and React Server Components
Executive Summary: The RondoDox botnet has rapidly emerged as a significant threat to organizations leveraging Next.js and React Server Components, exploiting the critical React2Shell vulnerability (CVE-2025-55182). This pre-authentication remote code execution (RCE) flaw enables unauthenticated attackers to execute arbitrary code on vulnerable servers via a single HTTP request. Since early December 2025, threat actors have orchestrated large-scale, automated exploitation
Dec 31, 2025 · 5 min read


Critical CVE-2025-13915 Authentication Bypass Vulnerability in IBM API Connect: Impact, Exploitation, and Mitigation Guidance
Executive Summary: IBM has issued a critical security advisory regarding a severe authentication bypass vulnerability in IBM API Connect, identified as CVE-2025-13915. This vulnerability enables remote, unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. With a CVSS v3.1 base score of 9.8 (Critical), this flaw poses a significant risk to organizations leveraging IBM API Connect for enterprise
Dec 31, 2025 · 4 min read


European Space Agency JIRA and Bitbucket Breach: Hacker Claims 200GB Data Theft from External Servers
Executive Summary: The European Space Agency (ESA) has confirmed a cybersecurity breach affecting a small number of external servers used for collaborative engineering activities. The incident, first reported on December 26, 2025, and publicly acknowledged by ESA on December 29 and 30, 2025, involved unauthorized access to servers outside the core ESA corporate network. The threat actor, using the alias “888,” claims to have exfiltrated over 200GB of data, including source co
Dec 31, 2025 · 7 min read


ErrTraffic: How ClickFix Attacks Exploit Fake Browser Glitches to Compromise WordPress, Joomla, and cPanel Systems
Executive Summary: The emergence of the ErrTraffic service marks a significant escalation in the industrialization of ClickFix attacks, leveraging fake browser glitches to deceive users into executing malicious commands. This report provides a comprehensive analysis of the technical, security, and supply chain implications of ErrTraffic, synthesizing findings from authoritative sources including BleepingComputer, InfoStealers, and the Microsoft Security Blog. The report
Dec 31, 2025 · 5 min read


Korean Air Employee Data Breach Clop Ransomware Supply Chain Attack Report
Executive Summary: On December 29, 2025, Korean Air disclosed a significant data breach affecting approximately 30,000 employee records, including names and bank account numbers. The breach originated from a cyberattack on KC&D Service, a former in-flight catering subsidiary of Korean Air that was sold to private equity firm Hahn & Company in 2020. According to official statements, no customer data was compromised, and the incident was limited to employee information. Kore
Dec 29, 2025 · 5 min read


WIRED Database Breach: Over 2.3 Million Subscriber Records Leaked in Condé Nast Cyberattack
Executive Summary: A threat actor using the alias Lovely has publicly leaked a database containing over 2.3 million subscriber records from WIRED, a publication owned by Condé Nast. The leak, first posted on December 20, 2025, includes sensitive personal information such as email addresses, names, physical addresses, phone numbers, and account activity data. The threat actor claims this is only the initial release, with up to 40 million additional records from other Condé N
Dec 29, 2025 · 6 min read