Apple patched two bugs hackers were already using. New updates fix active attacks across iPhone, iPad, Mac, Safari, Watch, TV, and Vision Pro.

⚠️ One bug lets attackers run code from bad web pages.
⚠️ Another breaks memory.
🌐 All iPhone and iPad browsers were affected.
🕵️ Apple says the attacks were highly targeted.

This is Apple’s 9th zero-day fix in 2025.

🔗 Update now — read here ↓ https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html

🖥️⚠️ A six-year-old router flaw is being used right now.

U.S. cyber officials warn that hackers are actively attacking Sierra Wireless AirLink routers. The bug lets attackers upload a bad file and take full control of the device.

🔗 Read → https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html

🚨 Poland Police detained three Ukrainian nationals after finding hacking 💻 and spying tools in their car.

Authorities say the gear could be used to attack key IT and telecom 📡 systems tied to national defense.

Charges include fraud and computer-related crimes.

🔗 Read: https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html#vaas-crackdown-nets-193-arrests

⚠️ Notepad++ fixes a bug that was actively abused.

Notepad++ released version 8.8.9 to patch a critical updater flaw. Attackers hijacked update traffic and tricked users into installing malware instead of real updates.

🔗 Read: https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html#update-closes-hijack-flaw

🤦 Hackers built #ransomware — then left the key behind.

CyberVolk’s new VolkLocker targets 💻 Windows and 🐧 Linux.

The flaw? the lock key is hard-coded and saved as a plain file on the system.

Files can be unlocked for free — but after 48 hours, it can wipe 🗑️ personal folders.

🔗 Read: https://thehackernews.com/2025/12/volklocker-ransomware-exposed-by-hard.html

🚨 Active phishing attacks in Russia spread Phantom Stealer.

Fake bank transfer emails use ISO attachments. The malware steals browser data, crypto wallets, passwords, and files, then sends them out via Telegram or Discord.

Finance, payroll, accounting, and legal teams are the main targets.

🔗 Read: https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html

⚡ Your SaaS wasn’t hacked. It was impersonated via the browser.

Attackers ran clean, verified Chrome and Edge extensions for years. Millions of installs. One silent update flipped them into spyware.

Not a device attack. Not a cloud breach. Both at once. The browser sat in the middle, unseen, holding the keys.

🔗 Learn more: https://thehackernews.com/2025/12/a-browser-extension-risk-guide-after.html

Sensitive data is everywhere: SaaS, cloud, AI pipelines, and most teams can’t see it.

That’s why DSPM is becoming a top security priority for 2026.

Next-gen DSPM goes beyond visibility→ real-time context, automation, and AI-aware protection.

Learn more: https://thn.news/dspm-top-tools

FreePBX’s worst flaw isn’t a bug — it’s a legacy setting.

If AUTHTYPE is set to webserver, attackers can fake a login header and get admin access. From there, they can add their own user and run code on the system.

Default configs are safe. Old tweaks aren’t.

🔗 Read: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html

🚨 WARNING: A “Featured” Chrome extension was silently copying everything users typed into ChatGPT and other AI tools.

Prompts. Responses. Sent off-device by default after an auto-update.

It even warned users about sharing sensitive info, while exporting the full chats itself.

🔗 Read: https://thehackernews.com/2025/12/featured-chrome-browser-extension.html

🔐 Google is shutting down its dark web monitoring tool less than two years after launch.

Google admitted the tool surfaced breached data but didn’t give people clear next steps. Alerts without action paths don’t change outcomes.

🔗 Read here: https://thehackernews.com/2025/12/google-to-shut-down-dark-web-monitoring.html

Attackers are abusing React2Shell to plant Linux backdoors like KSwapDoor and ZnDoor.

This hits orgs that left React and Next.js servers unpatched.

Microsoft saw reverse shells, Cobalt Strike, and stolen cloud tokens tied to CVE-2025-55182, and Shadowserver tracks over 111,000 exposed IPs.

🔗 Details → https://thehackernews.com/2025/12/react2shell-vulnerability-actively.html

🚨 Fortinet FortiGate devices are under active attack via SSO authentication bypass flaws.

CVE-2025-59718 and CVE-2025-59719 both have CVSS scores of 9.8 and exploit the FortiCloud SSO feature.

Disable FortiCloud SSO until systems are fully updated.

🔗 Details → https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html

⚠️ Most privacy risks aren't malicious.
It’s accidental.

A log statement. A helper function. An AI SDK someone added on Friday.

If you only look in production, you’re blind by design.

Read more → https://thehackernews.com/2025/12/why-data-security-and-privacy-need-to.html

⚡ Amazon confirms a Russian GRU unit hacked Western energy and infrastructure networks for years.

The threat wasn’t malware, it was silent credential theft from live traffic.

From 2021–2025, APT44 relied less on zero-days and more on exposed routers and VPN gateways.

🔗 Read → https://thehackernews.com/2025/12/amazon-exposes-years-long-gru-cyber.html

💰 A fake NuGet package stole crypto wallets for more than five years.

It copied a popular .NET tracing library and hid as a normal dependency. One extra letter in the author name led to about 2,000 downloads since 2020.

It exfiltrated Stratis wallet JSON files and passwords to a Russian IP.

🔗 Read: https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html

🛑 Amazon flagged a new AWS crypto-mining campaign using custom persistence techniques.

Attackers validate permissions with DryRun, deploy miners across ECS and EC2, then enable instance termination protection to block cleanup.

🔗 Learn more: https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html

Researchers uncover GhostPoster malware hidden in 17 Firefox add-ons with 50,000+ downloads.

Disguised as VPNs, translators, and ad blockers. 50k+ installs.

JavaScript was hidden inside logo images, activated after days, then hijacked links, tracked browsing, and ran ad fraud.

🔗 Read here → https://thehackernews.com/2025/12/ghostposter-malware-found-in-17-firefox.html

🛡️ Ink Dragon, a China-aligned hacking group, is focusing on European government targets while staying active in Asia and South America.

It exploits SharePoint and IIS flaws to drop web shells and maintain long-term access using ShadowPad and FINALDRAFT malware.

🔗 Learn more → https://thehackernews.com/2025/12/china-linked-ink-dragon-hacks.html

Most SOCs still respond after attackers move. That delay costs time and raises breach risk.

ANYRUN says proactive teams use live threat intelligence to see campaigns forming, not just alerts firing. Industry and geo context helps analysts focus on threats that actually matter.

🔗 How SOCs move from reactive to proactive → https://thehackernews.com/2025/12/fix-soc-blind-spots-see-threats-to-your.html

Kaspersky linked a new phishing wave to Operation ForumTroll.

The Russia-focused APT shifted from organizations to individual academics, using fake eLibrary emails and personalized downloads to deploy a remote-access framework on Windows systems.

🔗 Find how the attack chain worked → https://thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html