Information Security News – 12/8/2025


ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs into Spyware

Article link: https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html

  • The threat actor tracked as ShadyPanda ran a multiyear campaign built on Chrome and Edge browser extensions that together amassed more than 4.3 million installs. The extensions were published as legitimate, verified software and only later updated with attacker-controlled JavaScript that harvests browsing history, browser fingerprints, and user activity.
  • The campaign shows how fragile trust in extension stores is when malicious code arrives through a routine update: an extension that was benign and verified at review time gives no store-level signal when a later version turns into spyware, which makes covert surveillance hard to distinguish from legitimate behavior.
  • The article traces the shift over time from affiliate fraud to full browser control, showing how attacker tradecraft evolved and how monetization and data theft went hand in hand. The use of dynamic subdomains and hourly fetching and execution of remote code also defeats static review and signature-based detection.
  • Users are advised to keep their browsers and extensions current, but enterprise admins must strengthen extension review, enforce extension allowlists and blocklists, and adopt controls that flag behavioral changes in extension updates, since those gaps have now proven exploitable at scale.

University of Pennsylvania Joins Victims of Clop’s Oracle EBS Raid

Article link: https://www.theregister.com/2025/12/02/clop_university_of_pennsylvania/

  • The University of Pennsylvania joined the growing list of organizations compromised through Clop’s exploitation of an Oracle E-Business Suite zero-day. Attackers accessed data tied to procurement and financial operations, prompting notification to 1,488 residents in Maine and an ongoing investigation.
  • The case reflects a broader pattern in which a single enterprise platform vulnerability creates ripple effects across numerous institutions, especially those that depend on the same financial processing systems. The redaction of affected data categories adds to uncertainty around the scope.
  • Security experts view Clop’s campaign as one of the largest industrial-scale exploitation events this year, capitalizing on unpatched environments before Oracle released fixes. The group’s history of leaking samples lends weight to concerns about potential downstream misuse.
  • Higher education institutions in particular need to strengthen patching governance and vendor oversight for ERP and financial platforms such as Oracle EBS, since these systems hold sensitive financial records and have become high-value targets.

Beazley Steps Back from Cyber Coverage as Attacks and Claims Rise

Article link: https://paymentweek.com/beazley-steps-back-from-cyber-coverage/

  • Beazley is deliberately reducing its cyber insurance exposure after a rise in costly ransomware claims coincided with falling premium rates. Despite strong market demand, the insurer reported an 8% decline in cyber gross written premiums and highlighted concerns about long-term profitability.
  • This retreat reflects ongoing tension in the cyber insurance market, where escalating attack severity and frequency strain underwriting models. The disconnect between rising claims and declining prices illustrates competitive pressures that challenge sustainable coverage.
  • Industry observers view Beazley’s shift as a cautious recalibration rather than a withdrawal, in contrast to peers such as Chubb and AIG, which are maintaining or expanding their portfolios despite the volatility. Concerns about AI-related risks and supply-chain exposure further complicate actuarial modeling.
  • Businesses should expect stricter underwriting, higher scrutiny of controls, and potential pricing shifts in 2026 as carriers adapt their strategies to the realities of cyber risk economics.

Google Expands Android Scam Protection Feature to Chase, Cash App in U.S.

Article link: https://www.bleepingcomputer.com/news/security/google-expands-android-scam-protection-feature-to-chase-cash-app-in-us/

  • Google expanded its in-call scam protection feature to major U.S. financial apps, including Cash App and JPMorgan Chase, after earlier pilots in the U.K., Brazil, and India. The feature warns users who open a participating financial app while on a call with an unknown number and imposes a mandatory 30-second pause before they can proceed.
  • The capability aims to interrupt impersonation scams in which attackers pressure victims to screen-share or transfer funds. The 30-second pause is designed to break the urgency that drives such manipulation, a common tactic in high-pressure financial fraud.
  • Researchers view this as an example of platform-level safety design that disrupts social engineering by altering user behavior rather than attempting to detect all malicious calls. Tying alerts to app launches helps contextualize risk in real time.
  • Financial institutions and mobile security teams will likely be watching the results of the U.S. rollout to gauge whether such interventions meaningfully reduce mobile-based fraud and inform future in-platform protections.

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

Article link: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html

  • A maximum-severity flaw in React Server Components, tracked as CVE-2025-55182 (CVSS: 10.0), enables unauthenticated remote code execution through unsafe deserialization in the React Flight protocol. The issue affects several React server-side packages and multiple versions of Next.js.
  • Because an attacker needs only to send a crafted HTTP request to a vulnerable endpoint, the exposure introduces significant risk across cloud environments that rely on modern JavaScript frameworks, and it extends to any ecosystem that embeds RSC functionality.
  • Security analysts emphasize that the flaw turns trusted server-side structures into execution paths for attacker-supplied code, creating a “master key” effect across web applications. Cloud providers responded quickly by deploying WAF rules to filter malicious payloads, which is a stopgap that reduces exposure but does not replace upgrading the affected packages.
  • Development teams must prioritize patching and monitor for abnormal HTTP traffic to RSC endpoints, recognizing that a vulnerability in a framework’s default configuration magnifies the attack surface and complicates remediation across distributed architectures.
  • Link to NVD’s CVE Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55182

CISA Issues New Guidance for Secure AI Deployment in Critical Operational Technology (OT) Systems

Article link: https://cybernews.com/security/cisa-ai-operational-technology-critical-infrastructure-risk

  • CISA and allied cybersecurity agencies published the first joint framework for secure AI integration into operational technology. It sets out four core principles: understand the unique risks and potential impacts of AI; consider whether and how AI should be used in OT; establish AI governance and assurance frameworks; and embed safety and security practices into AI and AI-enabled OT systems.
  • The guidance acknowledges that AI is rapidly entering critical infrastructure, where safety and availability demands differ sharply from traditional IT settings. OT environments require deterministic behavior, human oversight, and reliable fallback options to prevent cascading failures.
  • Floris Dankaart, Lead Detection and Response Product Manager at NCC Group, notes that the coordinated release signals a rare level of global alignment and reinforces how important it is to get AI guidance on critical OT systems correct.
  • CISA aims to give owners and operators much-needed insight into adapting AI governance, monitoring, and lifecycle controls to their environments, recognizing, as the guide states, that continuous validation and manual override capabilities remain essential for safe deployment.
  • Link to CISA’s Publication: https://media.defense.gov/2025/Dec/03/2003834257/-1/-1/0/JOINT_GUIDANCE_PRINCIPLES_FOR_THE_SECURE_INTEGRATION_OF_AI_IN_OT.PDF

Windows Shortcuts’ Use as a Vector for Malware May be Cut Short

Article link: https://www.csoonline.com/article/4101085/windows-shortcuts-use-as-a-vector-for-malware-may-be-cut-short.html

  • A longstanding weakness in Windows LNK shortcut files, where attackers could hide malicious arguments beyond the character limit visible in the shortcut’s Target field, has been partially addressed by Microsoft and, purportedly more comprehensively, by the third-party patching provider 0patch. Both now expose the previously concealed portion of the command line.
  • Because LNK files remain a common delivery vector for malicious scripts, exposing the full Target field reduces the opportunity to slip a hidden payload past a user who inspects the shortcut. Microsoft framed its fix as a functional change rather than a vulnerability correction.
  • 0patch claims that Microsoft’s update improves visibility but does not block execution of lengthy malicious commands, whereas 0patch’s solution, available for Windows versions 7 through 11 22H2 and Windows Server from 2008 R2 through 2022, truncates suspicious entries to 260 characters and alerts users.
  • Organizations monitoring this change will be watching how endpoint tools adapt, as preventing execution rather than relying on user scrutiny is likely to produce stronger long-term protection.
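
The visibility gap described above, shown as an added example that is not code from the article, Microsoft or 0patch: a Python parser following the MS-SHLLINK file layout that extracts a shortcut’s COMMAND_LINE_ARGUMENTS string and flags arguments that exceed the 260-character Target box or contain long whitespace runs. The 260-character figure is the limit the article cites; the 32-character padding threshold, the `build_lnk` helper and the sample shortcuts it constructs are assumptions made for the example.

```python
"""Parse the COMMAND_LINE_ARGUMENTS string out of a Windows shell link (.lnk)
and flag arguments that Explorer's Target box would not fully display.
Layout follows MS-SHLLINK: a 76-byte header, optional LinkTargetIDList and
LinkInfo blocks, then up to five length-prefixed StringData items in fixed order."""
import re
import struct
import sys
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# LinkFlags bits 0-7 (MS-SHLLINK 2.1.1), in bit order.
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = [1 << i for i in range(8)]
# StringData items appear in this order, each only when its flag is set.
STRING_ITEMS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                (HAS_ICON, "icon_location"))
TARGET_BOX_LIMIT = 260   # characters shown in Explorer's Target field (the limit the article cites)
PADDING_RUN = 32         # assumption: this many consecutive whitespace chars counts as padding


def parse_lnk(data: bytes) -> dict:
    """Return the StringData items (name, working_dir, arguments, ...) of a .lnk."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                 # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize (u32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1  # UTF-16LE code units or ANSI bytes per character
    items = {}
    for bit, name in STRING_ITEMS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        items[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return items


def suspicious_arguments(args: str) -> list:
    """Heuristics for arguments crafted to keep their real content out of the Target box."""
    reasons = []
    if len(args) > TARGET_BOX_LIMIT:
        reasons.append(f"{len(args)} characters of arguments exceed the "
                       f"{TARGET_BOX_LIMIT}-character Target box")
    if re.search(r"\s{%d,}" % PADDING_RUN, args):
        reasons.append("long whitespace run inside the arguments, typical of padding "
                       "that pushes the real command past the visible limit")
    return reasons


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and return its arguments together with any findings."""
    items = parse_lnk(data)
    args = items.get("arguments", "")
    return {"arguments": args, "findings": suspicious_arguments(args)}


def build_lnk(arguments: str, working_dir: str = "C:\\Windows\\System32") -> bytes:
    """Constructed sample (assumption, not a real shortcut): a minimal Unicode .lnk
    with an empty IDList, a working directory and command-line arguments."""
    flags = HAS_ID_LIST | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    body = struct.pack("<H", 2) + b"\x00\x00"       # IDList holding only the 2-byte TerminalID
    for text in (working_dir, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {path: open(path, "rb").read() for path in sys.argv[1:]}
    else:  # constructed inputs: a benign shortcut and one with a padded, oversized command line
        samples = {
            "benign.lnk": build_lnk("/c dir"),
            "padded.lnk": build_lnk("/c " + " " * 300 + "powershell -Command Write-Host hi"),
        }
    for name, data in samples.items():
        result = scan_lnk(data)
        print(name, result["findings"] or "ok", repr(result["arguments"][:60]))
```

Run it with one or more `.lnk` paths to scan real shortcuts, or with no arguments to see both constructed samples; the padded sample trips both checks, while the benign one reports `ok`. The parser deliberately skips the IDList and LinkInfo blocks by their declared sizes rather than interpreting them, which is all that is needed to reach the StringData section where the arguments live.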

‘End-to-end encrypted’ Smart Toilet Camera is Not Actually End-to-End Encrypted

Article link: https://techcrunch.com/2025/12/03/end-to-end-encrypted-smart-toilet-camera-is-not-actually-end-to-end-encrypted/

  • Kohler’s Dekoda smart toilet camera, marketed as offering end-to-end encryption, was found to rely on ordinary TLS between the device and Kohler’s servers. TLS protects data in transit but leaves it readable once it reaches the server, whereas true end-to-end encryption keeps the keys with the user so that the operator cannot read the content. Researchers highlighted how this mislabeling could mislead customers about who can access their data.
  • The distinction matters because data processed on Kohler’s servers is not shielded from company access, raising concerns about potential secondary uses such as AI model training. Privacy fears intensify when devices capture sensitive physiological information.
  • Analysts note that confusion between TLS and true end-to-end encryption is common, but in health-related applications the terminology carries heightened weight. Kohler maintains that users may opt in to de-identified data use.
  • As connected health devices proliferate, regulators and privacy advocates must more closely scrutinize how manufacturers communicate encryption claims and how transparent they are about server-side data handling practices.
