Major Incidents or Breaches

  • Coupang, South Korea’s largest retailer, suffered a data breach impacting 33.7 million customers, exposing personal information.
  • The CodeRED Emergency Alert Platform was shut down following a cyberattack attributed to the Inc ransomware gang, which claims to have stolen sensitive subscriber data.
  • The open-source SmartTube YouTube app for Android TV was compromised after an attacker accessed the developer’s signing keys, resulting in a malicious update being distributed to users.
  • OpenAI experienced a data breach that resulted in the exposure of sensitive information, as reported in recent threat intelligence updates.

Newly Discovered Vulnerabilities

  • CVE-2025-61260: A command injection vulnerability was disclosed in OpenAI Codex CLI, allowing malicious project-local configuration files to execute arbitrary commands.
  • CISA added CVE-2021-26829, a vulnerability in ScadaBR (an open-source industrial control system), to its Known Exploited Vulnerabilities catalog following a hacktivist ICS attack.
  • A new variant of the Shai-hulud self-replicating npm-package poisoning worm was identified, capable of stealing credentials and secrets from AWS, Google Cloud Platform, and Azure.
  • Glassworm malware has returned in a third wave, with 24 new malicious packages uploaded to the OpenVSX and Microsoft Visual Studio Code marketplaces.

Notable Threat Actor Activity

  • The threat actor ShadyPanda has been linked to a seven-year campaign using malicious Chrome and Edge browser extensions that amassed over 4.3 million installs. Initially legitimate, the extensions later evolved into spyware used for data exfiltration.
  • The Russian-speaking Tomiris group is conducting a cyber-espionage campaign targeting government and diplomatic entities in CIS member states and Central Asia, deploying new tools and tactics.
  • The Inc ransomware gang claimed responsibility for the CodeRED platform attack, stating it exfiltrated sensitive subscriber data.
  • Russian cybercriminals have developed and are distributing Albiriox, a new Android banking trojan offered as malware-as-a-service (MaaS), targeting over 400 financial apps and enabling on-device fraud and remote control.

Trends, Tools, or Tactics of Interest

  • Malwarebytes reports an increase in holiday-themed scams, particularly those targeting mobile-first shoppers.
  • Attackers are leveraging trusted software supply chains, including code packages and browser extensions, to deliver malware (e.g., Glassworm, ShadyPanda).
  • The emergence of AI-powered browsers is raising new security concerns due to their novel architectures and integration with AI agents.
  • Threat actors are using deepfakes, fake resumes, and stolen identities to infiltrate organisations via hiring pipelines, increasing insider threat risks.
  • Law enforcement in Switzerland and Germany dismantled the Cryptomixer cryptocurrency mixing service, which facilitated laundering of over €1.3 billion in Bitcoin for cybercriminals. Approximately $29 million in Bitcoin was seized.
  • Albiriox malware is being marketed as a MaaS solution for $720 per month, reflecting the ongoing professionalisation of cybercrime services.

Regulatory or Policy Developments Affecting the Security Industry

  • India’s telecommunications ministry has mandated that all new mobile devices must come pre-installed with the government-backed cybersecurity app Sanchar Saathi within 90 days, aiming to combat telecom fraud.