VulnHub

A newly discovered vulnerability in React Native has been exploited in the wild, allowing attackers to disable security protections and deliver malware to affected devices. This flaw, which was previously thought to be a theoretical risk, has now raised alarms among developers and users of applications built with React Native. The impact of this vulnerability can be significant, as it compromises the integrity and security of applications, potentially affecting millions of users. Developers are urged to take immediate action to secure their applications and protect user data from malicious exploitation.

A serious security vulnerability, identified as CVE-2025-11953 and nicknamed Metro4Shell, has been discovered in the Metro Development Server, which is part of the '@react-native-community/cli' npm package. This flaw, rated 9.8 on the CVSS scale, allows remote attackers to execute arbitrary code without authentication. Researchers from VulnCheck first detected active exploitation of this vulnerability on December 21, 2025. This poses a significant risk for developers and organizations using this package, as it could lead to unauthorized control over their systems. Users of the affected npm package need to take immediate action to protect their applications.

Recent reports indicate that several threat groups, including UNC6661, UNC6671, and UNC6240, have intensified their cyber attacks under the ShinyHunters name. These attacks primarily target cloud-based software-as-a-service (SaaS) applications, employing tactics such as voice phishing and creating fake websites to steal user credentials. This surge in extortion-themed intrusions poses a significant risk to organizations relying on SaaS platforms, as attackers aim to exploit vulnerabilities for financial gain. Businesses and users need to be vigilant about potential phishing attempts and ensure their security practices are up to date to safeguard sensitive information.

Ukraine's Computer Emergency Response Team (CERT) has reported that Russian hackers are taking advantage of a newly patched vulnerability in Microsoft Office, identified as CVE-2026-21509. This flaw affects multiple versions of the software, which could leave users open to various cyberattacks. The exploitation of this vulnerability is concerning, especially as Microsoft Office is widely used in both personal and professional settings. Users and organizations are urged to ensure that their systems are updated with the latest security patches to mitigate the risk of being targeted. The situation underscores the need for vigilance in maintaining software security, especially with ongoing geopolitical tensions.

A new wave of automated data extortion attacks is targeting exposed MongoDB instances. Cybercriminals are scanning for these unsecured databases and demanding low ransoms from their owners to restore access to the data. This trend raises concerns for businesses and individuals who may not have secured their databases properly, leaving them vulnerable to these attacks. The attackers exploit the lack of security measures in place, making it crucial for database administrators to implement proper configurations and safeguards. Without these protections, organizations risk losing important data and facing financial repercussions from ransom demands.

Mandiant has reported a rise in data theft attacks by the hacking group ShinyHunters, which are now being facilitated by targeted voice phishing (vishing) and fraudulent company-branded phishing websites. These attacks aim to capture single sign-on (SSO) credentials and multi-factor authentication (MFA) codes from unsuspecting users. Organizations that utilize SSO for accessing cloud services are particularly at risk, as attackers exploit these systems to gain unauthorized access to sensitive data. This trend is concerning for companies that rely on cloud platforms for their operations, as it highlights the dangers of social engineering tactics and the importance of securing user credentials. Businesses should be vigilant and enhance their security measures to protect against these types of threats.

Marquis Software Solutions, a financial services provider based in Texas, has linked a ransomware attack that compromised its systems in August 2025 to a subsequent security breach involving SonicWall's cloud backup services. This incident impacted several U.S. banks and credit unions, raising concerns about the security of financial data and the potential for widespread disruption in banking services. The breach reportedly allowed attackers to exploit vulnerabilities in SonicWall's systems, leading to the ransomware attack on Marquis. This situation not only emphasizes the interconnected nature of cybersecurity risks but also highlights the importance of robust security measures for third-party services that handle sensitive financial information. As organizations increasingly rely on cloud solutions, ensuring their security is crucial to protect against similar incidents in the future.

TA584, a known threat actor, is currently using compromised email accounts to distribute malicious content through services like SendGrid and Amazon SES. Their attack method incorporates tools such as Tsundere Bot and XWorm, which are designed to gain unauthorized access to networks. This tactic raises concerns for organizations that rely on these email services, as attackers can exploit trusted channels to deliver malware. The use of legitimate platforms for malicious purposes complicates detection and prevention efforts. Companies need to be vigilant and enhance their security measures to protect against such sophisticated email-based attacks.