A malicious NPM package named 'Lotusbail', with over 56,000 downloads, has been found stealing WhatsApp credentials and installing backdoors. This supply chain attack targets developers and applications integrating WhatsApp Web API functionality.
Business impact
Organizations using this library face immediate credential theft and unauthorized access to corporate communication channels, potentially violating HIPAA and SOX compliance mandates regarding data privacy.
Recommended action
Ask your Development team: Do any of our applications depend on the 'Lotusbail' or 'Baileys' NPM packages? If so, have we removed them and rotated all associated WhatsApp credentials?
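One way to answer that question mechanically across many repositories is to scan each project's package-lock.json, including transitive dependencies, for the package names the rundown calls out. This is an added example, not code from the rundown; the package names come from the page, while `find_flagged`, `scan_file` and the sample lockfile are constructed for the demonstration.

```python
"""Scan an npm package-lock.json for the packages named in the rundown.

Added example, not code from the rundown. Package names come from the page
(matched case-insensitively); the sample lockfile below is constructed.
"""
import json
from pathlib import Path

FLAGGED = {"lotusbail", "baileys"}

def _hit(name, meta, path):
    return {"name": name, "version": meta.get("version"), "path": path}

def find_flagged(lock):
    """Hits (name/version/install path) for lockfileVersion 1, 2 or 3.
    Transitive deps are included: a backdoored package is often pulled in
    indirectly, so checking package.json alone is not enough."""
    hits = []
    if "packages" in lock:  # v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            name = path.rsplit("node_modules/", 1)[-1]
            if path and name.lower() in FLAGGED:  # "" is the root project
                hits.append(_hit(name, meta, path))
        return hits

    def walk(deps, parent):  # v1: nested "dependencies" tree
        for name, meta in deps.items():
            path = f"{parent}node_modules/{name}"
            if name.lower() in FLAGGED:
                hits.append(_hit(name, meta, path))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits

def scan_file(lock_path):
    return find_flagged(json.loads(Path(lock_path).read_text()))

# Constructed lockfile: lotusbail arrives transitively via a helper package.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"wa-helper": "^1.0.0"}},
        "node_modules/wa-helper": {"version": "1.0.0", "dependencies": {"lotusbail": "*"}},
        "node_modules/wa-helper/node_modules/lotusbail": {"version": "0.0.0-constructed"},
        "node_modules/express": {"version": "4.19.2"},
    },
}
```

Run `scan_file("package-lock.json")` in each repository root; an empty list means neither package is present at any depth of the lockfile.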
The pro-Russian hacking group Noname057 has claimed responsibility for a cyberattack that knocked La Poste's digital banking and online services offline. This incident highlights the continued targeting of national infrastructure and financial services by politically motivated groups.
Business impact
Service outages in banking and logistics result in immediate revenue loss, customer dissatisfaction, and potential contractual penalties for service level agreement (SLA) failures.
Recommended action
Ask your Security team: Are our DDoS mitigation strategies stress-tested against current volumetric attack patterns used by groups like Noname057?
Trust Wallet has confirmed a security incident affecting version 2.68 of its Chrome extension, leading to $7 million in losses. The breach involves malicious code injection that exfiltrates user funds.
Business impact
Corporate wallets or assets managed via this extension are at immediate risk of total loss. This also damages trust in browser-based wallet management for enterprise treasury operations.
Recommended action
Ask your IT team: Do we have the Trust Wallet Chrome extension installed on any corporate devices? If so, has it been updated past version 2.68 immediately?
A high-severity flaw (CVSS 8.7) in MongoDB allows unauthenticated attackers to read uninitialized heap memory due to improper handling of length parameters. This could expose sensitive data residing in memory without requiring login credentials.
Business impact
Exploitation could lead to the leakage of sensitive customer data, encryption keys, or authentication tokens, triggering data breach notification requirements under GDPR and SOX.
Recommended action
Ask your Database Administrators: Have we patched our MongoDB instances to address CVE-2025-14847, specifically focusing on internet-facing clusters?
The China-linked APT group Evasive Panda is conducting a targeted espionage campaign using DNS poisoning to deliver the MgBot backdoor. Victims in Türkiye, China, and India are being targeted via manipulated update channels.
Business impact
Successful compromise allows persistent espionage and data exfiltration, threatening intellectual property and sensitive communications for organizations operating in the targeted regions.
Recommended action
Ask your Network Security team: Do we monitor for DNS anomalies and have we blocked known indicators associated with the MgBot backdoor?
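A concrete form of the DNS anomaly monitoring asked for above is to compare the A/AAAA answers returned for software-update hostnames against the address ranges those hosts are expected to resolve to, since poisoned resolutions for update channels are the delivery vector described for this campaign. This is an added example, not from the rundown or any vendor product; the hostnames, the `BASELINE` ranges and the Zeek-style dns.log records are all constructed.

```python
"""Flag A/AAAA answers for monitored update hosts that fall outside baseline.

Added example, not from the rundown or any vendor tool. Hostnames, baseline
networks and log records are constructed (RFC 5737/3849 ranges); in practice
the baseline comes from the vendor's published ranges or your own history.
"""
import ipaddress
import json

BASELINE = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "cdn.example-vendor.test": ["198.51.100.0/24", "2001:db8:10::/48"],
}

def in_baseline(host, answer):
    """True/False for an address answer of a monitored host; None otherwise."""
    nets = BASELINE.get(host)
    if nets is None:
        return None  # host not monitored
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return None  # CNAME or other non-address answer; not scored here
    return any(ip in ipaddress.ip_network(n) for n in nets)

def find_poisoned(log_lines):
    """Return (client, host, answer) tuples for answers outside the baseline."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("qtype_name") not in ("A", "AAAA"):
            continue
        for answer in rec.get("answers", []):
            if in_baseline(rec["query"], answer) is False:
                alerts.append((rec["id.orig_h"], rec["query"], answer))
    return alerts

# Constructed Zeek dns.log records in JSON form (field names as Zeek emits them).
SAMPLE_LOG = [
    '{"id.orig_h":"10.0.0.5","query":"updates.example-vendor.test","qtype_name":"A","answers":["203.0.113.10"]}',
    '{"id.orig_h":"10.0.0.7","query":"updates.example-vendor.test","qtype_name":"A","answers":["192.0.2.44"]}',
    '{"id.orig_h":"10.0.0.7","query":"cdn.example-vendor.test","qtype_name":"AAAA","answers":["2001:db8:10::5"]}',
    '{"id.orig_h":"10.0.0.9","query":"www.unrelated.test","qtype_name":"A","answers":["192.0.2.1"]}',
    '{"id.orig_h":"10.0.0.9","query":"cdn.example-vendor.test","qtype_name":"A","answers":["cdn-edge.example-vendor.test","198.51.100.9"]}',
]
```

Only the second record is reported: a monitored update host resolving to an address outside its expected range for one client, which is the pattern to investigate alongside the SIEM query later in this rundown.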
Tenable's year-end analysis highlights the critical need for governing autonomous AI agents and managing exposure in cloud and OT environments. The report emphasizes that shadow AI usage remains a top governance challenge for 2026.
Paul Mockapetris, architect of DNS, discusses the evolution of DNS from a directory to a security tool. He argues that modern networking requires DNS that can intentionally "not work" to block malicious traffic, a concept vital for Zero Trust architectures.
Unlike traditional SCA tools that only check for known CVEs, Socket analyzes the *behavior* of open-source packages to detect malicious intent, such as the backdoor and credential theft capabilities seen in the 'Lotusbail' NPM package. Socket's platform inspects package code for risky APIs (network access, file system writes) before they are installed, effectively neutralizing zero-day supply chain attacks.
Actionable Platform Guidance: Implement Socket's GitHub app to block pull requests introducing packages with "install scripts" or "network access" capabilities that are not required. Specifically for the 'Lotusbail' threat, configure Socket to flag any dependency connecting to the WhatsApp Web API endpoints unexpectedly.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Socket
# Example Socket.dev configuration (socket.yml) to block risky behaviors seen in 'Lotusbail'
version: 2
projectIgnorePaths:
  - "test/**"
issueRules:
  # Block packages that contain install scripts (common malware vector)
  - action: error
    issue: install-scripts
  # Block packages that exfiltrate data (network access)
  - action: error
    issue: network-access
  # Block packages with high entropy strings (potential obfuscated code)
  - action: warn
    issue: high-entropy-strings
2. YARA Rule for Trust Wallet Extension Malicious Indicators
rule Malicious_TrustWallet_Extension_Artifacts {
    meta:
        description = "Detects artifacts associated with the compromised Trust Wallet Chrome Extension v2.68"
        author = "Threat Rundown"
        date = "2025-12-27"
        reference = "https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"
        severity = "high"
        tlp = "white"
    strings:
        $s1 = "/upload" ascii wide
        $s2 = "/v1/gate" ascii wide
        $s3 = "chrome-extension://" ascii wide
        $s4 = "Trust Wallet" ascii wide
    condition:
        ($s3 and $s4) and any of ($s1, $s2)
}
3. SIEM Query – Evasive Panda DNS Poisoning Activity
index=security (sourcetype="stream:dns" OR sourcetype="bro:dns")
    (query_type="A" OR query_type="AAAA")
| eval risk_score=case(
    match(answer, "^10\.") OR match(answer, "^192\.168\."), 0,
    isnotnull(malicious_flag), 100,
    1==1, 25)
| where risk_score >= 50
| table _time, src_ip, query, answer, risk_score
| sort -_time
4. PowerShell Script – Detect Trust Wallet Extension Version
$computers = "localhost"
foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            # Each user's Default Chrome profile; add other profiles ("Profile 1", ...) if they are in use
            $extensions = Get-ChildItem "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -ErrorAction SilentlyContinue
            foreach ($ext in $extensions) {
                # Trust Wallet extension ID as given in the rundown (verify against the Web Store listing)
                if ($ext.Name -eq "egjidjbpglichdcondbcbdnbeeppgdph") {
                    # Chrome keeps one subdirectory per installed version, each with its own manifest.json
                    foreach ($verDir in Get-ChildItem $ext.FullName -Directory) {
                        $manifestPath = Join-Path $verDir.FullName "manifest.json"
                        if (-not (Test-Path $manifestPath)) { continue }
                        $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
                        # Manifest versions may carry a trailing build component (e.g. 2.68.0); the -like form covers that
                        if ($manifest.version -eq "2.68" -or $manifest.version -like "2.68.*") {
                            Write-Warning "CRITICAL: Compromised Trust Wallet version $($manifest.version) found at $manifestPath on $env:COMPUTERNAME"
                        }
                    }
                }
            }
        }
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!