The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit.
This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions, logins, messages — the things people click without thinking. That’s where damage starts now.
This recap pulls those signals together. Not to overwhelm, but to show where attention slipped and why it matters early in the year.
⚡ Threat of the Week
RondoDox Botnet Exploits React2Shell Flaw — A persistent nine-month-long campaign has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 84,916 instances that remain susceptible to the vulnerability as of January 4, 2026, out of which 66,200 instances are located in the U.S., followed by Germany (3,600), France (2,500), and India (1,290).
🔔 Top News
- Trust Wallet Chrome Extension Hack Traced to Shai-Hulud Supply Chain Attack — Trust Wallet revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” The unknown threat actors are said to have registered a domain to exfiltrate users’ wallet mnemonic phrases. Koi’s analysis found that directly querying the server to which the data was exfiltrated returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. There is evidence to suggest that preparations for the hack were underway since at least December 8, 2025.
