Daily Brief


Total articles found: 12622

Checks for new stories every ~15 minutes

2025-12-12 18:36:05 | bleepingcomputer | DATA BREACH | Coupang Data Breach Exposes 33.7 Million Customer Records
Coupang, South Korea's largest online retailer, experienced a significant data breach affecting 33.7 million customers, revealing personal data such as names, emails, addresses, and order information. The breach was traced to a former employee who retained access to internal systems post-departure, highlighting potential internal security oversight. The breach occurred in June 2025 but was only discovered in November, prompting an internal investigation and subsequent police involvement. The Seoul Metropolitan Police Agency conducted a raid on Coupang's offices, gathering evidence to determine the breach's extent and the company's potential liability. Coupang's CEO resigned following the incident, marking it as the most severe cybersecurity breach in South Korean history and raising questions about corporate accountability. The breach has led to increased phishing activity, affecting a significant portion of the population, with numerous reports of Coupang impersonation attempts. Authorities continue to investigate, focusing on internal documents, logs, and access histories to understand the breach mechanics and prevent future incidents.
2025-12-12 18:25:56 | theregister | VULNERABILITIES | New React Vulnerabilities Demand Urgent Patching to Prevent Exploits
Recent vulnerabilities in React Server Components include two denial-of-service flaws and a source-code exposure issue, affecting versions 19.0.0 to 19.2.2, necessitating immediate updates. CVE-2025-55184 and CVE-2025-67779, both high-severity DoS bugs, can hang servers through crafted HTTP requests, impacting performance and accessibility. CVE-2025-55183, a medium-severity flaw, risks exposing hardcoded secrets via malicious HTTP requests, though runtime secrets remain secure. These vulnerabilities were discovered by researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson, who reported them to Meta, the library's creator. The earlier React2Shell vulnerability, CVE-2025-55182, remains a concern despite previous patches, with ongoing exploitation by actors from North Korea and China. Organizations must update to the latest patches as previous fixes are incomplete, similar to the widespread impact seen with the Log4Shell vulnerability. Over 50 organizations have been affected by React2Shell, with potential for further compromise if immediate action is not taken to address these new vulnerabilities.
2025-12-12 17:16:07 | bleepingcomputer | MALWARE | Fake Movie Torrent Distributes Agent Tesla via Subtitle Files
Bitdefender researchers identified a fake torrent for "One Battle After Another" containing malware hidden in subtitle files, exploiting interest in the newly released film. The torrent file includes a malicious PowerShell script embedded within subtitle files, which activates upon executing a shortcut file disguised as a movie launcher. Once activated, the script reconstructs additional PowerShell scripts that check for Windows Defender, install Go, and deploy the Agent Tesla RAT payload. Agent Tesla, active since 2014, is a Windows-based Remote Access Trojan used to steal credentials and capture screenshots, known for its reliability and ease of use. The infection chain is noted for its complexity and stealth, making it difficult for users to detect the malicious activity until it's too late. Bitdefender advises against downloading torrents from unknown sources due to the high risk of malware, as seen in similar cases with other popular movie titles. This incident serves as a reminder of the persistent threat posed by cybercriminals exploiting popular media content to distribute malware.
2025-12-12 15:28:27 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2025.4 Update Introduces New Tools and Enhancements
Kali Linux has released its final update for the year, version 2025.4, featuring three new tools and significant desktop environment enhancements. The update includes improvements to GNOME 49, KDE Plasma 6.5, and Xfce, enhancing user experience with refreshed themes and new functionalities. GNOME now operates exclusively on Wayland, removing X11 support, and introduces a new Showtime video player and reorganized app grid. Kali NetHunter expands device support for Android 16 and 15, enhancing compatibility with popular devices like Samsung Galaxy S10 and OnePlus Nord. The update enhances VirtualBox, VMware, and QEMU support, improving virtual machine guest utilities for better integration and performance. Users can upgrade existing installations to Kali Linux 2025.4 in place or download ISO images for fresh installs, with guidance provided for Windows Subsystem for Linux users. This release continues to cater to cybersecurity professionals and ethical hackers, offering a robust platform for penetration testing and security assessments.
2025-12-12 15:03:28 | bleepingcomputer | VULNERABILITIES | Addressing Security Risks Posed by Shadow Spreadsheets in Organizations
Shadow spreadsheets emerge when employees bypass official tools, often due to limitations in existing systems, creating potential security vulnerabilities within organizations. These spreadsheets can contain sensitive data and are frequently shared with inadequate access controls, posing risks of unauthorized access and data leakage. Oversharing and spreadsheet sprawl are common issues, leading to multiple versions circulating without clear ownership or audit trails. Shadow spreadsheets create an untraceable attack surface, complicating efforts to track data access and changes, especially in the presence of malicious actors. Traditional security measures like DLP and file-sharing restrictions may drive employees to use even less secure methods, such as personal cloud storage. Grist Labs proposes a solution combining spreadsheet flexibility with robust security controls, offering granular permissions and audit logging to mitigate these risks. Implementing secure, structured data applications that mimic spreadsheet functionality can enhance security while maintaining user productivity and satisfaction.
2025-12-12 14:08:22 | thehackernews | MALWARE | New AI-Driven Phishing Kits Bypass MFA and Steal Credentials
Cybersecurity researchers identified four advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—capable of large-scale credential theft and MFA bypass, posing significant threats to organizations globally. BlackForce employs Man-in-the-Browser attacks to capture one-time passwords, sold on Telegram for up to $351, and impersonates brands like Disney and Netflix. GhostFrame's architecture uses iframes to stealthily redirect victims to phishing pages, targeting Microsoft 365 and Google accounts, complicating detection efforts. InboxPrime AI leverages artificial intelligence to automate phishing campaigns, mimicking human emailing behavior, and is marketed under a malware-as-a-service model for $1,000. Spiderman targets European banks, creating pixel-perfect replicas of login pages, and captures credentials, OTPs, and cryptocurrency wallet data. The emergence of these kits reflects a trend towards more sophisticated, industrialized phishing operations, lowering entry barriers for cybercriminals. Organizations are urged to enhance their security measures, including advanced threat detection and employee training, to mitigate these evolving phishing threats.
2025-12-12 13:39:26 | theregister | VULNERABILITIES | Microsoft Expands Bug Bounty Program to Include Third-Party Applications
Microsoft is revamping its bug bounty program to reward discoveries of critical vulnerabilities across all products, including third-party and open-source applications. The "in scope by default" model will incentivize researchers to focus on high-risk areas that threat actors may target, enhancing Microsoft's security posture. This initiative aims to cover vulnerabilities in new products and services that lack dedicated bounty programs, broadening the scope of eligible discoveries. Microsoft paid over $17 million in bug bounty awards last year and anticipates increased spending under the new program structure. The shift addresses previous criticisms of the program's prescriptive nature and aims to improve response times and triage processes. By embracing diverse insights from the security research community, Microsoft seeks to proactively strengthen defenses against evolving cyber threats, particularly in cloud and AI domains. The program's evolution reflects Microsoft's commitment to addressing vulnerabilities promptly, regardless of code ownership, to safeguard its extensive digital ecosystem.
2025-12-12 13:26:45 | theregister | CYBERCRIME | Former Accenture Manager Sued for Misleading Army Cloud Security Claims
The U.S. government has filed a lawsuit against Danielle Hillmer, a former Accenture manager, for allegedly misrepresenting the security compliance of an Army cloud platform. Hillmer is accused of deceiving federal auditors about the Nonappropriated Fund Integrated Financial Management System's security capabilities between March 2020 and November 2021. The platform, used by multiple government entities, was falsely claimed to meet FedRAMP High and DoD Impact Levels 4 and 5 security standards. Despite internal and external warnings, Hillmer allegedly filed false applications to elevate the platform's compliance level, potentially securing lucrative government contracts. Accenture's contract required a DoD Impact Level 4 assessment, and Hillmer's alleged actions could have influenced contract awards worth approximately $250 million. Accenture has cooperated with the investigation, proactively reporting the issue to the government and emphasizing its commitment to ethical standards. The Justice Department has initiated civil and criminal proceedings, and Accenture continues to comply with the ongoing investigation.
2025-12-12 12:41:46 | theregister | DATA BREACH | UK Home Office eVisa System Faces GDPR Compliance Scrutiny
Civil society groups have called for an investigation into the UK Home Office's digital-only eVisa scheme, citing potential GDPR violations and systemic data errors affecting migrants. The eVisa system, which replaces physical immigration documents with real-time online records, has reportedly led to data breaches and operational failures, impacting migrants' access to essential services. A documented incident involved the incorrect disclosure of a Canadian citizen’s sensitive information to a Russian individual, raising serious data protection concerns. The digital-only nature of the eVisa scheme leaves migrants without a physical fallback, complicating their ability to prove legal residency during system outages. Critics argue the Home Office's Data Protection Impact Assessment inadequately addresses risks, particularly for vulnerable groups such as the elderly and digitally excluded individuals. Concerns have been raised about the handling of biometric data, with claims that privacy risks have not been properly evaluated or mitigated. The Information Commissioner's Office is being urged to assess whether the eVisa system aligns with GDPR requirements or if it is fundamentally flawed.
2025-12-12 11:39:29 | theregister | VULNERABILITIES | React2Shell Exploitation Grows Amidst Widespread Unpatched Servers
Wiz reports that half of internet-facing React servers remain unpatched against the critical CVE-2025-55182 vulnerability, known as "React2Shell," posing significant security risks. The vulnerability allows for remote code execution through unsafe deserialization in React's server-side packages, affecting frameworks like Next.js. At least 15 distinct attack clusters have been identified, ranging from cryptomining operations to state-linked intrusion attempts. Attackers are employing sophisticated anti-forensics techniques, including timestamp manipulation and log minimization, to evade detection and maintain persistence. Palo Alto Networks' Unit 42 has linked some exploit activities to North Korean and Chinese threat groups, although no formal attribution has been made. The widespread use of React in modern web stacks, especially in cloud environments, amplifies the potential impact of these attacks. Organizations are urged to prioritize patching and implement robust monitoring to mitigate the risk of exploitation and data compromise.
2025-12-12 11:31:02 | bleepingcomputer | VULNERABILITIES | Unofficial Patches Released for Windows RasMan Zero-Day Vulnerability
ACROS Security has issued free unofficial patches for a newly discovered Windows zero-day vulnerability affecting the Remote Access Connection Manager (RasMan) service. The vulnerability allows attackers to crash the RasMan service, which is critical for managing VPN and remote network connections, potentially leading to privilege escalation attacks. This flaw affects all Windows versions, from Windows 7 to Windows 11, and Windows Server 2008 R2 through Server 2025, and remains unpatched by Microsoft. The vulnerability is due to a coding error involving circular linked lists, where a null pointer causes the service to crash instead of exiting the loop. ACROS Security's 0patch micropatching platform offers these patches until Microsoft releases an official fix, requiring users to install the 0patch agent for automatic updates. Microsoft has been informed of the issue and is expected to provide an official patch in future updates, but no immediate comment was available. Organizations are advised to implement the unofficial patches to mitigate the risk until an official solution is provided by Microsoft.
2025-12-12 10:23:55 | thehackernews | VULNERABILITIES | Strategies for Securing GenAI Use in Enterprise Browsers
Enterprises are increasingly using GenAI tools in browsers, raising concerns about data security as sensitive information is often entered into these platforms. Traditional security measures are inadequate for managing the unique risks posed by GenAI, necessitating new strategies focused on browser-level controls. A comprehensive GenAI security strategy should include clear policies that define safe data use, categorizing tools by risk and enforcing technical controls. Isolation techniques, such as dedicated browser profiles and per-site controls, help contain risks without compromising employee productivity. Data Loss Prevention (DLP) measures at the browser edge are crucial for monitoring user actions and preventing unauthorized data sharing. Continuous monitoring and management of GenAI browser extensions are essential to prevent them from becoming data exfiltration channels. Identity and session management, including single sign-on, enhances security by ensuring data is tied to corporate accounts, preventing cross-access risks. Effective GenAI security programs require robust visibility, telemetry, and analytics to identify usage patterns and refine security measures over time.
2025-12-12 09:51:36 | bleepingcomputer | VULNERABILITIES | CISA Mandates Urgent Patch for Critical GeoServer Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has instructed U.S. federal agencies to patch a critical GeoServer vulnerability, CVE-2025-58360, now actively exploited in cyberattacks. This vulnerability involves an XML External Entity (XXE) flaw in GeoServer 2.26.1 and earlier, enabling attackers to execute denial-of-service attacks or access sensitive data. Over 14,000 GeoServer instances are exposed online, with 2,451 IP addresses currently tracked by the Shadowserver group for potential exploitation. Federal Civilian Executive Branch agencies must patch affected systems by January 1, 2026, as per Binding Operational Directive 22-01. CISA advises network defenders to prioritize patching this vulnerability, warning of its frequent use in malicious cyber activities. In 2024, an unpatched GeoServer vulnerability was exploited to breach an unnamed U.S. government agency, highlighting the importance of timely updates. Agencies are urged to apply vendor-recommended mitigations, follow BOD 22-01 guidance, or discontinue the product if necessary.
2025-12-12 09:02:06 | thehackernews | VULNERABILITIES | React Server Components Vulnerabilities Pose DoS and Code Exposure Risks
The React team has addressed two new vulnerabilities in React Server Components (RSC) that could lead to denial-of-service (DoS) attacks or source code exposure. These issues emerged as the security community tested patches for CVE-2025-55182, a critical bug with a CVSS score of 10.0, already exploited in the wild. Successful exploitation of CVE-2025-55183 requires a Server Function that exposes an argument in string format, affecting specific versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Security researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson reported these vulnerabilities through the Meta Bug Bounty program, highlighting the importance of collaborative security efforts. Users are urged to update to versions 19.0.3, 19.1.4, and 19.2.3 promptly, especially given the active exploitation of CVE-2025-55182. The React team emphasized that additional vulnerability disclosures, while frustrating, indicate a robust response cycle and are common across the software industry. This incident underscores the need for continuous vigilance and timely updates to mitigate potential security threats in widely-used software frameworks.
2025-12-12 08:46:35 | thehackernews | VULNERABILITIES | React2Shell Vulnerability Exploitation Prompts Urgent Global Mitigation Efforts
The React2Shell vulnerability, CVE-2025-55182, is being actively exploited globally, affecting React Server Components and other frameworks like Next.js and Vite. CISA has mandated federal agencies to patch the vulnerability by December 12, 2025, due to its critical nature and a CVSS score of 10.0. The flaw allows attackers to execute arbitrary, privileged JavaScript on affected servers without authentication or user interaction, posing significant risks. Cloudflare and Wiz have observed widespread attacks, particularly targeting internet-facing Next.js applications and Kubernetes workloads, with some regions being excluded from scans. Threat actors have focused on networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand, aligning with geopolitical intelligence priorities. Kaspersky reported over 35,000 exploitation attempts in a single day, with attackers deploying cryptocurrency miners and botnet malware like Mirai variants. An open directory containing a proof-of-concept exploit script has been discovered, facilitating further exploitation attempts by unidentified threat actors. Over 137,200 internet-exposed IP addresses are running vulnerable code, with the majority located in the U.S., highlighting the widespread impact and urgency for remediation.