Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps

A novel ClickFix-style attack has been identified, utilizing JavaScript to hijack cryptocurrency swaps on Swapzone.io. This is one of the first known instances where JavaScript is used to alter webpage functionality for malicious purposes.

Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign

The Lazarus Group, a North Korean APT, has launched a sophisticated campaign using malicious npm and PyPI packages. This operation, known as 'graphalgo', targets developers through fake recruitment schemes.

Fake AI Chrome extensions with 300K users steal credentials, emails

A malicious campaign involving 30 Chrome extensions, known as AiFrame, has been identified, affecting over 300,000 users. These extensions masquerade as AI assistants to steal credentials, email content, and browsing information.

World Leaks Ransomware Adds Custom Malware 'RustyRocket' to Attacks

World Leaks, a notorious cyber-criminal group, has enhanced its attack arsenal with a new malware named 'RustyRocket'. This sophisticated toolset is a critical component of World Leaks' operations.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2024-43468, CVE-2025-15556, CVE-2025-40536, and CVE-2026-20700. These vulnerabilities are actively exploited and pose significant risks to organizations.

CISA Releases Two Industrial Control Systems Advisories

CISA released two new ICS advisories on December 30, 2025. These advisories address vulnerabilities in WHILL C2 Wheelchairs and AzeoTech DAQFactory, providing critical information on current security issues and exploits.

Apple fixes zero-day flaw used in 'extremely sophisticated' attacks

Apple has addressed a zero-day vulnerability, CVE-2026-20700, in its Dynamic Link Editor (dyld), which was exploited in highly sophisticated attacks targeting specific individuals. This marks the first zero-day fix in 2026.

ZeroDayRAT malware grants full access to Android, iOS devices

ZeroDayRAT is a sophisticated mobile spyware platform targeting Android and iOS devices, offering cybercriminals full remote control. It poses significant risks to both individuals and enterprises.

Phorpiex Phishing Delivers Low-Noise Global Group Ransomware

The Phorpiex malware is being used in a high-volume phishing campaign to deliver Global Group ransomware. Attackers use Windows shortcut files with double extensions (e.g., Document.doc.lnk) and visual cues to disguise malicious files.

Why a decade-old EnCase driver still works as an EDR killer

Attackers are exploiting a decade-old EnCase driver to disable 59 endpoint security products. The driver's certificate, issued on December 15, 2006, allows it to load on modern Windows systems due to Microsoft's backward compatibility policies.
