Cybersecurity Week in Review: December 31, 2025 – January 6, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Introduction

The first week of 2026 opened with a surge of high-impact cyber incidents, critical vulnerabilities, and government advisories. This review covers the period from Tuesday, December 31, 2025, through Monday, January 6, 2026, highlighting the most significant developments across data breaches, cyberattacks, vulnerabilities, and regulatory responses. The week was marked by the rapid exploitation of newly disclosed flaws, major ransomware campaigns, and a continued focus on supply chain and cloud security.


Major Data Breaches

Coupang: Massive Insider Breach Exposes 33.7 Million Accounts

South Korea’s largest online retailer, Coupang, confirmed a data breach affecting 33.7 million customer accounts—potentially up to 65% of the country’s population. The breach exposed names, contact details, addresses, and order histories, but payment and login credentials were reportedly not compromised. Authorities are investigating a suspected insider attack linked to a former employee, with police seizing data and devices from Coupang’s headquarters. The incident underscores the persistent risk of insider threats and the need for robust access controls and monitoring [1].

  • Organization: Coupang (South Korea)
  • Data Exposed: Names, contact details, addresses, order histories
  • Attack Vector: Suspected insider (former employee)
  • Discovery Date: Early January 2026
  • Response: Ongoing investigation, law enforcement involved

University of Phoenix: Third-Party Breach Impacts 3.5 Million

The University of Phoenix disclosed a breach after unauthorized access was detected in a system operated by a third-party service provider. The incident affected data linked to students, applicants, and employees. The university was alerted after the provider detected suspicious activity, highlighting the risks associated with third-party vendors [2].

  • Organization: University of Phoenix (USA)
  • Data Exposed: Student, applicant, and employee records
  • Attack Vector: Third-party service provider compromise
  • Discovery Date: Late December 2025
  • Response: Notification of affected individuals, review of vendor security

Korean Air: Employee Data Compromised in Oracle EBS Hack

A breach at Korean Air’s former subsidiary, KC&D, led to the theft of data belonging to approximately 30,000 employees. The attack exploited vulnerabilities in Oracle E-Business Suite, emphasizing the importance of timely patching and monitoring of enterprise applications [3].

  • Organization: Korean Air (South Korea)
  • Data Exposed: Employee personal information
  • Attack Vector: Oracle EBS vulnerability
  • Discovery Date: December 30, 2025
  • Response: Investigation and remediation underway

Significant Cyberattacks

MongoDB “MongoBleed” Vulnerability Exploited at Scale

A critical vulnerability in MongoDB (CVE-2025-14847, CVSS 8.7) was actively exploited, with over 87,000 potentially vulnerable instances identified worldwide. The flaw, dubbed “MongoBleed,” allows unauthenticated attackers to leak sensitive data from server memory by sending malformed network packets. The majority of exposed instances were found in the U.S., China, Germany, India, and France. Security researchers noted that 42% of cloud environments had at least one vulnerable MongoDB instance. Patches were released, and organizations were urged to update immediately [4].

  • Vulnerability: CVE-2025-14847 (“MongoBleed”)
  • Type: Unauthenticated memory disclosure
  • Affected Versions: MongoDB with zlib compression enabled (default)
  • Exploitation: Active, global scale
  • Mitigation: Update to patched versions, disable zlib compression as a workaround
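The workaround listed above hinges on one mongod setting. The following added example (not code from the original post or from MongoDB) audits a `mongod.conf` for the zlib network compressor and derives a hardened compressor list; it assumes the real `net.compression.compressors` option and its default of `snappy,zstd,zlib`, and the sample configs are constructed.

```python
# Added example: check whether a mongod.conf still offers the zlib network
# compressor (the MongoBleed workaround is to remove it) and propose a fix.
# Assumes the real setting net.compression.compressors; sample configs below
# are constructed. Patching remains the actual remediation.
from typing import Dict, List

# mongod's default when the key is absent; note that zlib is included.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_scalar_paths(text: str) -> Dict[str, str]:
    """Minimal reader for the 'key: value' subset of mongod.conf YAML.
    Returns dotted paths -> values, e.g. {'net.port': '27017'}."""
    result: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling keys
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return result


def compressor_list(conf_text: str) -> List[str]:
    conf = parse_scalar_paths(conf_text)
    raw = conf.get("net.compression.compressors", DEFAULT_COMPRESSORS)
    return [c.strip() for c in raw.split(",") if c.strip()]


def zlib_enabled(conf_text: str) -> bool:
    """True when zlib is offered explicitly or via the implicit default."""
    return "zlib" in compressor_list(conf_text)


def hardened_compressors(conf_text: str) -> str:
    """Compressor list with zlib removed; 'disabled' if nothing is left."""
    kept = [c for c in compressor_list(conf_text) if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


# Constructed sample configs: one relying on the default, one explicit, one fixed.
IMPLICIT_DEFAULT = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 127.0.0.1\n"
EXPLICIT_ZLIB = IMPLICIT_DEFAULT + "  compression:\n    compressors: zstd,zlib\n"
HARDENED = IMPLICIT_DEFAULT + "  compression:\n    compressors: snappy,zstd\n"

if __name__ == "__main__":
    for name, text in (("implicit default", IMPLICIT_DEFAULT), ("explicit zlib", EXPLICIT_ZLIB), ("hardened", HARDENED)):
        print(f"{name}: zlib_enabled={zlib_enabled(text)}; use compressors: {hardened_compressors(text)}")
```

A config with no `compressors` key is flagged as well, because the default list still includes zlib.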

Trust Wallet Chrome Extension Hack Results in $7 Million Loss

Trust Wallet, a popular cryptocurrency wallet, suffered a security incident involving its Chrome extension. Attackers exploited a leaked Chrome Web Store API key to publish a malicious version (2.68), leading to the theft of approximately $7 million. Trust Wallet urged users to update to version 2.69 and offered refunds to affected users. The attack did not impact mobile-only users or other browser extension versions [5].

  • Organization: Trust Wallet
  • Impact: $7 million in cryptocurrency stolen
  • Attack Vector: Malicious Chrome extension update
  • Response: Urgent update, reimbursement for victims

Ransomware: LockBit 5 and Qilin Lead Global Campaigns

Ransomware activity remained elevated, with LockBit 5 responsible for over a third of all reported incidents globally during the week. Other active groups included Qilin, SafePay, Play, and DragonForce. These campaigns targeted organizations across multiple sectors and regions, reflecting the persistent and evolving nature of ransomware threats [6].

  • Dominant Groups: LockBit 5 (35%), Qilin (15.8%), SafePay (10.7%), Play (7.3%), DragonForce (5%)
  • Tactics: Multi-victim operations, leak-site publications, rapid exploitation

Critical Vulnerabilities

React2Shell (CVE-2025-55182): Critical RCE in React Server Components

A critical remote code execution vulnerability (CVSS 10.0) in React Server Components, known as React2Shell, was actively exploited by multiple China-linked threat groups. The flaw allows unauthenticated attackers to execute arbitrary shell commands on affected servers by exploiting insecure deserialization in the Flight protocol. Security teams warned that millions of websites were at risk, and urgent patching was advised [7].

  • Vulnerability: CVE-2025-55182 (“React2Shell”)
  • Type: Unauthenticated remote code execution
  • Affected Products: React Server Components, Next.js
  • Exploitation: Highly active, weaponized within 30 hours of disclosure
  • Mitigation: Upgrade to React 19.0.1 or Next.js 15.1+, rotate environment secrets

MongoDB “MongoBleed” (CVE-2025-14847): Memory Disclosure

As detailed above, MongoDB’s “MongoBleed” vulnerability was one of the most widely exploited flaws of the week, with attackers able to extract sensitive data from unpatched servers [4].


Government Responses

CISA Adds MongoDB “MongoBleed” to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent patching for federal agencies and strongly recommending immediate action for all organizations. CISA also released new advisories for industrial control systems, reflecting the ongoing threat to critical infrastructure [8].

  • Advisory: CISA KEV update for MongoDB “MongoBleed”
  • Action: Urgent patching required for federal systems

International Law Enforcement: Crackdown on African Cybercrime Syndicates

Law enforcement agencies in 19 countries coordinated a major crackdown on African cybercrime syndicates, resulting in hundreds of arrests. The operation targeted groups involved in business email compromise, ransomware, and financial fraud, highlighting the growing international focus on disrupting cybercriminal infrastructure [1].


Miscellaneous

New Malware: ClickFix and XWorm

  • ClickFix: A new social engineering technique that tricks users into performing keyboard combinations that lead to malware installation. It is commonly integrated into phishing campaigns and mimics CAPTCHAs or error pages [6].
  • XWorm: A remote access trojan (RAT) and malware loader, increasingly used in attacks to give full remote control over victim systems. XWorm is sold on dark web forums, often disguised as a legitimate tool [6].

Cybersecurity M&A: 30 Deals Announced in December

December 2025 saw a flurry of cybersecurity-related mergers and acquisitions, with 30 deals announced, including eight valued at over $1 billion. This trend reflects ongoing consolidation and investment in the cybersecurity sector [9].


Conclusion

The week spanning December 31, 2025, to January 6, 2026, demonstrated the relentless pace and complexity of the modern threat landscape. From massive data breaches and rapid exploitation of critical vulnerabilities to coordinated government action and new malware strains, organizations must remain vigilant and proactive. Timely patching, robust third-party risk management, and cross-sector collaboration are more crucial than ever as we move further into 2026.