As the year draws to a close, the cyber threat landscape is as active and unpredictable as ever. Rather than being dominated by one headline-grabbing incident, the final week of 2025 saw multiple concurrent cyber risks unfold — from mass exploitation of a newly disclosed database flaw to wallet breaches, espionage campaigns, malicious software packages, and legacy vulnerabilities resurfacing in alarming ways. A theme ran clearly through these developments: attackers are operating faster than defensive patches can keep up, and threat actors are increasingly creative in blending old vulnerabilities with new tactics.

This comprehensive weekly recap brings together the most important cybersecurity developments from the past week so you can understand what shaped the threat environment and what organizations and users should prioritize heading into 2026.

Threat of the Week — MongoDB Vulnerability Under Active Exploitation

At the center of this week’s coverage is a high-severity vulnerability in MongoDB (tracked as CVE-2025-14847) that has rapidly become a real-world security problem — affecting over 87,000 instances worldwide and actively exploited by adversaries.

What Is MongoBleed?

The flaw — nicknamed “MongoBleed” by researchers — affects the way MongoDB’s zlib compression handles input data. Due to a flaw in the handling of certain decompression operations, an unauthenticated attacker can cause the server to leak portions of memory, potentially exposing sensitive information such as user credentials, API keys, and other confidential data held in RAM.

Key takeaways from the vulnerability include:

  • Severity: Rated 8.7/10 (High) due to the ease of exploitation.
  • Scope: More than 87,000 vulnerable instances globally, including in the U.S., China, India, Germany, and France.
  • Risk: Both internet-exposed servers and internal cloud instances could be targeted.

Because this flaw does not require credentials to exploit, defenders are urged to update MongoDB to the patched versions listed by the vendor as a matter of urgency.

Trust Wallet Chrome Extension Breach — $7M Lost in Malicious Update

Another significant incident this week involved the Trust Wallet Chrome extension, a browser add-on used by roughly 1 million users to manage crypto assets.

What Happened?

Trust Wallet confirmed that a security incident impacted version 2.68 of its Chrome extension, allowing attackers to distribute malicious code that led to losses estimated at around $7 million in cryptocurrency.

Key points:

  • Version 2.68 was likely published with a leaked Chrome Web Store API key, enabling the attacker to push it as an “update.”
  • Users are urged to update immediately to version 2.69 to mitigate further theft.
  • The incident highlights how third-party extension ecosystems can become serious security liabilities when ownership credentials are compromised.

Trust Wallet has stated it will help refund affected users, but the episode underscores the growing risk against browser extensions and the importance of supply-chain security in software distribution.

Evasive Panda DNS Poisoning Campaign Delivers MgBot Malware

Cybersecurity analysts attributed a prolonged, highly targeted espionage campaign to the China-linked APT group known as Evasive Panda, in which the attackers used DNS poisoning to deliver the MgBot backdoor against select targets in Türkiye, China, and India.

What Was the Attack Pattern?

  • Threat actors manipulated DNS responses for certain domains so that victims seeking legitimate software updates were instead routed to attacker-controlled servers.
  • The campaign, which spanned nearly two years (Nov 2022–Nov 2024), employed adversary-in-the-middle techniques to deliver trojanized updates for popular applications.
  • The MgBot implant provided extensive data exfiltration and surveillance capabilities.

The sophisticated use of DNS poisoning — a relatively uncommon but powerful tactic — highlights how advanced threat actors can evade traditional defenses to maintain long-term persistence.

LastPass 2022 Breach Continues to Fuel Crypto Thefts

Long-standing consequences from the 2022 LastPass breach came back into focus this week, with blockchain intelligence firm TRM Labs reporting fresh cryptocurrency thefts enabled by the stolen encrypted vault backups.

Full Situation

  • Although LastPass’s zero-knowledge design means attackers did not initially access decrypted passwords, weak master passwords enabled threat actors to eventually crack some vaults offline.
  • Stolen crypto assets linked to the breach are estimated in the tens of millions, with laundering activity continuing in 2025.
  • Laundering patterns of the wallets associated with this activity showed links to the Russian cybercriminal ecosystem.

This long-tail abuse of breach data illustrates how encryption without strong password practices can still lead to significant losses over time.

Fortinet Warns of Renewed Exploitation of Old VPN Flaw

Security vendor Fortinet issued an advisory noting “recent abuse” of an older vulnerability in FortiOS SSL VPN (CVE-2020-12812) — a flaw first disclosed five years ago.

Key Risk Details

  • Under specific configurations, this flaw can allow a user to authenticate without second-factor authentication if the case of the username is changed.
  • Fortinet has not provided details on whether successful intrusions occurred, but advised customers to reset credentials and audit access logs if unexpected logins are observed.

This development is a reminder that old vulnerabilities can remain dangerous threats when overlooked in patching and configuration reviews.
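One way to act on the advice above to audit access logs, as an added example that is not Fortinet's own tooling: flag successful VPN logins where the username only matches an MFA-enrolled account when compared case-insensitively and no second factor was recorded. The log format and the `MFA_USERS` directory below are constructed for the example, not FortiOS's real log schema.

```python
import re

# Constructed sample records (simplified "key=value" lines, not a real FortiOS format).
SAMPLE_LOGS = """\
2025-12-29T08:01:12Z user=jsmith mfa=yes result=success src=203.0.113.5
2025-12-29T08:14:40Z user=JSmith mfa=no result=success src=198.51.100.23
2025-12-29T09:02:03Z user=alee mfa=yes result=success src=203.0.113.9
2025-12-29T09:30:55Z user=ALEE mfa=no result=failure src=198.51.100.77
2025-12-29T10:11:17Z user=mkhan mfa=no result=success src=203.0.113.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mfa=(?P<mfa>yes|no) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Hypothetical directory of canonical (as-provisioned) usernames that must use a second factor.
MFA_USERS = {"jsmith", "alee"}


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_case_variant_logins(log_text, mfa_users):
    """Return successful logins whose username matches an MFA-enrolled account
    only case-insensitively, yet where no second factor was recorded."""
    canonical = {u.lower(): u for u in mfa_users}
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue  # only successful logins matter for this check
        expected = canonical.get(rec["user"].lower())
        if expected is None:
            continue  # account is not MFA-enrolled; out of scope here
        if rec["user"] != expected and rec["mfa"] == "no":
            hits.append({"ts": rec["ts"], "user_seen": rec["user"],
                         "account": expected, "src": rec["src"]})
    return hits


if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOGS, MFA_USERS):
        print(f"{hit['ts']} {hit['user_seen']!r} logged in as {hit['account']} "
              f"without MFA from {hit['src']}")
```

Any hit is a credential-reset and session-review candidate; the account in scope is the canonical name, not the case variant that appeared in the log.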

Malicious npm Package ‘lotusbail’ Harvests WhatsApp Messages

Open-source software repositories, while invaluable, continue to be attractive targets for supply-chain abuse. This week, security researchers flagged a malicious npm package named lotusbail that masqueraded as a WhatsApp API tool.

What It Did

  • The package functioned as a legitimate WhatsApp API but also intercepted every user message, linking the attacker’s device to the victim’s WhatsApp account.
  • It was downloaded more than 56,000 times before npm removed it.
  • Even after uninstall, the attacker’s device remains linked unless manually unlinked from WhatsApp settings.

This raises serious concerns for developers relying on third-party libraries and emphasizes the importance of code vetting and dependency auditing.

Recurring Themes from This Week

Attackers Move Faster Than Patches

A common narrative throughout this week’s incidents is the rapid weaponization of vulnerabilities soon after disclosure — including the MongoDB flaw being actively attacked while details were still emerging.

Tools and Services Trusted Daily Are Abused

Whether it is widely used databases (MongoDB), browser extensions (Trust Wallet), open-source libraries (npm), or VPN services (Fortinet), attackers are increasingly finding ways to subvert technologies people depend on.

Old Vulnerabilities Can Come Back to Bite

The resurfacing of exploit activity around years-old Fortinet VPN issues shows that unpatched or misconfigured technology continues to be a persistent threat vector.

Recommendations for Organizations and Users

To mitigate risks emerging from this wave of threats, experts recommend:

✔ Prioritize Patch Management

Ensure that systems like MongoDB, VPN appliances, and all connected services are updated promptly to close exploitable holes.

✔ Treat Extensions and Dependencies with Caution

Review third-party browser extensions and software libraries carefully, and consider implementing code-signing and monitoring policies.

✔ Strengthen Authentication

Enable multi-factor authentication (MFA) everywhere possible to reduce the risk posed by credential theft or VPN bypasses.

✔ Audit Cryptographic Practices

For applications holding sensitive data, enforce strong master passwords, secure key management, and encryption to reduce the impact of stolen vaults or backup data.

✔ Define Incident Response Plans

Organizations should refine response procedures not only for big breaches, but also for simultaneous, smaller incidents that, taken together, can cause major operational impacts.

Final Thoughts

The end of 2025 demonstrated that cyberattacks are not slowing down even as defenders and vendors scramble to fix flaws and patch software. Instead of one big breach dominating headlines, this week’s roundup highlights many smaller but meaningful cracks appearing across technology stacks and services — each representing an opportunity for attackers to infiltrate, exfiltrate data, or disrupt operations.

Staying ahead in cybersecurity increasingly means adopting proactive defenses — patching early, enforcing strict authentication, auditing third-party dependencies, and maintaining visibility across systems to stop attackers before they escalate. As we enter 2026, this multi-faceted threat environment will require resilience, vigilance, and speed to deal with both new vulnerabilities and the risks resurrected from the past.