⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More
Monday, December 29, 2025
What
The end of 2025 was marked by a series of simultaneous cyber incidents rather than a single major event. A critical new MongoDB vulnerability (CVE-2025-14847, MongoBleed) allowing unauthenticated data leakage came under active exploitation, affecting over 87,000 instances globally. Concurrently, a "security incident" involving a malicious Trust Wallet Chrome extension (version 2.68) led to approximately $7 million in user losses, likely due to a leaked Chrome Web Store API key. Furthermore, the China-linked APT group Evasive Panda conducted highly targeted cyber espionage using DNS poisoning to distribute its MgBot backdoor, while the 2022 LastPass data breach continued to facilitate cryptocurrency theft, totaling at least $35 million by September 2025, by cracking weak master passwords. Fortinet also warned of renewed exploitation of a five-year-old FortiOS SSL VPN flaw (CVE-2020-12812), and a malicious npm package named `lotusbail` was found to act as a functional WhatsApp API while intercepting messages and linking attacker devices.
Where
Affected entities include MongoDB servers globally (U.S., China, Germany, India, France), Trust Wallet Chrome extension users, victims in Türkiye, China, and India targeted by Evasive Panda, individuals impacted by the 2022 LastPass data breach, Fortinet FortiOS SSL VPN users, and developers who downloaded the malicious `lotusbail` npm package.
When
The MongoDB vulnerability was newly disclosed and under active exploitation in late 2025. The Trust Wallet incident occurred recently, with the malicious extension uploaded in May 2025. Evasive Panda's activity spanned from November 2022 to November 2024. Crypto theft from the 2022 LastPass breach continued as recently as late 2025, with $35 million stolen by September 2025. Fortinet observed renewed abuse of a five-year-old flaw in late 2025, and the malicious npm package was uploaded in May 2025 and recently removed.
Key Factors
- The MongoBleed vulnerability (CVE-2025-14847), with a CVSS score of 8.7, allows an unauthenticated attacker to remotely leak sensitive data from MongoDB server memory, impacting versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
- The Trust Wallet Chrome extension hack, which resulted in a $7 million loss, was likely facilitated by an attacker publishing a malicious version (2.68) using a leaked Chrome Web Store API key; it specifically affected Chrome extension users, not mobile or other browser versions.
- Evasive Panda's highly targeted cyber espionage campaign used adversary-in-the-middle (AitM) attacks via DNS poisoning to deliver trojanized updates for popular tools such as SohuVA and Tencent QQ, ultimately deploying the modular MgBot backdoor; compromise of ISPs or victim network devices is suspected.
- The 2022 LastPass data breach continued to be exploited as recently as late 2025, with threat actors, potentially linked to the Russian cybercriminal ecosystem, leveraging stolen encrypted vault backups to crack weak master passwords and drain over $35 million in cryptocurrency assets.
Takeaways
- Organizations and users must prioritize immediate patching and updates for critical software, including MongoDB to the specified versions and the Trust Wallet Chrome extension to version 2.69, to mitigate actively exploited and newly disclosed vulnerabilities.
- The persistence of threats from old breaches and resurfacing vulnerabilities underscores the need for robust security hygiene, including strong, unique passwords, multi-factor authentication (MFA), and regular credential resets, especially for administrative and VPN accounts.
- Supply chain security is paramount; organizations must implement stringent vetting processes for third-party software components (e.g., npm packages) and secure API keys to prevent malicious code injection and compromise of trusted distribution channels.
- Proactive threat intelligence and attack surface management are crucial for identifying and addressing potentially vulnerable instances, both internet-exposed and internal, to stay ahead of rapidly evolving attack methodologies and APT group activities.