⏱️ Read Time: 7 minutes
Editor’s Note: This week is a nice sampler platter of “the internet is held together with duct tape”: CVSS 10.0 bugs in core web stacks, universities popping like Oracle-flavored popcorn, and AI pretending your mom’s been kidnapped. Patch fast, verify everything, trust nothing. Happy Friday.
📜 Table of Contents
🔥 Major Breaches & Incidents – Oracle higher-ed campaign, Cerner’s slow-mo health breach
🚨 Emerging Threats & Vulnerabilities – React2Shell mega-vuln, Android banking malware, “system alert” phishing
👁️ Privacy Watch – MFA bypass via Evilginx, fake copyright/X scams
🕵️‍♂️ APTs & State Sponsored Attacks – DPRK’s npm games, PRC’s BRICKSTORM backdoor
🤖 AI in Cyber – Malicious LLMs for wannabe hackers, AI “kidnapping” scam
📊 Story Follow-Ups / Threat Intel – Ransomware’s monster month
🔥 Major Breaches & Incidents
🧑‍🎓🍽️ Oracle Zero-Day Campaign Snags University of Phoenix and UPenn
A broader exploitation campaign against Oracle E-Business Suite zero-day CVE-2025-61882 led to data theft at both the University of Phoenix and the University of Pennsylvania. Attackers accessed documents containing personal and institutional data, as part of a Clop-linked spree hitting Oracle EBS customers. The story here isn’t just “two schools got popped” — it’s that a shared ERP platform quietly turned into a common blast radius.
👉️ If your ERP is old, complex, and “too critical to touch,” it’s also probably your biggest liability.

🏥💾 Patients Are Only Now Hearing About a January Cerner/Oracle Health Breach
A legacy Cerner (Oracle Health) system was breached back in January, but some patients in Missouri are just receiving notification letters now. Lawyers say it may be one of the biggest U.S. healthcare breaches this year, involving sensitive health and personal data. The delay highlights how slow some providers are to coordinate breach investigations, vendor communications, and patient notifications.
👉️ The incident response might be “contained,” but reputational damage is still very much in progress.
🚨 Emerging Threats & Vulnerabilities
🔥🧩 Critical React2Shell RCE in React/Next.js Is Being Actively Exploited
A CVSS 10.0 bug (CVE-2025-55182, nicknamed “React2Shell”) in React Server Components and Next.js lets unauthenticated attackers execute arbitrary JavaScript on backend servers via crafted RSC payloads. The React team has confirmed the issue and shipped patches, while ecosystem coverage shows that common frameworks (Next.js, Expo, various Node stacks) are widely exposed if not updated. AWS reports that China-nexus threat groups began targeting unpatched workloads within hours of disclosure, and Help Net Security warns exploitation attempts are ramping up across internet-facing apps. Default configurations are impacted, so this isn’t a “weird edge case” — it’s a platform-level fire drill.
👉️ If your app says “React” and “server” anywhere in the same sentence, someone should already be patching.

📱💸 New Android Malware Lets Criminals Drain Your Bank Account
Researchers found a new Android banking trojan that targets hundreds of financial apps and gives attackers full remote control over infected devices. Once on the phone, criminals can view screens, capture credentials, and execute banking transactions as if they were the legitimate user. Combined with weak mobile hygiene and side-loading, the barrier to large-scale fraud is getting lower.
👉️ If your mobile fleet policy is “just don’t install weird stuff,” you don’t have a policy.

📨🛑 Phishing Emails Masquerading as “Spam Filter Alerts” Are Stealing Logins
A phishing campaign is impersonating automated spam-filter or quota notifications, warning users about “held” or “blocked” messages. Victims who click through are taken to fake login pages where credentials and MFA codes are captured in real time. Because the emails mimic internal IT tooling and look routine, they’re slipping past people who’d normally ignore obvious phishing.
👉️ User training that only focuses on “unexpected” emails misses the fact that attackers now copy the boring ones.
In 2017, hackers stole an entire casino’s high-roller database through… an Internet-connected fish tank. (Darktrace)

👁️ Privacy Watch
🔐🎭 Attackers Have a New Way to Slip Past Your MFA
Using Evilginx phishing proxies, attackers intercept credentials and session cookies from users at educational institutions, allowing them to hijack authenticated sessions without ever touching the MFA step again. Even “strong” MFA doesn’t help once the attacker has your valid session token in hand. It’s another proof point that phishing-resistant mechanisms and hardened login flows matter more than checkbox “we have MFA” security.
👉️ MFA is the floor, not the ceiling — especially when your users will happily log into a fake SSO page.

⚖️📨 Bogus Copyright Warnings Are Stealing X (Twitter) Accounts
Scammers are sending fake copyright or DMCA-style notices claiming your X account violated content rules, complete with urgent language and takedown threats. The links lead to phishing pages that snag X usernames, passwords, and sometimes additional personal information. It’s a clever abuse of creator-platform anxiety, targeting people who fear losing reach or monetization.
👉️ “Yes, legal is mad at you” is a very effective phish subject line.
🕵️‍♂️ APTs & State Sponsored Attacks
🇰🇵📦 North Korean Hackers Deploy 197 Malicious npm Packages at Web3 Devs
DPRK-linked operators pushed nearly 200 malicious npm packages as part of the “Contagious Interview” campaign, targeting blockchain and Web3 developers. The packages are seeded through fake coding tests and typosquats, aiming to steal crypto assets, keys, and developer credentials from compromised environments. Software supply chains remain one of North Korea’s favorite indirect revenue streams.
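As an added, defender-side example that is not from the newsletter or from any project it names: a small Python audit of a package-lock.json that flags dependency names sitting within a short edit distance of an approved allowlist (the typosquat pattern described above) and any package that carries an install-time script, which is where a seeded package would typically run code. The allowlist, the project name and the lockfile fragment are constructed for the example; the hasInstallScript field is the real lockfileVersion 2/3 marker npm writes for packages with preinstall/install/postinstall hooks.

```python
"""Audit an npm package-lock.json for typosquat-looking names and install hooks.

Added example, not code from the newsletter or any project it mentions.
Assumes a lockfileVersion 2/3 lockfile whose "packages" entries carry npm's
"hasInstallScript" flag; the allowlist and lockfile below are constructed.
"""
import json

# Constructed allowlist: names the hypothetical project is expected to pull in.
ALLOWED = {"react", "react-dom", "next", "ethers", "web3", "lodash", "axios"}

# Constructed lockfile fragment in lockfileVersion 3 layout.
SAMPLE_LOCK = json.dumps({
    "name": "demo-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-dapp", "dependencies": {"react": "^18.0.0"}},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/ethers": {"version": "6.13.0"},
        "node_modules/etherss": {"version": "1.0.2", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/loadsh": {"version": "0.0.4"},
        "node_modules/@scope/axios-helper": {"version": "1.0.0",
                                             "hasInstallScript": True},
    },
})


def package_name(path):
    """Map a lockfile path such as 'node_modules/@scope/pkg' to '@scope/pkg'.

    Nested installs ('node_modules/a/node_modules/b') resolve to the innermost
    package, which is the one actually being installed at that path.
    """
    return path.rsplit("node_modules/", 1)[-1]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def looks_like_typosquat(name, allowed, max_distance=2):
    """Return the allowed name this one closely resembles, or None.

    Exact allowlist members are never flagged; a name that is only a couple of
    edits away from one is the classic squatting shape (etherss, loadsh).
    """
    if name in allowed:
        return None
    for good in sorted(allowed):
        if levenshtein(name, good) <= max_distance:
            return good
    return None


def audit_lockfile(lock_json, allowed):
    """Return sorted (package, reason) findings for a lockfile JSON string."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project entry, not a dependency
            continue
        name = package_name(path)
        if meta.get("hasInstallScript"):
            findings.append((name, "install-script"))
        near = looks_like_typosquat(name, allowed)
        if near is not None:
            findings.append((name, "typosquat-of:" + near))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK, ALLOWED):
        print(f"{reason:24} {pkg}")
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file contents; the distance threshold is a heuristic and should be tuned per allowlist, since very short approved names will produce more near-misses. Pairing this with npm's ignore-scripts setting in CI keeps install hooks from executing before the findings are reviewed.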
👉️ If you’re building Web3 apps and “npm install” is your only security gate, you’re basically speed-running compromise.

🇨🇳🧱 PRC Hackers Using BRICKSTORM Backdoor Against VMware/Windows Environments
CISA says Chinese state actors are deploying a Golang-based backdoor dubbed BRICKSTORM to compromise VMware vSphere and Windows systems. The malware provides shell access, file operations, and credential theft, enabling long-term persistence deep in virtual infrastructure. It’s the kind of access that lends itself to both espionage and potential sabotage.
👉️ Your hypervisor is now officially part of your threat surface — not just “boring plumbing” for the SOC to ignore.
🤖 AI in Cyber
🤖🧨 Malicious LLMs Are Power-Ups for Low-Skill Attackers
Underground LLMs like WormGPT 4 and KawaiiGPT are churning out working ransomware lockers, phishing kits, and lateral movement scripts for attackers with minimal technical ability. These tools remove much of the trial-and-error barrier that used to slow down would-be cybercriminals, letting them iterate quickly on working payloads and infrastructure. Instead of copy-pasting shell scripts from random forums, they’re now asking a model to generate tailored tools for their target environment.
👉️ Assume “script kiddie” now comes with an AI co-pilot — and adjust your threat models accordingly.

📞🧬 AI-Generated Voice “Kidnapping” Scam Triggers Real Police Response
Scammers used AI-cloned voice audio to impersonate a woman’s mother, claiming she’d been kidnapped and demanding money — realistic enough to trigger a full police response before anyone realized it was fake. The incident shows how synthesized voices can shortcut normal skepticism and overwhelm both victims and first responders. It also hints at a future where emergency calls, extortion attempts, and even internal “CEO” instructions may all be generated on demand.
👉️ If you’re relying on “I recognized their voice” as an auth factor, you’re already behind.
📊 Story Follow-Ups / Threat Intel
💰🦠 Ransomware Attacks Hit 640 Organizations in November — Second-Highest Month of 2025
Cyble tracked 640 ransomware incidents in November, making it the second-busiest month of 2025 after February. IT services, manufacturing, healthcare, and professional services topped the victim list, showing how broadly opportunistic most crews have become. The report underscores that while we’re all obsessing over AI and supply chains, “classic” ransomware remains the default monetization path for many threat groups.
👉️ Ransomware is not last year’s problem — it’s still the baseline failure mode for weak controls.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!