Two Chrome extensions. 900,000 users. Every ChatGPT and DeepSeek conversation stolen. Sent to attacker servers every 30 minutes. Google gave one of them a Featured badge. The extensions are still live in the Chrome Web Store right now. 🤔

This is the third major case in three weeks. First the sleeper extensions that waited 7 years before activating. Then Urban VPN selling 8 million users’ AI chats to data brokers. Now this. Security researchers have a name for it: “Prompt Poaching.” And it’s becoming a gold rush.

$5 buys two months of complete access to someone’s computer. Keylogging, webcam, passwords, files. The malware is called DCRat. The delivery method: a fake Blue Screen of Death that tricks people into hacking themselves. 😱

ClickFix attacks surged 517% in six months. Now the second most common attack vector after phishing. 8% of all blocked attacks. The campaign is called PHALT#BLYX. Securonix published their analysis January 5, 2026.

An email arrives with subject “Reservation Cancellation.” Sender appears to be Booking.com. The message mentions a refund over €1,000 and urges the recipient to click and review. Booking.com has been a popular target before, with similar campaigns in 2023 and 2024.

€7.68 billion budget. 3,000 staff. A brand new Cyber Security Operations Centre opened. A hacker spent 7 days inside their systems downloading 200GB of data. Data for sale on FBI honeypot 😏 On December 18, a hacker using the alias “888” got into ESA servers. JIRA project management. Bitbucket code repositories. Internal documentation systems. For seven days, nobody noticed.

On December 26, screenshots appeared on BreachForums. On December 30, ESA finally confirmed the breach.

A botnet just fired 1.7 billion DDoS commands in 72 hours. Attack capacity: nearly 30 Terabits per second. 2 million Android TV boxes sitting in living rooms across 222 countries and regions. And now we know how the attackers built it so fast. 🧐

The attackers didn’t send phishing emails. They didn’t trick anyone into downloading malware. They just bought access to a proxy service and walked right into home networks.

A 16-year-old built an AI that mass-hunts memory bugs. It found 6 vulnerabilities in FFmpeg in December. One was a heap buffer overflow in the EXIF parser. The code that reads your photo metadata. 😎

FFmpeg processes media on billions of devices. VLC. Chrome. Firefox. YouTube. Blender. OBS Studio. Plex. Even NASA’s Perseverance rover uses FFmpeg.

The vulnerability: CVE is still pending.

Important nuance: this bug was in FFmpeg’s development branch, not in a public release. It existed for three days before it was caught. Three days. FFmpeg called the researcher “a model security researcher” for catching it before it shipped.

Your headphones just became a backdoor to your phone. No pairing. No popup. Just Bluetooth range. 70 million chips. Sony. Bose. Marshall. JBL. A debug protocol active on production devices. Attackers can dump your Bluetooth keys, impersonate your headphones, and hijack your phone. 🤔

Three CVEs. Zero authentication required. Full technical disclosure: December 27, 2025 at 39C3.

The vulnerabilities

→ CVE-2025-20700: No authentication on Bluetooth Low Energy → CVE-2025-20701: No authentication on Bluetooth Classic → CVE-2025-20702: Debug protocol exposed that should never be accessible

RondoDox added React2Shell to its arsenal. 90,000+ servers. 56 vulnerabilities. 30+ vendors. They call it the “exploit-shotgun” approach. Fire everything, see what hits. 😱

Once inside, RondoDox doesn’t just sit there. It launches DDoS attacks. Mines Monero. Turns infected devices into proxies to hide other attacks. And it breaks the tools needed to fight back.

The botnet has been running for 9 months. Three distinct phases. March to April 2025 was reconnaissance. April to June was daily probing of WordPress, Drupal, Struts2, and IoT devices. July onward became hourly automated attacks at scale.

The crypto library behind Discord, WordPress, and Zcash just got its first CVE. After 13 years. 😏 libsodium. You’ve probably never heard of it. But it’s everywhere.

libsodium is one of the most trusted cryptographic libraries in the world. Discord secures voice chat with it. WordPress validates updates with it. Zcash processes transactions with it. Stellar powers financial apps with it.

13,300+ GitHub stars. Bindings in every programming language you can think of. From PHP to Rust to Python to Go.

WIRED magazine got hacked. 2.3 million subscriber records leaked. And this is just the beginning. 😏 A hacker called “Lovely” dumped the database on Christmas Day. Called it a “Christmas Lump of Coal.”

The vulnerability? IDOR. Insecure Direct Object Reference. That’s OWASP Top 10. Basic web security. A flaw that’s been documented since 2007. Companies still get it wrong.

IDOR happens when a website uses a number to identify your data, but doesn’t check if you’re actually allowed to see it. Your profile lives at /api/user/12345. Change that to /api/user/12346? You see someone else’s profile. No password needed. The server just hands it over.

You log into your game. Suddenly, you got $13.3 million in your account. 🥳 You didn’t earn it. Neither did 30 million other players. December 27, 2025. Hackers broke into Rainbow Six Siege and gave every player 2 billion R6 Credits.

At Ubisoft’s prices, that’s $13.3 million per account. Total damage across the player base: $339 trillion in fake money.

But they didn’t stop there.

The attackers had full control of the game’s backend. They banned players at random, including high-profile streamers. Unbanned others. Unlocked every skin in the game, including the ultra-rare Glacier skins and stuff only developers should have. They even took over the ban ticker, a system Ubisoft says was already turned off in a previous update, and used it to mock the CEO.