All stories in this roundup are sourced from reporting by The Hacker News (thehackernews.com), one of the most widely followed cybersecurity news platforms. Full original articles are linked under each story. Ṣọ Email Security provides this summary as a weekly digest for our community.
What Happened in Cybersecurity This Week?
It was a dense week across the threat landscape. Chinese state-linked hackers exploited a perfect-score React vulnerability within hours of its disclosure, three new Android malware families surfaced targeting banking customers and crypto wallet holders, a critical WordPress plugin flaw triggered over 131,000 attack attempts, and a security researcher uncovered more than 30 vulnerabilities in the AI coding tools that millions of developers use every day. Here is what you need to know.
Chinese Hackers Exploited React2Shell Within Hours of Disclosure
The week's most urgent story was the near-instant exploitation of CVE-2025-55182, a critical remote code execution vulnerability in React Server Components carrying a perfect CVSS score of 10.0. Reported to Meta by researcher Lachlan Davidson on November 29 and publicly disclosed on December 3, the flaw — nicknamed React2Shell — was being actively exploited by Chinese state-linked threat actors within hours of the patch release.
Amazon Web Services reported that its threat intelligence teams observed exploitation attempts from infrastructure tied to two Chinese hacking groups: Earth Lamia and Jackpot Panda. The Shadowserver Foundation tracked nearly 78,000 vulnerable IP addresses on December 5, dropping to around 29,000 by December 7 as organizations patched. Cloud security firm Wiz estimated that 39% of cloud environments contained vulnerable React instances at the time of disclosure.
Fixes are available in React versions 19.0.1, 19.1.2, and 19.2.1. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog shortly after exploitation began.
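A quick inventory check, added here as an example and not code from the article or from React: it flags packages below the fixed releases the story lists. Which 19.x lines are affected and which package names to inspect (beyond "react" itself) are this example's assumptions.

```python
# Added example, not from the article: flag React packages below the fixed releases
# the story lists (19.0.1, 19.1.2, 19.2.1). Which release lines are affected and which
# package names to inspect are this example's assumptions, not claims from the page.
import json
from typing import Dict, List, Tuple

# First fixed release per 19.x line, as listed in the article.
FIXED_BY_LINE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}
# Assumed package names to inspect; the page only names React itself.
WATCHED_PACKAGES = {"react", "react-dom", "react-server-dom-webpack"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', dropping range prefixes and pre-release tags."""
    core = version.lstrip("^~=v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

def is_vulnerable(version: str) -> bool:
    """True when the version is on a covered 19.x line and below its fixed release."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_LINE.get((major, minor))
    if fixed is None:
        return False  # a line this example does not cover; check the advisory by hand
    return (major, minor, patch) < fixed

def scan_lockfile(lockfile_text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs from a package-lock v2/v3 'packages' map that need patching."""
    data = json.loads(lockfile_text)
    findings = []
    for path, meta in data.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # "" is the root project entry
        version = meta.get("version", "")
        if name in WATCHED_PACKAGES and version and is_vulnerable(version):
            findings.append((name, version))
    return findings

# Constructed sample lockfile fragment for the demonstration.
SAMPLE_LOCK = json.dumps({"name": "shop-frontend", "lockfileVersion": 3, "packages": {
    "": {"name": "shop-frontend", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-dom": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
}})
```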
Read the full story: The Hacker News — Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability
Three New Android Malware Families Are Targeting Banking and Crypto Users
Cybersecurity researchers from Intel 471, CYFIRMA, and Zimperium disclosed details of three Android malware families: FvncBot, SeedSnatcher, and an upgraded variant of ClayRat. All three are actively gaining stronger data theft capabilities.
FvncBot is a completely custom-built banking trojan, not derived from any previously leaked code. It disguises itself as a security app from the Polish bank mBank and abuses Android's Accessibility Services to perform keylogging, screen streaming, web-inject attacks, and hidden remote device control.
SeedSnatcher, distributed through Telegram under the name "Coin," is designed specifically to steal cryptocurrency wallet seed phrases and intercept SMS-based two-factor authentication codes. Researchers at CYFIRMA assess the operators are likely Chinese-speaking, based on Telegram channel content and the malware's control panel language.
The upgraded ClayRat now leverages Accessibility Services to achieve full device control, including screen recording, keystroke capture, and persistent overlay attacks that prevent the user from detecting or removing the infection.
Read the full story: The Hacker News — Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features
A Critical WordPress Plugin RCE Is Being Exploited at Scale
A critical remote code execution vulnerability in the Sneeit Framework plugin for WordPress — tracked as CVE-2025-6389 with a CVSS score of 9.8 — is being actively exploited in the wild, according to Wordfence. The plugin has over 1,700 active installations.
The flaw exists in the sneeit_articles_pagination_callback() function, which accepts user input and passes it directly to call_user_func(), allowing unauthenticated attackers to execute arbitrary PHP code on affected servers. Active exploitation began on November 24, 2025, the same day the vulnerability was publicly disclosed. Wordfence blocked over 131,000 attack attempts, with more than 15,000 recorded in a single 24-hour window.
Attack chains observed in the wild include the creation of unauthorized admin accounts, the upload of malicious PHP backdoor files, and directory scanning tools being planted on compromised servers. The patch is available in version 8.4 of the plugin, released August 5, 2025. If your site uses Sneeit Framework version 8.3 or earlier, update immediately.
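The bug class behind the Sneeit flaw, shown in Python as an added example (this is not the plugin's code): a request parameter names the callback, the handler resolves it dynamically, and the hardened form maps a closed set of tokens to fixed functions. The handler names and request shape are assumptions.

```python
# Added example, not the Sneeit plugin's code: the bug class behind the
# call_user_func() flaw, shown in Python. A request parameter names the callback and
# the handler resolves it dynamically; the hardened form maps a fixed token to a fixed
# function. Handler names and the request shape are this example's own assumptions.
import builtins
from typing import Any, Callable, Dict, Tuple


def render_pagination(page: int) -> str:
    """Hypothetical legitimate callback: builds a pagination fragment."""
    return f"<nav>page {page}</nav>"

def render_excerpt(post_id: int) -> str:
    """Another hypothetical legitimate callback."""
    return f"<p>excerpt of post {post_id}</p>"

def unsafe_dispatch(request: Dict[str, Any]) -> Any:
    """Vulnerable pattern: the caller picks the function by name.

    Looking the name up in a global namespace (builtins here stand in for PHP's
    global function table reached through call_user_func) means any reachable
    function runs with attacker-chosen arguments, not just the two intended ones.
    """
    name = request["callback"]
    target = globals().get(name) or getattr(builtins, name)
    return target(request["arg"])

# Hardened pattern: a closed map from short tokens to the only callables allowed.
CALLBACKS: Dict[str, Callable[[int], str]] = {
    "pagination": render_pagination,
    "excerpt": render_excerpt,
}

def safe_dispatch(request: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (ok, body). Unknown tokens and malformed arguments are rejected."""
    handler = CALLBACKS.get(str(request.get("callback", "")))
    if handler is None:
        return False, "unknown callback"
    try:
        arg = int(request.get("arg", ""))
    except (TypeError, ValueError):
        return False, "argument must be an integer"
    if arg < 0:
        return False, "argument must be non-negative"
    return True, handler(arg)
```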
A separate but related story: a critical vulnerability in ICTBroadcast (CVE-2025-2611, CVSS 9.3) is being exploited to distribute a DDoS botnet binary called Frost, which bundles 14 exploits across 15 CVEs.
Read the full story: The Hacker News — Sneeit WordPress RCE Exploited in Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
Over 30 Flaws Found in AI Coding Tools Used by Millions of Developers
Security researcher Ari Marzouk published findings on a vulnerability class called IDEsaster — a set of more than 30 security flaws spanning popular AI-powered coding environments including Cursor, Windsurf, GitHub Copilot, Kiro.dev, Zed.dev, Roo Code, JetBrains Junie, and Cline. Of the 30-plus vulnerabilities identified, 24 were assigned CVE identifiers.
The attack chains combine prompt injection with an AI agent's legitimate tool access, enabling attackers to exfiltrate sensitive files or execute arbitrary code without any user interaction in agent mode. What makes IDEsaster significant is that the attacks exploit the IDE's own trusted features — read and write tools, project search, file access — rather than requiring a separate vulnerability in the AI model itself.
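One mitigation for the tool-access half of these chains, added here as an example and not code from the IDEsaster research or any product named above: a containment check an agent host can run before honouring a file tool call, resolving symlinks so an injected path cannot escape the open project. The workspace layout and denylist are constructed.

```python
# Added example, not from the IDEsaster research or any product named above: a
# containment check an agent host can apply before honouring a file-read or
# file-write tool call, so injected instructions cannot steer the tool at paths
# outside the open project. The workspace layout and denylist are constructed.
import os
import tempfile
from typing import Dict, Tuple

# Path components a project-scoped tool should never touch even inside the workspace
# (assumed list; extend it with whatever secrets your environment keeps).
DENIED_COMPONENTS = {".env", ".git", ".ssh", ".aws", ".npmrc"}


def check_tool_path(workspace: str, requested: str) -> Tuple[bool, str]:
    """Return (allowed, detail). Symlinks are resolved first, so a link inside the
    workspace that points elsewhere is treated as the path it resolves to."""
    root = os.path.realpath(workspace)
    # Relative paths resolve against the workspace, never the process CWD.
    candidate = requested if os.path.isabs(requested) else os.path.join(root, requested)
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root, resolved]) != root:
        return False, f"outside workspace: {resolved}"
    hit = DENIED_COMPONENTS.intersection(os.path.relpath(resolved, root).split(os.sep))
    if hit:
        return False, f"denied component: {sorted(hit)[0]}"
    return True, resolved

def demo() -> Dict[str, bool]:
    """Build a throwaway workspace containing a symlink that escapes it, then run
    the check against four tool requests."""
    base = tempfile.mkdtemp()
    ws = os.path.join(base, "project")
    outside = os.path.join(base, "secrets")
    os.makedirs(os.path.join(ws, "src"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(ws, "vendor"))  # looks local, resolves elsewhere
    requests = ["src/app.py", "../secrets/key", "vendor/key", ".env"]
    return {r: check_tool_path(ws, r)[0] for r in requests}
```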
Additional disclosures this week included a command injection flaw in OpenAI Codex CLI (CVE-2025-61260) and multiple indirect prompt injection vulnerabilities in Google Antigravity that could allow credential harvesting and remote code execution via poisoned web content.
"All AI IDEs effectively ignore the base software in their threat model," Marzouk told The Hacker News.
Read the full story: The Hacker News — Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks
Retailers Face Elevated Cyber Risk During Peak Shopping Seasons
A timely analysis from The Hacker News examined how the holiday shopping window concentrates cyber risk into a compressed, high-stakes period for retailers. Bot-driven fraud, credential stuffing, and account takeover attempts intensify sharply around Black Friday and Christmas, when systems are running at peak load and security teams are stretched thin.
The report highlights that attackers pre-stage automated attack scripts before major sale events to ensure maximum access during peak traffic. Credential stuffing is particularly damaging because it scales easily: leaked username and password combinations are tested automatically across retail login portals, with successful logins unlocking stored payment tokens, loyalty balances, and shipping addresses for immediate monetization.
Recommended controls include blocking compromised and common passwords, enforcing multi-factor authentication with documented failover procedures, and load-testing authentication infrastructure before peak periods.
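A minimal detector for the credential stuffing pattern described above, added as an example that is not from the article: it slides a window over each source address and flags bursts that hit many distinct accounts with mostly failures, also surfacing the accounts a burst did log into. The log format, window and thresholds are assumptions.

```python
# Added example, not from the article: a minimal credential-stuffing detector run over
# constructed login log lines. The log format, window and thresholds are assumptions
# for the demonstration; a real portal needs tuning against its own traffic.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample, one "timestamp ip username outcome" record per line.
SAMPLE_LOG = """\
2025-11-28T08:00:01Z 203.0.113.9 alice.m FAIL
2025-11-28T08:00:02Z 203.0.113.9 bob.k FAIL
2025-11-28T08:00:02Z 203.0.113.9 carol.j FAIL
2025-11-28T08:00:03Z 203.0.113.9 dan.r FAIL
2025-11-28T08:00:03Z 203.0.113.9 erin.t SUCCESS
2025-11-28T08:00:10Z 198.51.100.4 alice.m FAIL
2025-11-28T08:00:20Z 198.51.100.4 alice.m SUCCESS
2025-11-28T08:30:00Z 192.0.2.77 gina.p SUCCESS
"""

WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 5         # attempts from one source inside the window
MIN_DISTINCT_USERS = 4   # many different accounts is the stuffing signature
MIN_FAIL_RATIO = 0.6     # mostly failures, unlike one user retyping a password


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"

def detect_stuffing(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return flagged source IPs with the evidence behind each flag, including
    accounts whose password was confirmed (a SUCCESS inside a flagged burst)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged: Dict[str, Dict[str, object]] = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):  # slide a window over each burst
            window = [a for a in attempts[i:] if a[0] - start <= WINDOW]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if (len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and fails / len(window) >= MIN_FAIL_RATIO):
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "confirmed_accounts": sorted(u for _, u, ok in window if ok)}
                break
    return flagged
```

The confirmed_accounts list is the triage priority: those are the logins to force a password reset and payment-token review on first.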
Read the full story: The Hacker News — How Can Retailers Cyber-Prepare for the Most Vulnerable Time of the Year?
Weekly Threat Recap: USB Malware, WhatsApp Worms, and More
The Hacker News weekly recap for the first week of December also covered a broad sweep of additional threats worth noting.
Brazilian users were targeted by campaigns using WhatsApp Web as a malware distribution vector, deploying the Casbaneiro and Astaroth banking trojans via malicious ZIP archives delivered through WhatsApp chat links. Sophos tracked one cluster under the name STAC3150 and identified PowerShell-based second-stage payloads targeting WhatsApp user data.
The week's notable CVE list included flaws in Apache Tika (CVE-2025-66516, CVSS 10.0), Microsoft Windows (CVE-2025-9491), OpenVPN, Apache Struts, Google Android, Angular, Django, Dell ControlVault, and NVIDIA Triton, among many others.
Read the full recap: The Hacker News — Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More
What Does This Mean for Your Inbox and Your Business?
Three of this week's six stories share a common thread: attackers exploited trust. Organizations trusted React's server-side rendering. Users trusted Android's Accessibility Services. Developers trusted an AI coding tool's legitimate file read access. The attack surface is expanding rapidly, and it is no longer limited to obvious entry points like phishing links.
Email remains the most reliable delivery mechanism for the initial compromise in most of these attack chains, whether the payload is a malicious APK, a WhatsApp lure, or a credential stuffing campaign targeting your retail login portal.
Trust Aside: Ṣọ Email Security processes every threat signal (URLs, attachments, sender authentication) locally on your device. Your emails never leave your machine to be analyzed by external servers. No servers. No storage. No humans reading your mail. Just protection.
Sources: All original reporting by The Hacker News (thehackernews.com). Additional context from SecurityWeek, The Record by Recorded Future, Wordfence, and AWS threat intelligence disclosures.