Weekly Cybersecurity Roundup: Botnets, Browser Attacks, and Data Breaches

By Ṣọ Email Security

A roundup of the most significant cybersecurity incidents from this week, including massive botnets, browser extension compromises, critical vulnerabilities, and data breaches affecting millions.


The first week of 2026 brought no shortage of cybersecurity incidents. From massive botnets infecting millions of devices to browser extensions stealing credentials, this week's headlines reinforce a consistent theme: attackers continue exploiting trust in everyday tools.

Here's what you need to know.

Massive botnets make headlines

Kimwolf botnet infects over 2 million Android devices

The Kimwolf botnet has compromised more than 2 million Android devices by exploiting exposed Android Debug Bridge (ADB) services and tunneling through residential proxy networks. According to research from Synthient, the botnet monetizes infections through app installs, selling residential proxy bandwidth, and DDoS capabilities.

The majority of infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia. Perhaps most concerning: 67% of compromised devices had ADB enabled by default, with many being unofficial Android smart TVs and set-top boxes that may have come pre-infected with proxy provider SDKs.

Security teams should lock down any devices running unauthenticated ADB shells and audit IoT devices on their networks.
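As an added example (not code from Synthient or any of the cited reports), the audit below speaks the first step of the ADB-over-TCP protocol to a device on your own network and reports whether adbd demands RSA key authentication or hands over its device banner immediately, which is the "unauthenticated ADB shell" condition the paragraph warns about. The port 5555 default, the `host::audit` identity string and the `audit_host` helper name are my assumptions.

```python
import socket
import struct

# ADB wire-protocol constants (AOSP adb docs); commands are ASCII tags as LE uint32.
A_CNXN, A_AUTH = 0x4E584E43, 0x48545541
A_VERSION, MAX_PAYLOAD = 0x01000000, 256 * 1024
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic

def build_message(command, arg0, arg1, payload):
    """Encode one ADB frame: 24-byte little-endian header followed by the payload."""
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + payload

def build_cnxn_probe():
    # Same opening message the official adb client sends; the reply shows
    # whether adbd will open a session without a paired RSA key.
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::audit\x00")

def parse_message(raw):
    """Return (command, arg0, arg1, payload), or None if raw is not a valid ADB frame."""
    if len(raw) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if magic != command ^ 0xFFFFFFFF or len(payload) != length:
        return None
    if check and check != sum(payload) & 0xFFFFFFFF:  # newer adbd sends check=0
        return None
    return command, arg0, arg1, payload

def classify_reply(raw):
    """Map the device's first reply to an audit finding."""
    msg = parse_message(raw)
    if msg is None:
        return "not-adb"
    command, _, _, payload = msg
    if command == A_AUTH:
        return "auth-required"  # adbd insists on a trusted key: acceptable
    if command == A_CNXN:  # banner returned straight away: the shell is wide open
        banner = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
        return "unauthenticated:" + banner
    return "unexpected"

def audit_host(host, port=5555, timeout=3.0):
    """Probe one device on your own network and report the state of its ADB port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn_probe())
        reply = sock.recv(HEADER.size + MAX_PAYLOAD)  # one read suffices for a short banner
    return classify_reply(reply)
```

Any device that returns an `unauthenticated:` finding should have ADB over TCP disabled (or `ro.adb.secure` enforced) and be removed from the network until that is done.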

Source: The Hacker News, Hackread

RondoDox botnet exploits critical React2Shell vulnerability

A nine-month campaign has been enrolling IoT devices and web applications into the RondoDox botnet by exploiting React2Shell (CVE-2025-55182), a critical vulnerability with a perfect CVSS score of 10.0 affecting React Server Components and Next.js.

As of early January, approximately 84,916 instances remain vulnerable, with 66,200 of those located in the United States alone.

Source: The Hacker News

Browser extension attacks continue

DarkSpectre campaign impacts 8.8 million users

A Chinese threat group dubbed DarkSpectre has been linked to one of the most widespread browser extension malware operations ever discovered. The campaign compromised over 8.8 million users across Chrome, Edge, Firefox, and Opera over seven years through multiple interconnected malware clusters.

The operation includes:

  • ShadyPanda: 5.6 million infections focused on surveillance and e-commerce affiliate fraud
  • GhostPoster: Over 1 million users affected via Firefox and Opera extensions that hide payloads in PNG images using steganography
  • Zoom Stealer: 2.2 million users exposed to corporate espionage

Source: The Hacker News

Chrome extensions caught stealing credentials

Two Chrome extensions were discovered secretly stealing credentials from over 170 websites. These attacks highlight the ongoing risk of malicious browser extensions that appear legitimate but harvest sensitive data in the background.

Source: The Hacker News

VS Code forks expose users to extension attacks

Security researchers found that VS Code IDE forks expose users to recommended extension attacks, creating potential supply chain vulnerabilities for developers who rely on these popular code editors.

Source: BleepingComputer, The Hacker News

Supply chain and wallet breaches

Trust Wallet Chrome extension compromised

Trust Wallet confirmed that the Shai-Hulud supply chain attack was responsible for compromising its Chrome extension, resulting in approximately $8.5 million in stolen crypto assets.

The attackers gained access to developer GitHub secrets, which provided full Chrome Web Store API access. This allowed them to upload malicious builds directly, bypassing Trust Wallet's standard release process.

The attackers registered a domain to exfiltrate wallet mnemonic phrases. When queried, the server returned "He who controls the spice controls the universe," a Dune reference consistent with the Shai-Hulud npm incident branding.

Source: The Hacker News, Hackread

Ledger confirms Global-e partner breach

Hardware wallet maker Ledger confirmed a data breach through its e-commerce partner Global-e. While no passwords, payment details, or crypto recovery phrases were leaked, exposed records included names, contact information, and order histories.

Cybercriminals wasted no time launching phishing attacks impersonating both companies, using fake security alerts, malicious QR codes, and offers of replacement devices as bait.

Ledger has warned users that it will never ask for recovery phrases, request users to scan codes, or send unsolicited hardware.

Source: Hackread, BleepingComputer

Critical vulnerabilities

n8n vulnerability scores 9.9 CVSS

A critical vulnerability in n8n, the popular workflow automation platform, received a CVSS score of 9.9. The flaw enables arbitrary code execution across thousands of instances, making immediate patching essential for organizations using this tool.

Source: The Hacker News, Hackread

Legacy D-Link routers under active attack

A new vulnerability in legacy D-Link DSL routers is being actively exploited in attacks. Organizations still running these devices should consider immediate replacement, as legacy hardware often lacks vendor support for security patches.

Source: The Hacker News, BleepingComputer

MongoDB under active exploitation

The MongoBleed vulnerability is being actively exploited worldwide, prompting urgent calls to patch affected MongoDB instances.

Source: Dark Reading

Phishing and social engineering

Fake booking emails target hotels

A phishing campaign is redirecting hotel staff through fake booking confirmation emails. These attacks exploit the high volume of legitimate booking communications hotels receive, making malicious messages harder to identify.

Source: The Hacker News

ClickFix attack uses fake BSOD screens

A new attack variant called ClickFix uses fake Windows Blue Screen of Death (BSOD) screens to push malware. Users encountering unexpected system errors should be cautious about following any on-screen instructions.

Source: BleepingComputer

Cloud file sharing sites targeted for data theft

Corporate data theft attacks are increasingly targeting cloud file sharing sites, exploiting the trust organizations place in these platforms.

Source: BleepingComputer

Other notable incidents

Jaguar Land Rover reports 43% volume drop after cyberattack

The ongoing impact of cyberattacks on business operations was highlighted by Jaguar Land Rover reporting a 43% drop in wholesale volumes following a security incident.

Source: BleepingComputer

NordVPN denies breach claims

NordVPN denied breach claims, stating that attackers only obtained dummy data. Organizations should monitor for any credential exposure regardless of vendor statements.

Source: BleepingComputer, Hackread

Russia-aligned hackers abuse Viber

Threat actors aligned with Russia have been observed abusing the Viber messaging platform as part of their operations.

Source: The Hacker News

US cyber professionals plead guilty to ransomware activity

In a reminder that insider threats remain a concern, US cyber professionals pleaded guilty to involvement in ransomware activity.

Source: Dark Reading

Key takeaways

This week reinforces several persistent themes in cybersecurity:

Trust continues to be the primary attack vector. Whether it's browser extensions, supply chain dependencies, or partner integrations, attackers are exploiting the trust we place in everyday tools.

IoT remains a massive attack surface. Millions of devices with default configurations or pre-installed questionable software create easy entry points for botnets.

Patch management is non-negotiable. Critical vulnerabilities like React2Shell and the n8n flaw require immediate attention. Legacy devices without vendor support should be replaced.

Phishing evolves but the defense stays the same. Verification through known channels stops most social engineering attacks. Never trust, always verify.

Stay vigilant, patch promptly, and verify everything.


This roundup was compiled from reports by The Hacker News, BleepingComputer, Dark Reading, and Hackread. Follow these sources for detailed coverage of each story.

Ṣọ Email Security helps freelancers, nonprofits, and small businesses detect email threats before they cause damage. Learn more about protecting your inbox.