Top 5 Cybersecurity News Stories December 05, 2025

Cybersecurity threats are constantly evolving as threat actors seek access to your data and money. To help you stay secure, we have searched the internet for the top five cybersecurity news stories of the week that we think you should be aware of.  No story is too big or small as we look at threats from espionage to security flaws in everyday devices:

1. Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

Researchers have disclosed severe vulnerabilities in React Server Components (RSC) and Next.js that could allow unauthenticated remote code execution. Rated CVSS 10.0, these flaws stem from improper input validation and insecure component rendering, enabling attackers to inject malicious code into applications.

 

Exploitation could compromise sensitive data and escalate privileges across environments. Developers are urged to apply the latest patches and review security configurations immediately. The incident underscores the growing risks in modern web frameworks and the need for rigorous dependency management.
Read more on The Hacker News

2. Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

Microsoft has quietly addressed a critical Windows shortcut (LNK) vulnerability exploited in targeted attacks. The flaw allowed malicious actors to craft weaponized shortcut files that execute arbitrary code when viewed in Explorer, bypassing security controls. Attackers leveraged this technique for stealthy malware delivery, particularly in spear-phishing campaigns.

While Microsoft issued a fix without public disclosure, experts recommend applying December updates promptly and monitoring for suspicious shortcut files. This case highlights the importance of timely patching and vigilance against file-based exploits that often evade detection.
Read more on The Hacker News

3. Glassworm malware returns in third wave of malicious VS Code packages

The Glassworm malware campaign has resurfaced, targeting developers through malicious Visual Studio Code extensions. This third wave introduces trojanized packages that exfiltrate credentials, inject backdoors, and compromise development environments. Attackers exploit trust in popular extensions, spreading through official marketplaces and GitHub repositories.

Security researchers advise developers to scrutinize extension sources, monitor network activity, and implement endpoint protection. The resurgence of Glassworm emphasizes the growing threat of supply chain attacks in software development and the need for rigorous code integrity checks.
Read more on Bleeping Computer.

4. University of Phoenix Discloses Data Breach After Oracle Hack

The University of Phoenix has confirmed a data breach following Oracle’s cloud compromise, exposing sensitive student and faculty information. Attackers accessed personal data, including names, contact details, and academic records, raising concerns about identity theft and fraud.

The breach originated from vulnerabilities in Oracle’s systems, prompting urgent remediation and forensic investigations. Impacted individuals are being offered credit monitoring and identity protection services. This incident underscores the cascading risks of third-party service breaches and the critical need for robust vendor security assessments.
Read more on Bleeping Computer.

5. ShadyPanda Infects 4.3M Chrome and Edge Users via Extensions

A seven-year campaign by threat actor ShadyPanda exploited Chrome and Edge extensions to infiltrate 4.3 million users. Initially legitimate, these extensions introduced malicious updates enabling remote code execution and data exfiltration. Attackers leveraged hourly JavaScript payloads to steal credentials and browsing histories, with one extension alone infecting millions.

Security experts urge immediate removal of compromised extensions and adoption of strict extension vetting policies. This case highlights the persistent risks of browser-based attacks and the importance of continuous monitoring for supply chain threats.
Read more on Infosecurity Magazine

At DIESEC, our experts are ready to assist with all your cybersecurity needs. We ensure your system is safe and secure and provide training for your employees to avoid falling victim to social engineering tactics.

For more information, please contact us now!