Security news weekly round-up - 26th December 2025
Source: Dev.to
Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns
If you take anything away from this report, it’s to always be suspicious of emails with attachments—especially when the files have unusual extensions. PDF files are not inherently safe.
Key excerpt:
The operation’s sophistication is further evidenced by the use of steganography and the trojanization of open‑source libraries. Adding to their stealth is a custom‑engineered, four‑stage evasion pipeline designed to minimize their forensic footprint.
By masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access Trojans (RATs) and Infostealers.
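One concrete check behind the advice above: compare an attachment's declared extension against what its first bytes actually are, and flag double extensions such as ".pdf.exe". The following Python is an added example written for this round-up, not code from the report it summarizes; the magic-byte table is public knowledge, the filenames and byte strings are constructed samples, and the flag names are my own. It catches disguised files, not a genuinely malicious PDF, which is exactly why the text says PDFs are not inherently safe.

```python
from pathlib import PurePosixPath

# Magic-byte prefixes for common attachment families (public, well-known values).
MAGIC = {
    "pdf": b"%PDF",
    "pe": b"MZ",                                 # Windows .exe/.dll/.scr
    "elf": b"\x7fELF",
    "zip": b"PK\x03\x04",                        # .zip and OOXML (.docx/.xlsx/.pptx)
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy Office (.doc/.xls/.ppt)
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gzip": b"\x1f\x8b",
    "rar": b"Rar!\x1a\x07",
}

# Content family each declared extension is expected to carry.
EXPECTED = {
    "pdf": "pdf",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "zip": "zip", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
}

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Extensions that run code or mount containers when opened (assumed policy list).
RISKY_EXTS = {"exe", "scr", "dll", "js", "jse", "vbs", "hta", "cmd", "bat",
              "ps1", "lnk", "iso", "img"}


def detect_family(data: bytes):
    """Return the content family implied by the leading bytes, or None."""
    for family, signature in MAGIC.items():
        if data.startswith(signature):
            return family
    return None


def classify_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose name and content disagree or whose name is unusual."""
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    family = detect_family(data)
    flags = []
    if family in ("pe", "elf"):
        flags.append("EXECUTABLE_CONTENT")          # native code, whatever the name says
    expected = EXPECTED.get(ext)
    if expected and family != expected:
        flags.append("EXTENSION_MISMATCH")          # e.g. "invoice.pdf" that starts with MZ
    if ext in RISKY_EXTS:
        flags.append("RISKY_EXTENSION")
    elif ext not in EXPECTED and ext not in DOCUMENT_EXTS:
        flags.append("UNUSUAL_EXTENSION")           # unknown suffix: review before opening
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        flags.append("DOUBLE_EXTENSION")            # "report.pdf.exe" style disguise
    return {"name": filename, "extension": ext, "detected": family, "flags": flags}


# Constructed samples mimicking a "Purchase Order" lure; the bytes are synthetic.
SAMPLES = [
    ("Purchase_Order_4471.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("Purchase_Order_4471.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("Purchase_Order_4471.pdf.exe", b"MZ\x90\x00"),
    ("Purchase_Order_4471.xyz", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(classify_attachment(name, blob))
```

Run it at the mail gateway or in a sandbox triage script over the raw attachment bytes; anything carrying EXECUTABLE_CONTENT or EXTENSION_MISMATCH should be quarantined rather than delivered with a warning.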
NPM Package With 56,000 Downloads Steals WhatsApp Credentials, Data
A seemingly benign npm package can be malicious. This particular library, while appearing to provide legitimate functionality, hijacks WhatsApp authentication.
Key excerpt:
When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.
Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Browser extensions can be a vector for credential theft. These extensions masquerade as VPN services but perform malicious operations.
Key excerpt:
“Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they’re purchasing a legitimate VPN service, but both variants perform identical malicious operations,” Socket security researcher Kush Pandya said.
“Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man‑in‑the‑middle proxies, and continuously exfiltrate user data to the threat actor’s C2 [command‑and‑control] server.”
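The capabilities Socket describes (proxying traffic, intercepting requests on every site, reading credentials) all require specific entries in an extension's manifest, so a quick audit of manifest.json before installing or approving an extension is a useful first check. The Python below is an added example for this round-up, not code from Socket or from the extensions in the story; the permission and match-pattern names are Chrome's public manifest vocabulary, while the two sample manifests and the finding codes are constructed. A legitimate VPN extension also needs "proxy", so these are capability indicators that warrant review, not proof of malice.

```python
import json

# Chrome match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe or rewrite requests (MV2 and MV3 names).
INTERCEPT_PERMS = {
    "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
}

# Finding codes are my own; the text explains what each capability allows.
FINDING_TEXT = {
    "PROXY_CONTROL": "'proxy' permission: can route all browser traffic through a server it chooses",
    "ALL_HOSTS": "host access to every site the user visits",
    "TRAFFIC_INTERCEPTION": "request-interception API combined with all-host access",
    "COOKIE_ACCESS": "'cookies' permission with all-host access: can read session cookies for any site",
    "SCRIPT_ON_ALL_PAGES": "content script injected into every page: can read form fields and inject code",
}


def _is_broad(pattern: str) -> bool:
    return pattern in BROAD_PATTERNS


def audit_manifest(manifest: dict) -> list:
    """Return the list of capability findings for a parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    broad = any(_is_broad(h) for h in hosts)
    findings = []
    if "proxy" in perms:
        findings.append("PROXY_CONTROL")
    if broad:
        findings.append("ALL_HOSTS")
    if broad and perms & INTERCEPT_PERMS:
        findings.append("TRAFFIC_INTERCEPTION")
    if broad and "cookies" in perms:
        findings.append("COOKIE_ACCESS")
    if any(_is_broad(m)
           for cs in manifest.get("content_scripts", [])
           for m in cs.get("matches", [])):
        findings.append("SCRIPT_ON_ALL_PAGES")
    return findings


def audit_manifest_text(text: str) -> list:
    """Same audit over the raw JSON text of a manifest file."""
    return audit_manifest(json.loads(text))


# Constructed manifest shaped like a "VPN" extension with interception capability.
SUSPICIOUS_VPN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Fast VPN (hypothetical)",
    "permissions": ["proxy", "webRequest", "webRequestBlocking", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

# Constructed manifest scoped to one site with no interception APIs.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Site Helper (hypothetical)",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_VPN_MANIFEST, BENIGN_MANIFEST):
        print(m["name"])
        for code in audit_manifest(m):
            print("  ", code, "-", FINDING_TEXT[code])
```

On a managed fleet the same logic can be run over the unpacked extension directories under the browser profile, and an extension that scores PROXY_CONTROL together with TRAFFIC_INTERCEPTION or SCRIPT_ON_ALL_PAGES is a reasonable candidate for blocklisting via browser policy until someone has read its code.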
Credits
Cover photo by Debby Hudson on Unsplash.