At least one IoT device compromised
December 31, 2025
•[ botnet, iot, vulnerability ]
Security researchers reported that the RondoDox botnet successfully exploited a critical vulnerability to take control of at least one internet-connected networking device, enrolling it into a botnet for malicious activity.
At least one user of Notepad++
December 12, 2025
•[ vulnerability, supply chain attack, software update attack ]
PCGuia reported that a critical vulnerability in Notepad++s automatic update mechanism was actively exploited, allowing attackers to intercept update traffic and distribute compromised/malicious versions of the software to users of versions prior to 8.8.9. The article states developers urged users to avoid the built-in updater and instead manually download the installer from the official site or trusted repositories. It also cites reporting that several organizations suffered serious breaches shortly after updating, and notes that the mitigations in version 8.8.9 included forcing the update URL to GitHub and improvements related to certificate/signature verification. The specific attacker identity, the full list of affected downstream organizations, and whether any sensitive data was exfiltrated from victims are not detailed in the article.
At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
At least one undisclosed e-commerce site (running Adobe Commerce / Magento 2)
October 22, 2025
•[ vulnerability, account takeover, skimming ]
Observed active attempts to hijack Magento/Adobe Commerce sessions via the SessionReaper flaw weeks after patches, enabling account takeover, checkout abuse, and skimmer deployment on e-commerce sites. This is broad criminal monetization activity against many sites; no single named victim with a confirmed primary effect, so not recorded as a discrete event.
Envoy Air (American Airlines)
October 17, 2025
•[ ransomware, data leak, vulnerability ]
Envoy Air confirmed it was hit in a broader Clop campaign abusing an Oracle EBS zero-day. Reuters notes a small amount of Envoy business information may have been accessed; Clop listed American Airlines, but the target was Envoy, AAs regional carrier. Primary impact: unauthorized access/data theft for extortion, not operational outage.
ICTBroadcast
October 11, 2025
•[ vulnerability, exploit ]
Researchers warn ICTBroadcast CVE-2025-2611 actively exploited to gain shells via cookie
Cox Enterprises, Inc.
August 9, 2025
•[ vulnerability, zero-day, data leak ]
Hackers exploited a zeroday vulnerability in Oracle EBusiness Suite, breached Cox Enterprises network, and exfiltrated personal data of about 9,479 individuals; Cl0p group later published stolen files on darkweb leak site
GMX (decentralized exchange)
July 30, 2025
•[ theft, vulnerability ]
The Record reports theft from the GMX exchange with attackers stealing cryptocurrency through an exploit path still under investigation.
National Institutes of Health; National Nuclear Security Administration
July 20, 2025
•[ data leak, vulnerability ]
NIH and the National Nuclear Security Administration were impacted in a global Microsoft SharePoint breach; no classified information reported compromised; scope and severity under investigation.
U.S. National Nuclear Security Administration (NNSA)
July 18, 2025
•[ data breach, vulnerability, zero-day ]
Breach of NNSA systems through a Microsoft SharePoint zero-day vulnerability. DOE stated a small number of systems were impacted and are being restored. Attack was later linked to Chinese state hacking groups Linen Typhoon and Violet Typhoon.
Gravity Forms (Rocketgenius)
July 14, 2025
•[ vulnerability, malware ]
Patchstack reported malicious code in official Gravity Forms installers affecting versions 2.9.11.1 and 2.9.12, enabling command execution on sites using the installers.
Kurdish forces
May 14, 2025
•[ espionage, vulnerability, zero-day ]
Turkey-linked espionage operators exploited a zero-day in Output Messenger to surveil Iraq-based Kurdish forces, collecting communications and device data; Microsoft attributed the activity to a Turkey-aligned group focused on intelligence collection.
Juan F. Luis Hospital
April 26, 2025
•[ ransomware, vulnerability ]
Ransomware accessed two local servers via an overlooked vulnerability and forced the hospital into prolonged downtime, manual workflows, and a wholesale technology rebuild. CEO reports weekly cash flow impact of $750k$800k due to delayed electronic billing yet maintains no patient or staff data was stolen; operations gradually restored as systems returned.
Tj-Actions
March 14, 2025
•[ data leak, supply chain attack, credential exposure ]
A popular GitHub Action called tj-actions/changed-files was compromised: an attacker modified its code and version tags so that when used in CI/CD workflows it executed a script that dumped runner memory and exposed secrets (AWS keys, GitHub PATs, npm tokens, private RSA keys) in publicly accessible logs. The incident, tracked as CVE-2025-30066 (and linked to CVE-2025-30154 for a related Action), affected thousands of repositories across many organizations. Users are advised to stop using the impacted versions, rotate all credentials, and review any workflows that ran between March 1415, 2025.
Serbian Student Activist
February 28, 2025
•[ vulnerability, zero-day, surveillance ]
Amnesty reported Cellebrite zero-day used to unlock Serbian activists Android device.
Commvault
February 20, 2025
•[ vulnerability, unauthorized access ]
A zero-day vulnerability (CVE-2025-3928) in Commvaults cloud backup platform was exploited, allowing unauthorized access to internal systems and credentials. Commvault stated that customer backup data was not impacted, and no data theft has been confirmed.
Cardex
February 18, 2025
•[ vulnerability, theft, data leak ]
Abstract reported a session key vulnerability in Cardex that allowed an attacker to perform unauthorized transactions and drain funds from thousands of wallets.
India Post
February 17, 2025
•[ data leak, vulnerability, idor ]
IDOR flaw allowed retrieval of KYC documents by altering IDs in URLs; reports indicate thousands of records were exposed.
Cocospy & Spyic
February 14, 2025
•[ data leak, stalkerware, vulnerability ]
Vulnerability allowed unauthenticated access to servers exposing stalkerware customer lists and victims uploaded data.
Undisclosed software and services company (South Asia)
February 12, 2025
•[ data exfiltration, vulnerability, APT ]
A China-linked group known as Emperor Dragonfly exploited a Palo Alto PAN-OS vulnerability (CVE-2024-0012) to compromise an undisclosed medium-sized software and services company in South Asia. The attackers exfiltrated d
