Nation-State Attack or Compromised Government? [Guest Diary]
An IP address associated with the Indonesian Government attacked one of our interns' honeypots.
https://isc.sans.edu/diary/Nation-State%20Attack%20or%20Compromised%20Government%3F%20%5BGuest%20Diary%5D/32536
React Update
Working exploits for the React vulnerability patched yesterday are not widely available
Array Networks Array AG Vulnerablity
A recently patched vulnerability in Array Networks Array AG VPN gateways is actively exploited.
https://www.jpcert.or.jp/at/2025/at250024.html

Attempts to Bypass CDNs
Our honeypots recently started receiving scans that included CDN specific headers.
https://isc.sans.edu/diary/Attempts%20to%20Bypass%20CDNs/32532
React Vulnerability CVE-2025-55182
React patched a critical vulnerability in React server components. Exploitation is likely imminent.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Unveiling 3 PickleScan Vulnerabilities
The PyTorch AI model security tool, PickleScan, has patched three critical vulnerabilities.
https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/

SmartTube Android App Compromise
The key a developer used to sign the Android YouTube player SmartTube was compromised and used to publish a malicious version.
https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826
https://github.com/yuliskov/SmartTube/releases/tag/notification
Two Years, 17K Downloads: The NPM Malware That Tried to Gaslight Security Scanners
Over the course of two years, a malicious NPM package was updated to evade detection and has now been identified, in part, due to its attempt to bypass AI scanners through prompt injection.
https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
Stored XSS Vulnerability via SVG Animation, SVG URL, and MathML Attributes
Angular fixed a store XSS vulnerability.
https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49

Hunting for SharePoint In-Memory ToolShell Payloads
A walk-through showing how to analyze ToolShell payloads, starting with acquiring packets all the way to decoding embedded PowerShell commands.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Hunting%20for%20SharePoint%20In-Memory%20ToolShell%20Payloads/32524
Android Security Bulletin December 2025
Google fixed numerous vulnerabilities with its December Android update. Two of these vulnerabilities are already being exploited.
https://source.android.com/docs/security/bulletin/2025-12-01
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
A group or individual released several browser extensions that worked fine for years until an update injected malicious code into the extension
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix
The latest variant of ClickFix tricks users into copy/pasting commands by displaying a fake blue screen of death.
https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/
B2B Guest Access Creates an Unprotected Attack Vector
Users may be tricked into joining an external Teams workspace as a guest, bypassing protections typically enabled for Teams workspaces.
https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
Geoserver XXE Vulnerability CVE-2025-58360
Geoserver patched an external XML entity (XXE) vulnerability.
https://helixguard.ai/blog/CVE-2025-58360

Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
Spyware attacks messaging applications in part by triggering vulnerabilities in messaging applications but also by deploying tools like keystroke loggers and screenshot applications.
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
Stop Putting Your Passwords Into Random Websites Yes. Just Stop!
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/
Fluentbit Vulnerability
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
Happy Thanksgiving. Next podcast on Monday after Thanksgiving.

Conflicts between URL mapping and URL based access control.
Mapping different URLs to the same script, and relying on URL based authentication at the same time, may lead to dangerous authentication and access control gaps.
https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518
Sha1-Hulud, The Second Coming
A new, destructive variant of the Shai-Hulud worm is currently spreading through NPM/Github repos.
https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
Hacklore: Cleaning up Outdated Security Advice
A new website, hacklore.org, has published an open letter from former CISOs and other security leaders aimed at addressing some outdated security advice that is often repeated.
https://www.hacklore.org

Use of CSS stuffing as an obfuscation technique?
Phishing sites stuff their HTML with benign CSS code. This is likely supposed to throw of simple detection engines
https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510
Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day
Early exploit attempts for the vulnerability were part of Searchlight Cyber s research effort
https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/
ClamAV Cleaning Signature Database
ClamAV will significantly clean up its signature database
https://blog.clamav.net/2025/11/clamav-signature-retirement-announcement.html

Oracle Identity Manager Exploit Observation from September (CVE-2025-61757)
We observed some exploit attempts in September against an Oracle Identity Manager vulnerability that was patched in October, indicating that exploitation may have occurred prior to the patch being released.
https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20Observation%20from%20September%20%28CVE-2025-61757%29/32506
https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/
DigitStealer: a JXA-based infostealer that leaves little footprint
https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/
SonicWall DoS Vulnerability
Sonicwall patched a DoS vulnerability in SonicOS
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
Adam Wilson: Automating Generative AI Guidelines: Reducing Prompt Injection Risk with 'Shift-Left' MITRE ATLAS Mitigation Testing

Unicode: It is more than funny domain names.
Unicode can cause a number of issues due to odd features like variance selectors and text direction issues.
https://isc.sans.edu/diary/Unicode%3A%20It%20is%20more%20than%20funny%20domain%20names./32472
FortiWeb Multiple OS command injection in API and CLI
A second silently patched vulnerability in FortiWeb is already being exploited in the wild.
https://fortiguard.fortinet.com/psirt/FG-IR-25-513
DLink DIR-878 Vulnerability
DLink disclosed four different vulnerabilities in its popular DIR-878 router. The router is end-of-life and DLink will not release patches
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10475
Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router
A new report, Operation WrtHug, has uncovered a massive, coordinated effort that has compromised thousands of ASUS routers worldwide.
https://securityscorecard.com/blog/operation-wrthug-the-global-espionage-campaign-hiding-in-your-home-router/

KongTuke Activity
This diary investigates how a recent Kong Tuke infections evolved all the way from starting with a ClickFix attack.
https://isc.sans.edu/diary/KongTuke%20activity/32498
Cloudflare Outage
Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service
https://x.com/dok2001
Google Patches Chrome 0-Day
Google patched two vulnerabilities in Chrome. One of them is already being exploited.
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html