Cyware Daily Threat Intelligence, December 02, 2025

For seven years, a massive surveillance operation has been hiding in the browser extensions we use every day. The group ShadyPanda has infected 4.3 million Chrome and Edge users by pushing spyware-laden updates to extensions that initially appeared safe. Some of these malicious tools, including one with millions of installs, remain active and are sending sensitive user data back to servers in China.
Malware is once again infiltrating the very marketplaces developers trust to build their software. The Glassworm malware has resurfaced for a third wave, introducing 24 new malicious packages to the OpenVSX and Visual Studio marketplaces that use invisible Unicode characters to evade detection.
Your smartphone is the target of active attacks, making this month's security patch vital. Google has released its December 2025 Android updates to address 107 vulnerabilities. The update also fixes a critical remote DoS bug that could render devices completely inoperable without any user interaction.
Top Malware Reported in the Last 24 Hours
Malicious extensions infect millions of users
A seven-year campaign by the group ShadyPanda has led to the infection of 4.3 million users of Google Chrome and Microsoft Edge through malicious browser extensions. Initially appearing legitimate, these extensions gained user trust before pushing updates that introduced spyware and backdoors. Five extensions, which infected 300,000 users, allowed remote code execution, while another five remain active in the Edge marketplace, with one, WeTab, boasting three million installs. The malware enables comprehensive browser surveillance and data theft, sending sensitive information to servers in China. Earlier campaigns included extensions that tracked user behavior and monetized browsing data.
Glassworm malware: The third wave
The Glassworm malware has resurfaced in its third wave, introducing 24 new malicious packages on the OpenVSX and Microsoft Visual Studio marketplaces. Initially detected in October, Glassworm employs invisible Unicode characters to conceal its code and targets developers by stealing credentials from GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data. It also establishes a SOCKS proxy for routing malicious traffic and installs an HVNC client for remote access. Despite previous containment efforts, the malware returned with new extensions and publisher accounts, targeting popular frameworks like Flutter and React Native. The latest wave demonstrates an evolution in its technical capabilities, now utilizing Rust-based implants while continuing to manipulate download counts to appear trustworthy and confuse users in search results.
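As an added illustration of the concealment technique described above (example code written for this digest, not code from the original report or from any vendor's analysis), the following Python scanner flags code points that render as nothing in an editor and decodes text hidden in the Unicode Tags block. It covers several invisible ranges rather than any single one attributed to Glassworm; the range list, helper names and the sample extension source are constructed for this example.

```python
import unicodedata
# Code point ranges that render as nothing (or silently reorder text) in most
# editors, so their presence inside extension source code deserves review.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space, ZWNJ, ZWJ, LRM, RLM
    (0x202A, 0x202E),    # bidirectional embeddings and overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidirectional isolates
    (0xFE00, 0xFE0F),    # variation selectors (legitimate next to emoji/CJK only)
    (0xFEFF, 0xFEFF),    # zero-width no-break space (a BOM not at offset 0)
    (0xE0000, 0xE007F),  # Unicode Tags block: one code point per hidden ASCII byte
)

def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_source(source):
    """Return (line, column, code point, name) for each invisible code point; 1-based."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, ord(ch), unicodedata.name(ch, "<unnamed>")))
    return findings

def decode_tag_runs(source):
    """Recover ASCII hidden in runs of Tags characters (each is its ASCII value + 0xE0000)."""
    runs, current = [], []
    for ch in source:
        if 0xE0000 <= ord(ch) <= 0xE007F:
            current.append(chr(ord(ch) - 0xE0000))
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    return runs

# Constructed sample: an extension's activate() with two zero-width spaces at the
# end of line 2 and the tag-encoded word "hidden" on line 3 (a placeholder payload).
SAMPLE_EXTENSION_JS = (
    "const cfg = { token: 'abc' };\n"
    "function activate(context) {\u200b\u200b\n"
    "  return cfg;\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E\n"
    "}\n"
)
if __name__ == "__main__":
    print(scan_source(SAMPLE_EXTENSION_JS), decode_tag_runs(SAMPLE_EXTENSION_JS))
```

Variation selectors do occur legitimately next to emoji in UI strings, so treat hits in that range as review items rather than automatic blocks.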
Top Vulnerabilities Reported in the Last 24 Hours
Google patches 107 Android vulnerabilities
Google has released December 2025 security updates for Android, addressing a total of 107 vulnerabilities across various components, including Framework, System, and Kernel. Among these, two high-severity vulnerabilities, CVE-2025-48633 and CVE-2025-48572, have been actively exploited in the wild. A critical vulnerability in the Framework, CVE-2025-48631, poses a risk of remote DoS attacks without requiring additional execution privileges, potentially rendering devices inoperable. The updates include two patch levels, 2025-12-01 and 2025-12-05, allowing manufacturers to address common vulnerabilities more efficiently.
New bug identified in Apache Struts
A critical vulnerability, tracked as CVE-2025-64775, has been discovered in Apache Struts, a popular open-source web application framework. The flaw stems from improper cleanup of temporary files created during multipart requests and can be abused for disk exhaustion attacks. By generating numerous large temporary files, an attacker can fill a server's disk space, causing significant disruptions such as slow performance or complete unavailability of the application. The vulnerability affects several versions of Struts, including those that are no longer supported.