Cyber Bites

Edwin Kwan
Latest episode

83 episodes

  • Cyber Bites

    Cyber Bites - 19th December 2025

    18/12/2025 | 10 min

    * Notepad++ Releases Security Update to Address Traffic Hijacking Vulnerability
    * Google Links Additional Chinese Hacking Groups to Widespread Exploitation of Critical React2Shell Vulnerability
    * Scammers Abuse PayPal Subscriptions to Send Fake Purchase Notification Emails
    * Massive Chrome Extension Caught Harvesting Millions of Users’ AI Chat Conversations
    * Google to Discontinue Its Dark Web Report Security Feature in 2026

    Notepad++ Releases Security Update to Address Traffic Hijacking Vulnerability
    https://notepad-plus-plus.org/news/v889-released/

    The popular text editor Notepad++ has released version 8.8.9 to address a critical security vulnerability affecting its updater, WinGUp. According to security experts, incidents of traffic hijacking have been reported, where the traffic between the updater client and the Notepad++ update infrastructure was being redirected to malicious servers, resulting in the download of compromised executables.

    The vulnerability was found to be a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. Exploiting this weakness, an attacker could intercept the network traffic and prompt the updater to download and execute an unwanted binary instead of the legitimate Notepad++ update. To mitigate this issue, the new release introduces a security enhancement that verifies the signature and certificate of the downloaded installers during the update process, and aborts the update if the verification fails.

    The investigation into the exact method of the traffic hijacking is ongoing, and users will be informed once tangible evidence is established. In the meantime, Notepad++ recommends that users who have previously installed the root certificate should remove it, as the binaries, including the installer, are now digitally signed using a legitimate certificate issued by GlobalSign.

    Google Links Additional Chinese Hacking Groups to Widespread Exploitation of Critical React2Shell Vulnerability
    https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/

    Google’s threat intelligence team has identified five more Chinese cyber-espionage groups joining the ongoing attacks exploiting the critical “React2Shell” remote code execution vulnerability, tracked as CVE-2025-55182. This flaw, which affects the React open-source JavaScript library, allows unauthenticated attackers to execute arbitrary code on React and Next.js applications with a single HTTP request.

    The list of state-linked threat actors now includes UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, which have been deploying a variety of malware such as the MINOCAT tunneling software, the SNOWLIGHT downloader, the COMPOOD backdoor, and an updated version of the HISONIC backdoor. According to Google, a significant number of systems are exposed to the vulnerability due to the widespread use of React Server Components in popular frameworks like Next.js.

    In addition to the Chinese hacking groups, Google’s researchers have also observed Iranian threat actors and financially motivated attackers targeting the React2Shell vulnerability, with some deploying XMRig cryptocurrency mining software on unpatched systems. Internet watchdog groups have tracked over 116,000 vulnerable IP addresses, primarily located in the United States, highlighting the widespread impact of this critical flaw.

    Scammers Abuse PayPal Subscriptions to Send Fake Purchase Notification Emails
    https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/

    Cybersecurity researchers have uncovered a new email scam that abuses PayPal’s “Subscriptions” billing feature to send legitimate-looking PayPal emails containing fake purchase notifications. The emails, which appear to come from the legitimate service[at]paypal.com address, state that the recipient’s “automatic payment is no longer active” and include a customer service URL field that has been modified to display a message about a large, expensive purchase.

    The goal of these scam emails is to trick recipients into believing their account has been used to make an expensive purchase, such as a Sony device, MacBook, or iPhone, and prompt them to call a provided phone number to “cancel or dispute the payment.” This tactic is commonly used to convince victims to engage in bank fraud or install malware on their computers.

    Investigations have revealed that the scammers are able to send these emails directly from PayPal’s servers by exploiting the company’s Subscriptions feature. When a merchant pauses a subscriber’s subscription, PayPal automatically sends a notification email to the subscriber, which the scammers are then modifying to include the fake purchase information. PayPal has stated that it is actively working to mitigate this method and urges customers to be vigilant and contact its customer support directly if they suspect they have been targeted by this scam.

    Massive Chrome Extension Caught Harvesting Millions of Users’ AI Chat Conversations
    https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection

    A Google Chrome extension with over 6 million users has been observed silently collecting every prompt entered by users into popular AI-powered chatbots, including OpenAI’s ChatGPT, Anthropic’s Claude, Microsoft’s Copilot, and others. The extension in question, Urban VPN Proxy, is advertised as a secure VPN service but has been updated to include a tailored script that intercepts and exfiltrates users’ chat conversations to remote servers.

    The extension, which also has 1.3 million installations on Microsoft Edge, overrides the browser’s network request APIs to capture the user’s prompts, the chatbot’s responses, conversation identifiers, timestamps, and session metadata. This data is then sent to two remote servers owned by Urban Cyber Security Inc., the Delaware-based company behind the extension. The company claims the data is collected for “marketing analytics purposes” and that it will be anonymised, but it also shares the raw, non-anonymised data with an affiliated ad intelligence firm, BIScience.

    Despite the extension’s “Featured” badge on the Chrome Web Store, which implies it meets the platform’s “best practices and high standards,” researchers have discovered that the data harvesting occurs regardless of whether the extension’s “AI protection” feature is enabled. This feature is designed to warn users about sharing personal information, while the developers fail to disclose that the extension is simultaneously exfiltrating the entire chat conversation to its own servers. This type of data collection and sharing without user consent poses a serious risk to users’ privacy and security.

    Google to Discontinue Its Dark Web Report Security Feature in 2026

    Google has announced that it will be shutting down its “dark web report” security tool, which notifies users if their email address or other personal information has been found on the dark web. The tech giant stated that it wants to focus on other tools it believes are more helpful to users in protecting their online security and privacy.

    According to their email notification, Google will stop monitoring for new dark web results on January 15, 2026, and the data will no longer be available from February 16, 2026. The company acknowledged that while the dark web report feature provided general information, feedback showed that it did not offer clear, actionable steps for users to protect their data.

    Going forward, Google will continue to invest in other security tools, such as the Google Password Manager, Password Checkup, and the “Results about you” feature, which allows users to find and request the removal of their personal information from Google Search results.

    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com

  • Cyber Bites

    Cyber Bites - 12th December 2025

    11/12/2025 | 9 min

    * Widespread Exploitation of React2Shell Flaw Compromises Dozens of Organisations
    * Gartner Recommends Ban on AI-Powered Browser Extensions Amid Growing Security Risks
    * Cybercriminals Pivot to Points, Taxes, and Fake Retailers in Surge of SMS Phishing Scams
    * Cybercriminals Exploit Google Ads and AI Platforms to Spread macOS Infostealer Malware
    * Thousands of Exposed Secrets on Docker Hub Put Organisations at Serious Risk

  • Cyber Bites

    Cyber Bites - 5th December 2025

    04/12/2025 | 8 min

    * Fake Calendly Invites Hijack Ad Manager Accounts by Spoofing Top Brands
    * Widespread Npm Malware Attack Exposes Thousands of Developer Secrets
    * WA Man Responsible for In-Flight “Evil Twin” WiFi Attacks Sentenced to 7 Years in Prison
    * Thousands of Developer Secrets Exposed in Public GitLab Repositories
    * ASX Outage Caused by Security Software Upgrade, Raising Concerns Over Technological Resilience

  • Cyber Bites

    Cyber Bites - 28th November 2025

    27/11/2025 | 9 min

    * Singapore Orders Apple, Google to Prevent Government Spoofing on Messaging Platforms
    * Massive Cyberattack Targets Real Estate Loan Vendor, Exposing Customer Data of Major Banks
    * Beware of Android TV Streaming Boxes Linked to Cybercrime Activities
    * The Rise of Agentic Bots and the Need for Robust Bot Management
    * FBI Warns of Soaring Account Takeover Fraud Ahead of Holiday Shopping Season

  • Cyber Bites

    Cyber Bites - 21st November 2025

    20/11/2025 | 9 min

    * WhatsApp Vulnerability Exposes User Phone Numbers, Enabling Large-Scale Enumeration Attacks
    * Critical Vulnerability Discovered in W3 Total Cache WordPress Plugin Enabling PHP Command Injection
    * Azure Experiences Largest-Ever DDoS Attack, Highlighting Ongoing Threat to Cloud Infrastructure
    * Optus Fined $826,000 for Vulnerability That Enabled Scammers to Steal Phone Numbers and Access Bank Accounts
    * Malicious NPM Packages Leverage Adspect Redirects to Evade Security and Lure Victims to Cryptocurrency Scams

About Cyber Bites

Your weekly dose of cyber security news by Edwin Kwan. Stay sharp in the digital world! "Cyber Bites" delivers cybersecurity insights, industry trends, and personal experiences to keep you informed and protected. edwinkwan.substack.com

Generated: 12/22/2025 - 5:07:57 PM