We have compiled the week’s key cybersecurity stories.
- A vulnerability in a JavaScript library was used to steal cryptocurrency.
- Hackers threatened to expose data on Pornhub premium users.
- Hackers promoted the new SantaStealer malware.
- Amazon warned about a large-scale clandestine cryptomining campaign.
A JavaScript library vulnerability used to steal cryptocurrency
Cases of wallet-draining malware being loaded onto websites have increased recently. The malware is planted via a flaw in React, a popular JavaScript library for building user interfaces, Cointelegraph reported.
On December 3 the React team said white-hat hacker Lachlan Davidson had found a vulnerability enabling unauthenticated remote code execution. A patch was released the same day.
According to the non-profit cybersecurity organisation Security Alliance (SEAL), attackers are exploiting this flaw to surreptitiously add wallet-drainer code to cryptocurrency sites.
Web3 protocols are not the only targets, SEAL stressed; all websites are at risk. Users were urged to exercise extreme caution when signing any transactions or approvals.
Hackers threatened to expose data on Pornhub premium users
Users of the adult platform Pornhub faced extortion from the ShinyHunters group, the company’s management said.
The letter states the platform was impacted by a breach at third-party analytics provider Mixpanel. The incident occurred on November 8, 2025, following a smishing attack.
According to BleepingComputer, Pornhub has not worked with Mixpanel since 2021, which helps date the incident.
The contractor confirmed the breach affected “a limited number” of clients, among whom OpenAI and CoinTracker had previously been named.
In comments to BleepingComputer, Mixpanel representatives said they did not consider their system the source of the leak:
“We find no evidence that this data was stolen from Mixpanel during the November incident or otherwise. The last time this information was accessed was by a legitimate account of an employee of Pornhub’s parent company in 2023.”
BleepingComputer learned ShinyHunters began blackmailing Mixpanel’s clients last week, sending emails with ransom demands.
In an ultimatum sent to Pornhub, the hackers claimed to have stolen 94GB of data containing more than 200m records of personal information.
The group later confirmed to the outlet that the database includes 201,211,943 premium-subscriber accounts.
Hackers provided the publication with a sample of the stolen data containing sensitive information:
- user email address;
- type of activity (viewing, downloading, visiting a channel);
- location;
- video URL and title;
- keywords associated with the video;
- exact event timestamp.
Hackers tout new SantaStealer malware
The new data-stealing malware SantaStealer is being actively advertised on Telegram and underground forums. It is distributed under a CaaS model, researchers at Rapid7 said.
According to them, SantaStealer is a rebrand of the BluelineStealer malware. It operates solely in memory to evade antivirus detection.
The developer is running an active marketing campaign ahead of a full launch slated for year-end.
The monthly CaaS subscription is offered in two tiers:
- basic — $175;
- premium — $300.
Rapid7 specialists analysed several SantaStealer samples and gained access to the affiliate interface. Despite numerous data-theft mechanisms, the malware falls short of the advertised detection-evasion capabilities.
The research shows the stealer’s control panel is user-friendly, allowing “clients” to configure builds—from full-scale theft to compact, targeted payloads.
SantaStealer uses 14 separate data-collection modules, each running in its own thread. Stolen data is written to memory, archived into a ZIP file and exfiltrated in 10MB chunks to the command server.
According to the researchers, SantaStealer can be used to steal:
- browser passwords, cookies, browsing history and saved payment cards;
- data from Telegram, Discord and Steam;
- data from Web3 applications and crypto-wallet extensions;
- documents from a device;
- screenshots of a user’s desktop.
Amazon warned of a large-scale clandestine cryptomining campaign
Amazon GuardDuty security specialists discovered a covert cryptomining campaign targeting Elastic Compute Cloud (EC2) and Elastic Container Service (ECS), which run virtual machines and application containers.
By deploying cryptominers on the infrastructure, attackers profit at the expense of AWS customers and Amazon itself, which shoulder the compute costs.
The attack used an image from Docker Hub created in late October, which had more than 100,000 downloads at the time of discovery. Amazon emphasised that the attackers did not compromise the software itself but accessed customer accounts using stolen credentials.
According to the report, a distinguishing feature of this campaign was a setting that prevented administrators from remotely shutting down machines. This forced security teams to first disable the protection manually and only then stop the mining.
Amazon warned affected customers to rotate compromised credentials. The malicious image was removed from Docker Hub, though specialists cautioned it could be reuploaded under different accounts or names.
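For defenders, the shutdown-blocking behaviour described above can be hunted for in API audit logs. The following is an added example, not code from Amazon's report or from ForkLog: it assumes the unnamed setting is EC2 termination protection (the `disableApiTermination` attribute), and the simplified record layout, sample events and 30-minute correlation window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified CloudTrail-style records (sample data, not real logs).
# Assumption: the "setting" in the report is EC2 termination protection.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2025-11-02T10:00:00Z", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
 {"eventTime": "2025-11-02T10:02:10Z", "eventName": "ModifyInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "requestParameters": {"instanceId": "i-0aaa", "disableApiTermination": {"value": true}}},
 {"eventTime": "2025-10-01T08:00:00Z", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ccc"}]}}},
 {"eventTime": "2025-11-02T11:00:00Z", "eventName": "ModifyInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
  "requestParameters": {"instanceId": "i-0ccc", "disableApiTermination": {"value": true}}},
 {"eventTime": "2025-11-02T10:05:00Z", "eventName": "ModifyInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "requestParameters": {"instanceId": "i-0aaa", "instanceType": {"value": "c5.large"}}}
]""")

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def flag_termination_locks(events, window=timedelta(minutes=30)):
    """Return (instance_id, principal) pairs where the launching principal
    enabled termination protection within `window` of the launch."""
    launches = {}  # instance_id -> (launch time, launching principal)
    hits = []
    for ev in sorted(events, key=_ts):
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev["eventName"] == "RunInstances":
            items = (ev.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
            for item in items:
                launches[item["instanceId"]] = (_ts(ev), who)
        elif ev["eventName"] == "ModifyInstanceAttribute":
            params = ev.get("requestParameters") or {}
            if (params.get("disableApiTermination") or {}).get("value") is not True:
                continue  # some other attribute was changed
            launched = launches.get(params.get("instanceId"))
            if launched and launched[1] == who and _ts(ev) - launched[0] <= window:
                hits.append((params["instanceId"], who))
    return hits
```

In the sample data only `i-0aaa` is flagged: the administrator who protects a month-old instance and the unrelated instance-type change are both ignored.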
Investor loses savings in AI-enabled romance scam
A bitcoin investor lost his funds after falling victim to a “pig-butchering” scam, according to The Bitcoin Adviser consultant Terence Michael.
“I have a Bitcoin client who just lost all his Bitcoin. He isn’t wealthy. He finally made it to 1 BTC. I celebrated with him over the phone. But within days of him finally leaving Coinbase to set up a distributed multi-key security and inheritance protocol, he was approached by…” pic.twitter.com/H1FK6Mbbyi
— Terence Michael (@ProofOfMoney) December 14, 2025
He said the unnamed client transferred the leading cryptocurrency to a fraudster posing as a trader who promised to double his assets. The attacker also pretended to be a woman in love with the investor.
Despite “numerous phone calls” and “a series of text messages” with warnings, Michael failed to dissuade the client from sending BTC.
“[…] last night, while I was at dinner, I got a devastating message from him that he lost everything.”
Beyond losing his retirement savings, the recently divorced investor also bought the fraudster an airline ticket, expecting to meet the “woman.” After the transfer, the attacker admitted the photos used were generated with AI.
Also on ForkLog:
- In Chrome, a free VPN collected conversations with AI.
- In 2025, losses from hacks reached $3.4 billion.
- Tether unveiled a password manager without cloud storage.
- The SEC closed its case against the Aave DeFi protocol.
- Solana suffered one of the most powerful DDoS attacks on record.
- Trump pledged to review the case of the convicted Samourai Wallet co-founder.
- Bitcoin’s hashrate fell 8% amid rumours of raids on mining farms in China.
- Privacy was named the leading crypto-market trend for the coming years.
What to read this weekend?
An advertising algorithm in a household refrigerator, which accidentally matched the owner’s name, triggered a severe psychotic episode.
ForkLog looked into the details and how the “Economy of Things” concept and crypto wallets could safeguard mental health from corporate overreach.
