Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to this year’s first edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. Canary Trap wishes you a wonderful start to 2026!
At Canary Trap, it is our mission to keep you up to date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
This week’s cybersecurity landscape underscores the impact of modern digital threats, ranging from critical authentication flaws and supply chain compromises to privacy leaks. The following reports highlight how vulnerabilities, third-party risk, and data protection failures continue to affect organizations across the aviation, blockchain, entertainment, and even space research sectors.
- IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass
IBM has issued a security advisory warning of a severe vulnerability affecting its API Connect platform that could enable unauthenticated remote access.
The flaw, identified as CVE-2025-13915, carries a CVSS score of 9.8, placing it in the critical severity category. According to IBM, the issue stems from an authentication bypass weakness that may allow attackers to circumvent access controls and interact with the application without proper authorization.
The vulnerability impacts the following IBM API Connect releases:
- Versions 10.0.8.0 through 10.0.8.5
- Version 10.0.11.0
To mitigate the risk, IBM recommends that affected customers obtain and deploy the interim fix available through Fix Central. The remediation process involves extracting the provided update package and applying the fix corresponding to the deployed API Connect version.
For organizations that are unable to immediately install the interim fix, IBM advises disabling self-service user registration within the Developer Portal, if it is enabled. This temporary measure can help reduce exposure until the patch is applied.
IBM API Connect is a comprehensive API management platform designed to support the full API lifecycle, including development, testing, governance, and security, across both cloud-based and on-premises environments. It is widely used across industries, including financial services, aviation, and enterprise technology.
At this time, there are no confirmed reports of active exploitation. However, given the critical nature of the vulnerability, organizations running affected versions are strongly encouraged to apply the fix as soon as possible to maintain a strong security posture.
- 30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online
In a significant cybersecurity incident affecting the aviation sector, Korean Air has disclosed a data breach involving the personal information of approximately 30,000 current and former employees. The breach was publicly acknowledged on December 29, 2025, and comes shortly after another South Korean airline, Asiana Airlines, reported the exposure of data belonging to 10,000 staff members, raising fresh concerns about systemic security gaps within the industry.
Initial investigations indicate that Korean Air’s core IT infrastructure was not directly infiltrated. Instead, attackers gained access through KC&D Service, a company responsible for in-flight catering and duty-free operations.
KC&D Service was formerly part of Korean Air but was divested in 2020 and acquired by private equity firm Hahn & Company. Despite operating as a separate legal entity, KC&D continues to provide critical services to the airline, with Korean Air retaining a 20% ownership stake. This ongoing operational relationship meant that employee data remained accessible within KC&D’s internal systems.
In an official notice, Korean Air confirmed that employee information stored on KC&D’s enterprise resource planning (ERP) server was exposed following an external cyberattack.
According to a report from Korea JoongAng Daily, the attackers are believed to have compromised KC&D’s ERP environment by exploiting a flaw in Oracle E-Business Suite (EBS). The vulnerability, tracked as CVE-2025-61882, reportedly allows unauthenticated attackers to bypass access controls and take over affected servers.
This same vulnerability has been linked to other high-profile breaches, including an earlier compromise at Envoy Air, a regional carrier operating under American Airlines—suggesting a repeatable and scalable attack vector targeting organizations running unpatched enterprise software.
Responsibility for the attack has been attributed to the Cl0p ransomware group, a well-known Russian-speaking cybercriminal operation specializing in data extortion rather than encryption-based attacks.
Security researchers report that Cl0p has been actively abusing the Oracle EBS vulnerability since at least August, using it to infiltrate high-value targets across multiple sectors. Victims linked to this campaign reportedly include major corporations, academic institutions, and media organizations.
In the Korean Air case, Cl0p has allegedly begun leaking hundreds of gigabytes of stolen data on dark web platforms after ransom demands were refused, consistent with the group’s established “name-and-shame” extortion tactics.
The leaked dataset is believed to contain highly sensitive employee information, including names and bank account numbers stored within the ERP system. Korean Air has emphasized that no customer data, such as passenger records, booking details, or payment card information, was impacted during this incident.
In a message to employees, Vice Chairman Woo Kee-hong stated that the airline is treating the breach with the utmost seriousness, regardless of the fact that the intrusion originated from a third-party vendor.
Korean Air has confirmed that emergency security patches have been deployed and that all digital connections with KC&D Service have been severed to prevent further data exposure. The incident has been formally reported to the Korea Internet & Security Agency (KISA).
Employees have also been warned to remain vigilant for phishing attempts, scam messages, or fraudulent communications that may leverage stolen information in follow-on social engineering attacks.
This breach adds to a growing list of major cyber incidents in South Korea throughout 2025. Earlier in December, e-commerce giant Coupang reportedly suffered a massive breach affecting tens of millions of users, triggering regulatory action and executive fallout. Earlier in the year, SK Telecom disclosed a long-running malware infection that led to the exposure of millions of subscriber identifiers.
Together, these incidents underscore a recurring theme: the expanding attack surface created by third-party vendors, legacy systems, and delayed vulnerability remediation, particularly within large, interconnected enterprises.
- Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist
A recent cryptocurrency theft totaling approximately $8.5 million has been linked to Shai-Hulud 2.0, a self-propagating worm that compromised the NPM ecosystem in late November. The attack ultimately led to the distribution of a malicious version of Trust Wallet’s Chrome browser extension, exposing thousands of users.
Trust Wallet publicly disclosed the incident on December 25, confirming that attackers specifically targeted users running version 2.68 of the Chrome extension. According to the company’s post-incident analysis, the malicious extension was published on December 24, and any user who accessed their wallet between December 24 and 26 was impacted.
Trust Wallet reported that 2,520 wallet addresses were drained, with roughly $8.5 million in digital assets traced to 17 attacker-controlled wallets. The company also noted that some of the compromised wallets were not originally associated with Trust Wallet.
To mitigate user impact, Trust Wallet stated it will fully reimburse all affected customers and has urged users to immediately upgrade to version 2.69 of the Chrome extension.
Trust Wallet attributed the breach to the Shai-Hulud supply chain attack, which targeted NPM users at scale. During the campaign, attackers obtained access to Trust Wallet’s developer GitHub secrets, giving them visibility into the project’s source code and access to a Chrome Web Store API key.
With this access, the threat actors were able to build a trojanized version of the Trust Wallet browser extension and publish it using the leaked API key, completely bypassing the organization’s normal release and validation process.
The malicious extension was designed to pull code from an attacker-controlled domain, allowing it to harvest sensitive wallet data and initiate unauthorized transactions on behalf of users.
Trust Wallet emphasized that Shai-Hulud was not a targeted attack against a single organization, but rather a widespread software supply chain compromise affecting multiple industries, including, but not limited to, the cryptocurrency sector.
The original Shai-Hulud worm surfaced in September 2025, targeting NPM packages to exfiltrate sensitive data into automatically generated GitHub repositories. A second wave, referred to as Shai-Hulud 2.0 (also tracked as Sha1-Hulud), emerged in late November.
Within days, researchers observed over 640 compromised NPM packages, which at peak activity on November 24 resulted in the creation of more than 25,000 GitHub repositories leaking sensitive data.
According to Wiz, rapid response efforts across the security community slowed the infection rate significantly. From November 25 through December 24, new malicious repositories were created at a reduced rate of approximately 100–200 per day.
Complete eradication proved difficult. One key reason was the persistence of the infected OpenVSX asyncapi-preview 1.0.1 extension, which did not auto-update due to the absence of a higher version. Additionally, cached and private packages continued to propagate the malware.
After the AsyncAPI team released version 1.1.0 of the extension, the infection rate dropped sharply, with only a small number of new repositories appearing by December 29.
As of now, Wiz has identified more than 12,000 compromised machines and over 29,000 repositories containing exposed credentials and sensitive data.
Despite progress, Wiz cautioned that remediation efforts remain incomplete. While npm and GitHub tokens have largely been revoked, high-value credentials tied to infrastructure and AI services are still at risk.
Just as infection rates appeared to stabilize, researchers identified a new iteration of the worm.
On December 28, Aikido discovered malicious code embedded in the @vietmoney/react-big-calendar package. Early analysis suggests that a coding flaw may have limited its ability to spread at the same scale as previous versions.
Security firm Upwind describes Shai-Hulud 3.0 as retaining the same core behavior: executing malicious logic during package installation, before users or automated scanners can detect it.
Once active, the worm leverages TruffleHog to search for API keys, tokens, and credentials, and uses the Bun runtime in Windows-based publishing workflows. Any secrets discovered are written to disk and later transmitted to attacker-controlled servers.
One notable change in this version is the removal of a so-called “dead man switch.” Earlier variants would trigger a destructive wiper if no exploitable GitHub or NPM tokens were found. That behavior has now been eliminated.
Developers and organizations using @vietmoney/react-big-calendar or any packages known to be compromised by Shai-Hulud are strongly advised to:
- Remove infected dependencies immediately.
- Rotate all credentials, API keys, and secrets.
- Audit build pipelines and publishing workflows for unauthorized access.
As the Shai-Hulud campaign continues to evolve, the incident underscores the systemic risk posed by software supply chain attacks and the importance of securing developer credentials, build systems, and dependency ecosystems.
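As an added example (not code from Canary Trap, Trust Wallet, Wiz, Aikido or Upwind), the following Python audit applies the recommendations above to a local dependency tree: it lists every package that declares an install-time lifecycle script, which is the execution point the reports describe for the worm, and matches each manifest against a denylist of known-compromised packages. Only the package name @vietmoney/react-big-calendar comes from the roundup; its affected version is not given there, so the version wildcard, the second denylist entry, the sample manifests and the file layout are constructed assumptions.

```python
"""Audit npm package manifests for the two Shai-Hulud traits described above.

Added example, not code from any vendor named in the roundup. It flags
(1) packages that declare install-time lifecycle scripts, the point at which
the worm is reported to run, and (2) packages on a denylist of known-compromised
names/versions. The denylist and the sample manifests are constructed.
"""
import json
from dataclasses import dataclass
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed denylist: name -> set of affected versions, "*" meaning any
# version. Only the first name comes from the roundup; its affected version is
# not stated there, so "*" is an assumption for illustration.
KNOWN_COMPROMISED = {
    "@vietmoney/react-big-calendar": {"*"},
    "example-compromised-lib": {"4.2.0"},  # placeholder entry
}


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    reason: str   # "known-compromised" or "install-hook"
    detail: str


def is_denylisted(name: str, version: str) -> bool:
    """True when the name/version pair appears on the denylist."""
    versions = KNOWN_COMPROMISED.get(name)
    return bool(versions) and ("*" in versions or version in versions)


def audit_manifests(manifests):
    """Return findings for a list of parsed package.json dicts."""
    findings = []
    for m in manifests:
        name = m.get("name", "<unnamed>")
        version = m.get("version", "<unknown>")
        if is_denylisted(name, version):
            findings.append(Finding(name, version, "known-compromised",
                                    "matches denylist; remove and rotate secrets"))
        scripts = m.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(Finding(name, version, "install-hook",
                                        f"{hook}: {scripts[hook]}"))
    return findings


def audit_directory(root):
    """Walk node_modules under `root` and audit every package.json found."""
    manifests = []
    for path in Path(root).rglob("package.json"):
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest; skip it
    return audit_manifests(manifests)


# Constructed sample tree: one clean package, one denylisted package (version
# constructed) that also runs a preinstall hook, and one unlisted package with
# a postinstall hook that deserves manual review.
SAMPLE_MANIFESTS = [
    {"name": "clean-utils", "version": "3.1.0", "scripts": {"test": "jest"}},
    {"name": "@vietmoney/react-big-calendar", "version": "1.2.3",
     "scripts": {"preinstall": "node ./scripts/setup.js"}},
    {"name": "native-helper", "version": "0.9.0",
     "scripts": {"postinstall": "node ./scripts/build.js"}},
]

if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"[{f.reason}] {f.name}@{f.version}: {f.detail}")
```

Run `audit_directory("path/to/project")` against a real checkout to get the same findings for an installed tree; an install-hook finding is a review item rather than proof of compromise, since many legitimate native packages build during `postinstall`. A complementary control in CI is npm’s `ignore-scripts` setting, which prevents lifecycle scripts from running at all during installation.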
- Disney Will Pay $10 Million to Settle Children’s Data Privacy Lawsuit
Disney has reached a $10 million civil settlement with U.S. regulators following allegations that it breached the Children’s Online Privacy Protection Act (COPPA) by improperly labeling children’s content and enabling data collection for targeted advertising.
Announcing the federal court order, Assistant Attorney General Brett A. Shumate emphasized the government’s position on children’s privacy, stating that parents must retain control over how their children’s personal information is collected and used, and that violations of these rights will be addressed decisively.
The U.S. Department of Justice, acting on a referral from the Federal Trade Commission (FTC), alleges that Disney failed to properly designate child-directed videos on YouTube as “Made for Kids” (MFK). This designation is critical, as it signals to YouTube to disable personalized advertising and restrict the collection of personal data on content intended for children.
Since 2019, content creators have been required to classify videos and channels as MFK under reforms introduced after Google and YouTube paid $170 million to resolve COPPA violations. These rules are designed to ensure that online platforms obtain verifiable parental consent before collecting personal data from users under the age of 13.
Regulators further claim that Disney continued to mislabel children’s content even after YouTube notified the company in 2020 that it had reclassified more than 300 Disney videos from “Not Made for Kids” to “Made for Kids.” According to the FTC, this misclassification allowed personal data from underage viewers to be collected and leveraged for targeted advertising.
The complaint also notes that Disney benefits financially from advertising revenue generated on its YouTube content, including both ads sold directly by Disney and those placed by YouTube.
As part of the settlement, Disney is required to implement stronger compliance measures, including providing clear notice to parents before collecting children’s personal information and ensuring accurate MFK labeling for all child-directed YouTube content. These steps aim to prevent unlawful data collection and targeted advertising going forward.
The case comes amid broader regulatory scrutiny. In September 2024, the FTC highlighted how video streaming and social media platforms generate billions of dollars annually by monetizing data obtained through extensive tracking of children and teenagers, underscoring growing concerns around digital surveillance and youth privacy in the online ecosystem.
- European Space Agency Confirms Breach After Hacker Offers to Sell Data
The European Space Agency (ESA) has acknowledged a security incident after a threat actor claimed to be in possession of data taken from the organization and attempted to sell it online.
In response, ESA has launched a forensic investigation and begun remediation efforts to secure affected systems. Preliminary findings indicate that the compromised infrastructure was not part of the agency’s core corporate network.
According to ESA, the impacted assets consist of a limited number of externally hosted servers used to support unclassified, collaborative engineering work with the broader scientific community. The agency emphasized that the scope of the incident appears contained.
ESA stated that all relevant parties have been notified and that additional information will be shared as the investigation progresses.
The disclosure follows a post on the BreachForums cybercrime marketplace by a user operating under the alias “888,” who alleged that they gained unauthorized access to ESA systems on December 18.
The actor claimed to be selling approximately 200 GB of data purportedly exfiltrated from ESA environments. The dataset is said to include material from private Bitbucket repositories.
According to the attacker, the stolen data contains source code, API keys and access tokens, configuration files, credentials, and internal documentation. To support these claims, the individual released several screenshots publicly as proof of access.
References:
https://thehackernews.com/2025/12/ibm-warns-of-critical-api-connect-bug.html
https://hackread.com/30000-korean-air-employee-cl0p-leaks-data/
https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/
https://www.securityweek.com/european-space-agency-confirms-breach-after-hacker-offers-to-sell-data/