The CyberWire Daily Podcast 12.2.25
Ep 2444 | 12.2.25

ShadyPanda’s patient poisoning.

Transcript

ShadyPanda plays the long game. India mandates tracking software on mobile devices. Korea weighs punitive damages after a massive breach. Qualcomm patches a critical boot flaw impacting millions. OpenAI patches a Codex CLI vulnerability. Google patches Android zero-days. Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system. Switzerland questions the security of hyperscale clouds and SaaS services. One of the world’s largest cyber insurers pulls back from the market. On our Threat Vector segment, David Moulton sits down with Stav Setty to unpack the Jingle Thief campaign. In Russia, Porsches take a holiday.

Today is Tuesday December 2nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

ShadyPanda plays the long game. 

A seven-year campaign used seemingly legitimate Chrome and Edge extensions to infect 4.3 million users with backdoors and spyware, according to Koi researchers. The group, dubbed ShadyPanda, published clean extensions, waited years to build large user bases, then pushed malicious updates that auto-installed across all devices. Five extensions with more than four million installs remain live in the Microsoft Edge store. One campaign delivered a remote-code-execution backdoor to 300,000 users through five extensions, including Clean Master, which exfiltrated full browsing activity to attacker-controlled servers and included anti-analysis features. Another set of five Edge extensions, including the three-million-install WeTab, still collects extensive behavioral data and sends it in real time to servers in China and Google Analytics. Earlier campaigns silently monetized user traffic or hijacked searches. Koi says the incidents highlight a core marketplace weakness: extension stores review submissions but do not monitor updates after approval.

India mandates tracking software on mobile devices. 

India is expanding its anti-theft and cybersecurity program to cover new and used smartphones, according to Reuters reporting confirmed by the telecom ministry. Companies that buy or trade second-hand devices must now verify each phone’s IMEI number against a central database. The move follows a directive requiring manufacturers to preinstall the government’s Sanchar Saathi app on new phones and push it to existing devices through software updates.

Sanchar Saathi has blocked or traced millions of stolen phones and has seen rapid adoption since its 2023 launch. Critics say mandatory installation expands state access to personal devices without adequate safeguards. Apple has told officials it will not comply, citing privacy and security concerns for its ecosystem.

Korea weighs punitive damages after a massive breach. 

South Korean President Lee Jae Myung ordered a rapid investigation into Coupang’s massive data breach, calling the five-month undetected leak “astonishing” in scale. Officials say information tied to at least 30 million users was accessed after an attacker exploited an electronic signature key. The government is considering punitive damages to deter future lapses, a shift from Korea’s compensatory-only model. Coupang’s CEO said the company will comply with penalties that could reach record levels. Police have not confirmed the attacker’s identity.

Qualcomm patches a critical boot flaw impacting millions. 

Qualcomm issued an urgent security bulletin warning of six high-priority vulnerabilities across millions of devices. The most serious, CVE-2025-47372, threatens the secure boot process that protects devices during startup. Qualcomm says an attacker could bypass checks, install persistent malware, or gain control before the operating system loads. The flaw was found internally, raising questions about how long it existed in deployed devices. Five additional vulnerabilities affect the high-level operating system, trusted-zone firmware, audio, DSP services, and camera functions. Qualcomm is distributing patches to manufacturers and urges immediate deployment. Users should check with their device makers for update timelines.

OpenAI patches a Codex CLI vulnerability. 

OpenAI patched a Codex CLI vulnerability that allowed malicious commands to run automatically on developers’ machines, according to Check Point. The tool implicitly trusted configuration files inside local repositories and executed their instructions without user approval. Attackers who could commit or merge crafted configs could trigger remote access, command execution, credential theft, and lateral movement, creating a reproducible supply-chain backdoor. Compromised templates or popular repos could also infect downstream users. 

Google patches Android zero-days. 

Google’s latest Android Security Bulletin disclosed 107 zero-day vulnerabilities affecting Android and the Android Open Source Project. Fifty-one flaws were patched on December 1, including three high-impact issues in the Android framework. Google says two, CVE-2025-48633 and CVE-2025-48572, may be under limited targeted exploitation and can enable unauthorized information disclosure or elevated access across Android 13 through 16. A third flaw, CVE-2025-48631, could trigger remote denial of service. Google will release the remaining 56 patches on December 5.

Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system. 

The FDA has issued a permanent recall for Baxter’s Life 2000 at-home ventilator system, citing an unspecified cybersecurity issue that could let someone with physical access alter therapy settings or access device data. Baxter began notifying patients in April, but the FDA’s public alert came in late November, warning that continued use could cause serious injury or death. Patients are urged to stop using the device and consult providers for replacements. Baxter reports no related injuries or deaths as of April 10. It remains unclear whether this recall is connected to earlier Life 2000 advisories involving multiple vulnerabilities. Security experts say a permanent recall for a cyber issue is rare and signals significant patient-safety concerns, while noting that neither Baxter nor the FDA has detailed the specific flaw involved.

Switzerland questions the security of hyperscale clouds and SaaS services.

Switzerland’s Conference of Data Protection Officers, Privatim, issued a resolution urging public bodies to avoid hyperscale clouds and most SaaS services due to security risks. The group warns that many SaaS platforms lack true end-to-end encryption and that providers, especially those subject to the US CLOUD Act, could access sensitive data. Privatim also notes that vendors can change terms unilaterally, reducing government control. The resolution concludes that large international SaaS offerings, including Microsoft 365, are generally inappropriate for handling particularly sensitive Swiss government data.

One of the world’s largest cyber insurers pulls back from the market.  

Beazley, one of the world’s largest cyber insurers, is pulling back from the market as rising ransomware and hacking claims drive higher losses, according to the Financial Times. The company’s cyber gross written premiums fell 8 percent to 848 million dollars through September, and executives cite geopolitical volatility as fueling more costly attacks. While Beazley reduces its exposure, rivals like Chubb and AIG are maintaining or expanding their cyber books. Premiums have been declining since early 2024 due to intense competition for a limited pool of buyers. The sector’s strain shows up in the U.K. as well, where the Association of British Insurers reports a 230 percent year-over-year surge in cyber claims, driven largely by malware and ransomware incidents.

Coming up next on our Threat Vector segment, explore Jingle Thief with host David Moulton and Palo Alto Networks’ Stav Setty. We’ll be right back.

Welcome back. You can find a link to David and Stav's full conversation in our show notes and catch new episodes of Threat Vector every Thursday on your favorite podcast app. 

Programming Note: Our team attended today’s NATO Cyber Coalition 2025 Cyber Range Exercise. Stay tuned for our coverage from the event later this week from Tallinn, Estonia. 

In Russia, Porsches take a holiday. 

Hundreds of Porsche owners across Russia found their high-performance machines reduced to very expensive lawn ornaments last week, as a factory-installed satellite security system abruptly stopped talking to the cars it was meant to protect. Drivers from Moscow to Krasnodar reported sudden engine shutdowns and fuel blockages, prompting a rush of service requests to Rolf, the country’s largest dealership group. The outage appears tied to the Vehicle Tracking System, which some owners coaxed back to life by rebooting, disabling, or performing the timeless ritual of leaving the battery unplugged for ten hours. A Rolf representative floated the idea of deliberate interference, though no evidence supports it. Porsche has stayed silent, still unable to divest its remaining Russian subsidiaries two years after suspending operations.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.