Weekly Cybersecurity Threat Intelligence Report: 29-4 Jan 2026
Reading Time: 5 minutes
European Space Agency Confirms Breach After Hacker Offers to Sell Stolen Data
The transition into 2026 has brought a surge of high-impact cyber threats, ranging from critical infrastructure vulnerabilities in enterprise software to sophisticated supply chain attacks targeting the cryptocurrency ecosystem. This weekly advisory breaks down the most significant security events, offering technical insights and mitigation strategies for IT professionals and security stakeholders.
1. Critical Vulnerability Deep Dive
This week, several "zero-day" style vulnerabilities were disclosed, affecting widely used enterprise platforms. Organizations are urged to prioritize these patches due to their high CVSS scores and potential for complete system compromise.
1.1: Apache StreamPipes: Privilege Escalation (CVE-2025-47411)
On December 29, 2025, a significant flaw was revealed in Apache StreamPipes (versions 0.69.0 to 0.97.0).
- The Threat: A non-administrative user can manipulate JSON Web Tokens (JWT) to gain full administrative control.
- The Mechanism: Flawed user ID creation allows a legitimate user to replace their username in a token with an admin's username; the system fails to validate this change.
- Impact: Attackers can manipulate real-time data pipelines, expose proprietary telemetry, and alter system settings.
- Mitigation: Upgrade immediately to version 0.98.0.
Reference: https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36
1.2: IBM API Connect: Authentication Bypass (CVE-2025-13915)
IBM disclosed a critical vulnerability (CVSS 9.8) affecting its API Connect platform.
- The Threat: Remote attackers can bypass authentication controls to access sensitive API configurations and backend services without valid credentials.
- Affected Versions: 10.0.8.0 through 10.0.8.5 and 10.0.11.0.
- Mitigation: Apply interim fixes from IBM Fix Central. If patching is delayed, disable self-service sign-up on the Developer Portal.
Reference: https://www.ibm.com/support/pages/node/7255149
1.3: SmarterMail: Remote Code Execution (CVE-2025-52691)
The Cyber Security Agency of Singapore (CSA) issued a "perfect 10" CVSS alert for SmarterTools SmarterMail.
- The Threat: An arbitrary file upload weakness allows unauthenticated attackers to upload and execute malicious web shells or binaries.
- Impact: Complete server takeover with the privileges of the SmarterMail service.
- Mitigation: Ensure you are running Build 9483 or later (released Dec 18, 2025).
Reference: https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
2. Active Attack Campaigns
2.1: The Shai-Hulud Supply Chain Worm & Trust Wallet Heist
A devastating supply chain attack linked to the Shai-Hulud 2.0 worm resulted in the theft of $8.5 million from Trust Wallet users.
- Infiltration: The worm compromised the npm ecosystem and harvested developer secrets from GitHub.
- Execution: Attackers used stolen Chrome Web Store API tokens to upload a malicious version (v2.68) of the Trust Wallet extension.
- The Fallout: 2,520 wallets were drained between Dec 24 and Dec 26, 2025.
- New Variant: Researchers have already detected Shai-Hulud 3.0, which continues to harvest secrets at install time.
2.2: Covenant Health: Ransomware Impact Escalates
A breach originally reported in mid-2025 has been revealed as far more extensive.
- Scope: 478,188 patients across the Northeastern United States (MA, ME, NH, PA, RI, VT) are affected.
- Attacker: The Qilin ransomware group claimed the theft of 850 GB of data after Covenant Health refused to pay.
- Data Exposed: Social Security numbers, medical records, and treatment details.
Reference:
https://www.maine.gov/cgi-bin/agviewerad/ret?loc=2817
3. Global Security News
3.1: European Space Agency (ESA) Data Leak
On December 30, 2025, the ESA confirmed a breach after a hacker named “888” offered 200 GB of stolen data for sale.
- Details: The breach affected external servers used for unclassified scientific collaboration.
- Stolen Assets: Source code from private Bitbucket repositories, API tokens, and credentials.
- Status: No evidence suggests mission-critical or classified systems were compromised.
Reference: https://x.com/esa/status/2005938460448715055
3.2: Coupang’s $1.17 Billion Compensation Plan
South Korean e-commerce giant Coupang is issuing massive payouts following a breach of 33.7 million accounts.
- Cause: An internal threat—a former employee unlawfully accessed systems.
- Remediation: Every affected user will receive a 50,000 won (~$34.84) voucher starting Jan 15, 2026.
Reference: https://news.coupang.com/archives/58960/
3.3: OpenAI Hardens ChatGPT Atlas
Recognizing the rise of Agentic AI, OpenAI has updated its "Atlas" browser agent to fight prompt injection.
- The Risk: Attackers hide malicious instructions in emails or web pages that the AI agent might follow (e.g., "delete all files").
- The Solution: An automated red-teaming system powered by reinforcement learning that discovers and trains the AI against new attack patterns.
Reference: https://openai.com/index/hardening-atlas-against-prompt-injection/
Action Plan for Security Teams
To protect your infrastructure against these emerging 2026 threats, we recommend the following immediate actions:
- Inventory Check: Identify all instances of Apache StreamPipes, IBM API Connect, and SmarterMail. Apply the latest security builds immediately.
- Secret Rotation: If your development team uses npm or GitHub, rotate all API tokens and review repository access logs for signs of Shai-Hulud activity.
- AI Governance: If deploying AI agents like ChatGPT Atlas, enforce "Human-in-the-loop" confirmations for sensitive actions and limit agent permissions.
- Employee Offboarding: Review and strengthen access revocation policies for departing employees to prevent Coupang-style internal breaches.
Stay secure. Stay informed.
Crowe UAE – Cyber Threat Management
+971 542468006 | [email protected]