
The ClickFix threat has evolved into a more aggressive variant dubbed CrashFix, which turns user frustration into a weapon for deploying the ModeloRAT trojan. By intentionally freezing browsers with a fake ad-blocker extension, attackers force victims into a panic-driven repair loop that leads straight to a compromised system.
A high-stakes supply chain attack has struck at the heart of the decentralized finance world, poisoning official npm and PyPI libraries used by the dYdX exchange. By hijacking legitimate developer credentials, attackers turned trusted trading tools into sleeper agents capable of siphoning cryptocurrency wallets and deploying remote access trojans.
A critical sandbox escape in the n8n automation platform, tracked as CVE-2026-25049, has transformed standard data workflows into high-risk gateways for server takeovers. By exploiting flaws in how the platform sanitizes JavaScript, attackers can leap from a simple automation task to executing arbitrary commands on the underlying host.
Top Malware Reported in the Last 24 Hours
Kimwolf botnet launches record DDoS attack
The AISURU/Kimwolf botnet has executed a record-breaking DDoS attack that peaked at 31.4 Tbps for 35 seconds in November 2025. This surge is part of a trend where DDoS attacks increased by 121% in 2025, with Cloudflare mitigating 34.4 million network-layer attacks throughout the year. The botnet has compromised over 2 million Android devices, primarily off-brand TVs, by exploiting residential proxy networks like IPIDEA. In response to this growing threat, Google and Cloudflare disrupted IPIDEA's infrastructure, targeting domains used for command and control. The most affected sectors included telecommunications, IT, and gaming, while countries like China, Hong Kong, and Germany experienced the highest number of attacks.
CrashFix: New ClickFix variant drops ModeloRAT
A new variant of the ClickFix malware campaign, known as CrashFix, employs a malicious browser extension to intentionally crash users' browsers, tricking them into executing harmful commands. Users searching for ad blockers are lured to install a fake extension, such as NexShield, which, after lying dormant for about an hour, triggers a denial-of-service attack that freezes the browser. When users restart their browsers, they encounter a fake security warning prompting them to run a command that unknowingly downloads a RAT called ModeloRAT. This RAT allows attackers to gather network information, evade detection, and target corporate networks. The circular nature of the attack ensures repeated browser crashes, increasing the chances of user compliance as they seek a solution to the ongoing issue.
Compromised npm and PyPI packages deliver malware
Cybersecurity researchers have identified a supply chain attack involving compromised npm and PyPI packages that deliver wallet stealers and RATs. The affected packages, @dydxprotocol/v4-client-js and dydx-v4-client, are used for interacting with the dYdX v4 protocol, which manages sensitive cryptocurrency operations. Malicious versions of these packages were published using legitimate credentials, allowing attackers to insert harmful code targeting both JavaScript and Python ecosystems. The npm version focuses on stealing cryptocurrency wallet credentials, while the PyPI version includes a RAT that executes commands from an external server upon import.
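A quick way to find out whether either of the named packages is present in a project, as an added example that is not part of this digest and not dYdX's own tooling: it walks npm lockfiles (the nested tree of lockfileVersion 1 and the flat `packages` map of versions 2/3) and requirements or pip-freeze text for the two package names above. The digest does not give the malicious version numbers, so `KNOWN_BAD` is a placeholder to fill from the official advisory and every match is reported for manual version review; the sample inputs are constructed.

```python
import json
import re

# Package names exactly as reported in the advisory (npm and PyPI respectively).
WATCHLIST = {"npm": {"@dydxprotocol/v4-client-js"}, "pypi": {"dydx-v4-client"}}
# Placeholder: the digest gives no version numbers; fill from the official advisory.
KNOWN_BAD = {"npm": {}, "pypi": {}}

def _walk_v1(deps, path, hits):
    """Recurse through the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in (deps or {}).items():
        if name in WATCHLIST["npm"]:
            hits.append((name, meta.get("version"), "/".join(path + [name])))
        _walk_v1(meta.get("dependencies"), path + [name], hits)

def scan_package_lock(text):
    """Return [(name, version, location)] for watched packages in package-lock.json text."""
    lock, hits = json.loads(text), []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for key, meta in lock["packages"].items():
            name = meta.get("name") or key.split("node_modules/")[-1]
            if name in WATCHLIST["npm"]:
                hits.append((name, meta.get("version"), key))
    else:  # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits

def scan_requirements(text):
    """Return [(name, version, line)] for watched PyPI packages in requirements.txt or
    pip-freeze text; names are normalised as PyPI does (case and '-', '_', '.' folded)."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;]+))?", line)
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else None
        if name in WATCHLIST["pypi"]:
            hits.append((name, m.group(2), line))
    return hits

def classify(eco, name, version):
    """'confirmed-malicious' only for versions listed in KNOWN_BAD, else 'review': an
    unlisted version is not evidence of safety when the publish used valid credentials."""
    return "confirmed-malicious" if version in KNOWN_BAD[eco].get(name, set()) else "review"

# Constructed sample inputs (not real project files) for a stand-alone run.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "0.0.0-constructed"}}})
SAMPLE_REQS = "requests==2.32.0\nDydx_V4_Client==0.0.0.constructed  # constructed\n"
```

Run both scanners over real lockfiles and feed every hit to `classify`; treat any `review` result as a prompt to pin or remove the package until its version is confirmed clean.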
Top Vulnerabilities Reported in the Last 24 Hours
Critical n8n flaw enables command execution
A critical vulnerability, tracked as CVE-2026-25049, has been discovered in the n8n workflow automation platform, allowing attackers to execute arbitrary system commands through malicious workflows. This flaw stems from inadequate sanitization, which bypasses previous protections implemented for another vulnerability, CVE-2025-68613. An authenticated user with permission to create or modify workflows can exploit this vulnerability by crafting specific expressions that trigger unintended command execution on the host system. The issue is exacerbated by n8n's webhook feature, which can expose workflows to the public, enabling remote code execution. Security researchers have noted that the vulnerability allows attackers to compromise servers, steal sensitive credentials, and potentially install backdoors for persistent access.
F5 issues urgent security patches
F5 released security fixes for vulnerabilities in BIG-IP and NGINX products, with CVSS v4.0 scores of up to 8.2. BIG-IP Advanced WAF and ASM vulnerabilities (CVE-2026-22548) allow attackers to bypass security controls; patches are available in version 17.1.3. NGINX vulnerabilities (CVE-2026-1642) affect multiple components, posing risks to unpatched instances. Container Ingress Services (CVE-2026-22549) in Kubernetes/OpenShift environments have a medium-severity vulnerability; version 2.20.2 resolves the issue. Admins should review BIG-IP SMTP configurations to avoid exposing an unauthorized mail relay.