Vulnerabilities in React and Blackmail of PornHub Users: How Cybercriminals Attack in 2025

We have compiled the most significant news from the world of cybersecurity for the week.

Recently, there has been a surge in incidents in which malware designed to drain cryptocurrency wallets is planted on websites. The malware gets onto sites through a vulnerability in React, the popular JavaScript library for building user interfaces, as reported by Cointelegraph.

On December 3, the React team announced that white hat hacker Lachlan Davidson discovered a vulnerability that permits remote code execution without authentication. On the same day, the experts released a patch.

According to the nonprofit cybersecurity organization Security Alliance (SEAL), attackers are exploiting this vulnerability to stealthily add drainer code to cryptocurrency websites.

SEAL emphasized that not only Web3 protocols are at risk, but all websites in general. Users have been advised to exercise extreme caution when signing any transactions or permissions.

Users of the adult platform Pornhub are being extorted by the hacker group ShinyHunters. The company's management reported this in a letter to users.

The letter indicated that the platform suffered from a breach involving the third-party analytics provider Mixpanel. The incident occurred on November 8, 2025, following a smishing attack.

According to BleepingComputer, Pornhub has not worked with Mixpanel since 2021, which narrows down when the data could have been collected.

Mixpanel confirmed that the breach affected a «limited number» of clients, among them previously named companies such as OpenAI and CoinTracker.

In a comment to BleepingComputer, Mixpanel representatives stated that they do not consider their systems to be the source of the leak:

“We find no indication that this data was stolen from Mixpanel during the November incident or otherwise. The last legitimate access to this information was from an employee’s account at Pornhub’s parent company in 2023.”

BleepingComputer learned that ShinyHunters began blackmailing Mixpanel clients last week by sending ransom emails.

In the ultimatum sent to Pornhub, the hackers claimed to have stolen 94 GB of data containing over 200 million records of personal information.

Later, the group confirmed to the publication that the database includes 201,211,943 premium subscriber accounts.

The hackers provided the editorial team with a sample of the stolen data, which contained sensitive information.

A new infostealer called SantaStealer is being heavily advertised on Telegram and hacker forums. It is distributed under a subscription model known as CaaS, researchers from Rapid7 reported.

According to their findings, SantaStealer is a new iteration of the malware BluelineStealer, operating solely in memory to evade detection by antivirus software.

The developer is actively marketing the software ahead of its full launch scheduled for the end of the year.

A monthly CaaS subscription is offered in two tiers.

Rapid7 experts analyzed several SantaStealer samples and gained access to the affiliate panel. Despite its numerous data-theft mechanisms, the malware did not live up to its advertised ability to evade detection systems.

The research revealed that the stealer’s control panel has a user-friendly design where «clients» can customize their setups: from extensive data theft to compact payloads with precise targeting.

SantaStealer employs 14 different data collection modules, each running in a separate thread. The stolen information is held in memory, compressed into a ZIP archive, and sent to the command-and-control server in chunks of 10 MB.
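The fixed 10 MB chunking described above is a pattern a defender can look for at the network edge. The following detector is an added example and not Rapid7's code or anything taken from the malware: it reads constructed proxy-style log lines (timestamp, source IP, method, URL, request body size) and flags a source that sends several consecutive POST bodies of about 10 MiB to one host, optionally followed by a smaller remainder. The log format, the 10 MiB = 10 × 1024 × 1024 assumption and the tolerance value are assumptions for this illustration.

```python
"""Flag chunked-upload bursts (~10 MiB POSTs) in proxy logs.

Added example; not part of the original article or of Rapid7's research.
The log line format below is an assumed, simplified proxy format:
    <ISO timestamp> <src ip> <METHOD> <url> <request bytes>
"""
import re
from collections import defaultdict

CHUNK = 10 * 1024 * 1024          # assumed chunk size: 10 MiB
TOLERANCE = 64 * 1024             # allow some framing/encryption overhead

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log (not real traffic): one host receives three full
# chunks plus a 2.3 MB remainder; a backup host sees one large, benign POST.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 POST http://203.0.113.9/api/upload 10485760
2025-12-01T10:00:04Z 10.0.0.5 POST http://203.0.113.9/api/upload 10485760
2025-12-01T10:00:07Z 10.0.0.5 POST http://203.0.113.9/api/upload 10485760
2025-12-01T10:00:09Z 10.0.0.5 POST http://203.0.113.9/api/upload 2300000
2025-12-01T10:01:00Z 10.0.0.8 POST https://backup.example.net/put 10485760
2025-12-01T10:01:30Z 10.0.0.8 GET https://backup.example.net/status 512
2025-12-01T10:02:00Z 10.0.0.8 POST https://backup.example.net/put 4000
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        rec["host"] = rec["url"].split("/")[2]   # scheme://host/...
        yield rec


def find_chunked_uploads(log_text, min_full_chunks=2):
    """Return one finding per (src, host) flow that shows a run of at least
    `min_full_chunks` POSTs sized within TOLERANCE of CHUNK. A smaller POST
    that ends the run is counted as the final, partial chunk."""
    flows = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["method"] == "POST":
            flows[(rec["src"], rec["host"])].append(rec)

    hits = []
    for (src, host), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        run = []
        for r in recs + [None]:               # None flushes the last run
            if r is not None and abs(r["bytes"] - CHUNK) <= TOLERANCE:
                run.append(r)
                continue
            if len(run) >= min_full_chunks:
                tail = r["bytes"] if r is not None and r["bytes"] < CHUNK else 0
                hits.append({
                    "src": src,
                    "host": host,
                    "full_chunks": len(run),
                    "tail_bytes": tail,
                    "total_bytes": sum(x["bytes"] for x in run) + tail,
                    "first_seen": run[0]["ts"],
                    "last_seen": r["ts"] if tail else run[-1]["ts"],
                })
            run = []
    return hits


if __name__ == "__main__":
    for hit in find_chunked_uploads(SAMPLE_LOG):
        print(hit)
```

The threshold of two full chunks is deliberately low; a single 10 MiB POST is ordinary backup or CDN traffic, which is why the second flow in the sample is not reported. Tune `min_full_chunks` and `TOLERANCE` to your environment before alerting on this.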

According to the researchers, SantaStealer can be used for:

Cybersecurity specialists on Amazon's GuardDuty team discovered a covert cryptocurrency-mining campaign targeting workloads that run virtual machines and containers on Elastic Compute Cloud (EC2) and Elastic Container Service (ECS).

By deploying cryptocurrency miners on these resources, the attackers profit at the expense of AWS clients and Amazon itself, who bear costs for computing resources.

The attack used a Docker Hub image created at the end of October that had over 100,000 downloads at the time of detection. Amazon stressed that the attackers did not breach any software directly; they accessed customers' accounts using stolen credentials.

The report noted that a distinctive feature of this campaign was a configuration that prevents the compromised instances from being shut down remotely through the API. Responders therefore had to clear that protection manually before they could stop the mining.
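The two facts that matter for response here are which credential launched the miners and that the instances were configured so they could not simply be terminated. The script below is an added example, not Amazon's or GuardDuty's code. It assumes the protective setting is EC2 termination protection (the `disableApiTermination` attribute), which is one interpretation of the report's wording, and scans constructed, simplified CloudTrail-style events for `RunInstances` and `ModifyInstanceAttribute` calls that enable it. The event field names follow CloudTrail conventions but are simplified, and the sample data is invented. From the findings it prints the AWS CLI steps in the order they must run: clear the attribute, terminate, then rotate the key.

```python
"""Triage helper: find EC2 termination-protected launches and the
credential behind them in CloudTrail-style events.

Added example; not part of the original article or of AWS tooling.
Event shapes are simplified from CloudTrail and the sample events are
constructed for this illustration.
"""
import json
from collections import defaultdict

# Constructed sample events (not real logs). Key AKIAEXAMPLE0001 launches
# a large instance with termination protection, then protects a second
# instance; key AKIAEXAMPLE0002 is an ordinary launch.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-02T03:11:09Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceType": "c5.4xlarge",
                           "disableApiTermination": True},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
    {"eventTime": "2025-11-02T03:12:40Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceId": "i-0def",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE0002"},
     "sourceIPAddress": "198.51.100.5",
     "requestParameters": {"instanceType": "t3.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ghi"}]}}},
]


def _termination_protected(event):
    """True if the call enabled termination protection. RunInstances carries
    a bare boolean; ModifyInstanceAttribute wraps it as {"value": bool}."""
    flag = (event.get("requestParameters") or {}).get("disableApiTermination")
    if isinstance(flag, dict):
        flag = flag.get("value")
    return bool(flag)


def _instance_ids(event):
    """Instance IDs touched by the call, from the request or the response."""
    params = event.get("requestParameters") or {}
    if "instanceId" in params:
        return [params["instanceId"]]
    items = ((event.get("responseElements") or {})
             .get("instancesSet") or {}).get("items") or []
    return [i["instanceId"] for i in items]


def find_protected_launches(events):
    """Map accessKeyId -> {"instances": [...], "sourceIPs": [...]} for every
    credential that enabled termination protection. These are the keys to
    rotate first and the instances whose attribute must be cleared before
    TerminateInstances will succeed."""
    acc = defaultdict(lambda: {"instances": [], "sourceIPs": set()})
    for ev in events:
        if ev.get("eventName") not in ("RunInstances", "ModifyInstanceAttribute"):
            continue
        if not _termination_protected(ev):
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "<unknown>")
        acc[key]["instances"].extend(_instance_ids(ev))
        acc[key]["sourceIPs"].add(ev.get("sourceIPAddress", "?"))
    return {k: {"instances": v["instances"], "sourceIPs": sorted(v["sourceIPs"])}
            for k, v in acc.items()}


def remediation_plan(findings):
    """AWS CLI commands in the order they have to run."""
    steps = []
    for key, f in findings.items():
        for iid in f["instances"]:
            steps.append(f"aws ec2 modify-instance-attribute --instance-id {iid} "
                         f"--no-disable-api-termination")
            steps.append(f"aws ec2 terminate-instances --instance-ids {iid}")
        steps.append(f"# rotate/deactivate access key {key} "
                     f"(seen from {', '.join(f['sourceIPs'])})")
    return steps


if __name__ == "__main__":
    found = find_protected_launches(SAMPLE_EVENTS)
    print(json.dumps(found, indent=2))
    print("\n".join(remediation_plan(found)))
```

In a real investigation, feed it the output of an Athena or `aws cloudtrail lookup-events` query rather than the embedded sample, and extend the matched event names to the ECS equivalents (for example `RunTask`) if the campaign touched container workloads in your account.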

Amazon advised the affected clients to change their compromised credentials. The malicious image has been removed from Docker Hub, but experts warned of the possibility of it being re-uploaded under different accounts or names.

A Bitcoin investor lost his funds after falling victim to a pig butchering scam. This was reported by Terence Michael of the consultancy The Bitcoin Adviser.

He stated that an unnamed client first transferred cryptocurrency to a scammer posing as a trader who claimed he could double the investor's assets. The scammer, Michael noted, also posed as a woman infatuated with the investor.

Despite «numerous phone calls» and «a series of text messages» warning him, Michael could not persuade the client to stop sending BTC.

“[…] last night, while I was at dinner, I received a devastating message from him saying that he had lost everything.”

In addition to losing his retirement savings, the newly divorced investor also bought a plane ticket for the scammer, expecting to meet the “woman.” Once the funds had been sent, the fraudster admitted that the photos used were AI-generated.

An advertisement served by a household refrigerator's algorithm, which coincidentally matched the owner's name, triggered a severe psychotic episode in her.