NordVPN development breach π, Critical infrastructure vulns β‘, ShinyHunters honeypot trap πΈοΈ, Undersea cable sabotage π’
Daily Threat Intel Digest - January 5, 2026
π΄ Critical Threats & Active Exploitation
[NEW] Threat Actor Allegedly Leaks NordVPN Salesforce and Jira Data
A threat actor using the alias “1011” claims to have breached a NordVPN development environment, leaking internal Salesforce and Jira data. The attacker alleges they brute-forced a misconfigured development server to exfiltrate database source code files, API keys, and backend tokens. While the legitimacy of the leak and any impact on NordVPN’s production systems remain unconfirmed, the exposure of internal integration data could enable attackers to map out backend systems and launch deeper intrusions. This incident highlights the ongoing risk of insecure development environments, which often contain credentials and configuration data with ties to live services [Cyber Security News].
[NEW] Critical Eaton and QNAP Vulnerabilities Demand Immediate Patching
Two separate vendors have released patches for high-severity vulnerabilities that could allow attackers to execute code and access sensitive data. Eaton has patched two flaws in its UPS software (CVE-2025-5988, CVSS 8.6; CVE-2025-59888, CVSS 6.7) that allow for arbitrary code execution via insecure library loading and improper path quotation. All versions before v3.0 are vulnerable. Separately, QNAP has fixed two moderate-severity memory issues in its License Center application (CVE-2025-52871 and CVE-2025-53597) which allow authenticated users to read unauthorized data or administrators to crash processes. Organizations using these systems should apply the updates immediately to prevent compromise of critical power management and network storage infrastructure [Cyber Security News; Cyber Security News].
π― Threat Actor Activity & Campaigns
[UPDATE] Resecurity Honeypot Exposes ShinyHunters’ Infrastructure and Tactics
New details confirm that the notorious ShinyHunters cybercrime group was trapped in a sophisticated honeypot operation run by Resecurity in late 2025. After an initial probe in November, Resecurity deployed a deception environment with over 28,000 synthetic consumer records and 190,000 fake payment transactions. The attackers took the bait, making more than 188,000 automated requests to steal the worthless data. Operational security failures during this exfiltration, including connection errors, exposed the attackers’ real IP addresses, which Resecurity shared with law enforcement. Screenshots posted by ShinyHunters as “proof” of their compromise unknowingly confirmed they had only accessed the honeytrap environment [Cyber Security News].
[NEW] Cargo Ship Crew Detained Over Suspected Sabotage of Undersea Cable
Finnish authorities have arrested the crew of a cargo ship suspected of deliberately damaging an undersea telecommunications cable connecting Helsinki and Estonia. The vessel, registered in St. Vincent and the Grenadines and sailing from Russia, was allegedly dragging its anchor along the seabed. This incident, part of a pattern of similar events in the Baltic Sea, is being investigated as aggravated criminal damage and interference with telecommunications, raising fresh alarms about hybrid warfare campaigns targeting critical global infrastructure [Cyber Security News; BBC].
π‘οΈ Defense & Detection
[NEW] GHOSTCREW Toolkit Automates AI-Driven Penetration Testing
Security teams should be aware of GHOSTCREW, a new AI-driven red team toolkit that automates and orchestrates complex penetration testing tasks. The platform uses natural language commands to manage an arsenal of over 18 integrated security tools, including Nmap, Metasploit, and SQLMap. By automating workflows and generating reports, GHOSTCREW significantly lowers the technical barrier for conducting sophisticated, multi-vector attacks. This development signals a shift toward more autonomous offensive operations, requiring defenses to adapt to faster, more intelligent attack chains that can rapidly combine multiple tools and techniques [Cyber Security News].
[NEW] ProfileHound Tool Uncovers Dormant AD Profiles Full of Secrets
A new open-source tool, ProfileHound, provides red teams with enhanced post-exploitation capabilities in Active Directory environments by locating dormant user profiles. Unlike traditional session monitoring, ProfileHound integrates with BloodHound to identify user profiles stored on domain-connected machines that may contain years of accumulated secrets like cached credentials, DPAPI data, and cloud access tokens. The tool analyzes NTUSER.DAT files to create new attack paths, forcing defense teams to expand their monitoring beyond active logins to include long-forgotten but highly privileged profile data [Cyber Security News].