Threatsday Bulletin: Wi-fi Hack, Npm Worm, Defi Theft, Phishing...

Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other.

Here's a quick rundown of the latest cyber stories that show how fast the game keeps changing.

A critical exploit targeting Yearn Finance's yETH pool on Ethereum has been exploited by unknown threat actors, resulting in the theft of approximately $9 million from the protocol. The attack is said to have abused a flaw in how the protocol manages its internal accounting, stemming from the fact that a cache containing calculated values to save on gas fees was never cleared when the pool was completely emptied. "The attacker achieved this by minting an astronomical number of tokens – 235 septillion yETH (a 41-digit number) – while depositing only 16 wei, worth approximately $0.000000000000000045," Check Point said. "This represents one of the most capital-efficient exploits in DeFi history."

Fortinet said it discovered 151 new samples of BPFDoor and three of Symbiote exploiting extended Berkeley Packet Filters (eBPFs) to enhance stealth through IPv6 support, UDP traffic, and dynamic port hopping for covert command-and-control (C2) communication. In the case of Symbiote, the BPF instructions show the new variant only accepts IPv4 or IPv6 packets for protocols TCP, UDP, and SCTP on non-standard ports 54778, 58870, 59666, 54879, 57987, 64322, 45677, and 63227. Coming to BPFDoor, the newly identified artifacts have been found to support both IPv4 and IPv6, as well as switch to a completely different magic packet mechanism. "Malware authors are enhancing their BPF filters to increase their chances of evading detection. Symbiote uses port hopping on UDP high ports, and BPFDoor implements IPv6 support," security researcher Axelle Apvrille said.

Microsoft said it detected and blocked on November 26, 2025, a high-volume phishing campaign from a threat actor named Storm-0900. "The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients' suspicion," it said. "The campaign consisted of tens of thousands of emails and targeted primarily users in the United States." The URLs redirected to an attacker-controlled landing page that first required users to solve a slider CAPTCHA by clicking and dragging a slider, followed by ClickFix, which tricked users into running a malicious PowerShell script under t

Source: The Hacker News