Happy start of the year!

In this week's brief:

Trust Wallet's browser extension was compromised in another Shai-Hulud supply chain attack, draining $8.5 million from over 2,500 wallets and highlighting how even established crypto platforms remain vulnerable
Human risk incidents jumped 90% according to KnowBe4's latest study, with AI applications now the second-fastest growing attack vector as employees struggle with unauthorized AI tool usage
The job market reality check continues as a retired military professional with 12 years of experience and a CISSP can't land interviews, reflecting broader workforce challenges many of us are witnessing

A quick note before we dive in.

Industry News

Attackers sent 9,394 phishing emails from legitimate Google address by abusing Google Cloud's Application Integration Send Email task to impersonate routine enterprise notifications like voicemail alerts and file access requests.
The campaign used a multi-stage redirection flow starting with trusted storage.cloud.google.com links, then filtering through fake CAPTCHAs on googleusercontent.com, before ultimately directing victims to fake Microsoft login pages hosted on non-Microsoft domains.
Primary targets included manufacturing (19.6%), technology/SaaS (18.9%), and finance/banking/insurance (14.8%) organizations across the United States (48.6%), Asia-Pacific (20.7%), and Europe (19.8%), with the attack leveraging legitimate cloud infrastructure to bypass traditional sender reputation controls.

CloudSEK researchers discovered a nine-month RondoDoX botnet campaign that recently shifted to exploiting a critical Next.js vulnerability, deploying malicious payloads including cryptominers and the "React2Shell" backdoor through six confirmed C2 servers.
The threat actors have conducted over 40 exploitation attempts within six days targeting Next.js Server Actions through prototype pollution attacks, while simultaneously maintaining automated campaigns against IoT devices including routers and cameras.
The campaign demonstrates three distinct phases from March to December 2025, with attackers deploying multi-architecture binaries across x86, ARM, and MIPS systems while implementing aggressive persistence mechanisms that terminate competing malware and establish cron-based backdoors.

Trust Wallet's GitHub secrets were exposed during the second iteration of the Shai-Hulud supply chain attack, allowing threat actors to gain Chrome Web Store API access and push a malicious version 2.68 of their browser extension on December 24, 2025.
The trojanized extension contained a backdoor that harvested wallet mnemonic phrases from all configured wallets during every unlock attempt, exfiltrating the data to a domain hosted on bulletproof hosting provider Stark Industries Solutions.
The attack resulted in $8.5 million in cryptocurrency being drained from 2,520 wallet addresses, with Trust Wallet now processing reimbursement claims while implementing additional monitoring controls to prevent future supply chain compromises.

Member-Only Content

Join Mandos to Continue Reading

Get instant access to this article and the Mandos Brief - your weekly 10-minute security leadership update.

Already a member? Sign in