Stopping Identity Theft Starts In Your Inbox
How email-based scams fuel identity theft and what individuals can do about it

Welcome to the December edition of Upfort’s Threat Matrix! As the year winds down, cyber threats show no signs of slowing. This month’s roundup highlights the wide range of tactics attackers are using—from poisoned open-source libraries and fake mobile apps to credential-stealing browser extensions and extortion-driven breaches.
Even widely trusted platforms like Chrome and Apple's devices, and yes, Pornhub, aren't immune, which makes it clear that small businesses must stay vigilant not just about their internal systems but also about the tools and third-party services they rely on every day.
Read on for this month’s top threats and practical steps your business can take to stay protected.
Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.
Google has removed dozens of malicious extensions from the Chrome Web Store after researchers found they were stealing user credentials and tracking browsing activity. The extensions—some disguised as productivity tools or file converters—were downloaded over 75 million times.
Once installed, they monitored users’ online activity and sent sensitive information, like login credentials, back to attacker-controlled servers. Some also modified search results or injected ads.
While Google has removed the known extensions, similar threats regularly reappear under new names, especially when users don’t carefully vet what they install.
How to protect your business: Only allow vetted extensions in company browsers. Use Chrome's enterprise policies to block everything that is not on an approved allowlist, audit the extensions installed on employee browsers on a regular schedule, and educate your team to avoid installing unknown or unnecessary add-ons, especially ones that ask for access to all websites, cookies, or web requests.
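As an added example (not Upfort's code, and not a Google tool), here is what "use admin policies to restrict installs" and "audit employee browser extensions" look like in practice. The policy keys ExtensionInstallBlocklist and ExtensionInstallAllowlist are real Chrome enterprise policy names; on Linux the generated JSON goes in /etc/opt/chrome/policies/managed/, and on Windows and macOS the same keys are delivered by registry or configuration profile. The extension IDs, the sample Extensions directory and the list of risky permissions are assumptions constructed for the example. On a real machine you would point the audit at the profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux).

```python
"""Added example: build a Chrome allowlist policy and audit a profile's
Extensions directory against it. Not code from Upfort or Google."""
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of vetted 32-character Chrome extension IDs.
ALLOWED_EXTENSION_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # hypothetical: company password manager
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",  # hypothetical: approved PDF viewer
}

# Permissions that let an extension read credentials, cookies or traffic.
# An unapproved extension asking for these deserves immediate attention.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                     "history", "scripting", "<all_urls>"}


def build_chrome_policy(allowed_ids):
    """Block every extension ("*"), then allow only the vetted IDs.
    Both keys are real Chrome enterprise policies."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowed_ids),
    }


def audit_extensions_dir(extensions_dir, allowed_ids):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report each
    installed extension: whether it is allowlisted and which risky permissions
    its manifest requests (permissions plus MV3 host_permissions)."""
    findings = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        for version_dir in sorted(ext_dir.iterdir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            perms = set(manifest.get("permissions", []))
            perms |= set(manifest.get("host_permissions", []))
            findings.append({
                "id": ext_dir.name,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", version_dir.name),
                "allowed": ext_dir.name in allowed_ids,
                "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            })
    return findings


def unapproved(findings):
    """Only the extensions that are not on the allowlist."""
    return [f for f in findings if not f["allowed"]]


def make_sample_extensions_dir():
    """Constructed sample profile: one allowlisted extension and one
    'file converter' that is not allowlisted and wants broad access."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Company Password Manager", "version": "3.1.0",
            "manifest_version": 3, "permissions": ["storage"]},
        "cccccccccccccccccccccccccccccccc": {
            "name": "Free PDF Converter", "version": "1.0.2",
            "manifest_version": 3,
            "permissions": ["cookies", "tabs", "webRequest"],
            "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / f"{manifest['version']}_0"  # Chrome's <version>_<n> layout
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    print(json.dumps(build_chrome_policy(ALLOWED_EXTENSION_IDS), indent=2))
    for f in audit_extensions_dir(make_sample_extensions_dir(), ALLOWED_EXTENSION_IDS):
        status = "ok        " if f["allowed"] else "UNAPPROVED"
        print(f"{status} {f['id']} {f['name']} {f['version']} risky={f['risky_permissions']}")
```

The audit reads manifests straight from disk, so it works on a machine where the policy was never applied and on a profile that predates it; the policy stops new installs, the audit catches what is already there.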

Baker University has disclosed a data breach that exposed the personal information of more than 53,000 individuals. The breach stemmed from unauthorized access to internal systems earlier this year and affected students, alumni, and staff.
Compromised data includes names, Social Security numbers, and other sensitive details that could be used for identity theft or financial fraud. The university has begun notifying affected individuals and offering credit monitoring services.
How to protect your business: Minimize the storage of sensitive data whenever possible, and ensure that anything retained is encrypted and access-controlled. Regularly audit systems for vulnerabilities, and prepare a breach response plan in case of incidents.
Nissan North America has disclosed that a data breach at software vendor Red Hat resulted in the exposure of personal information belonging to thousands of its customers. The breach occurred when an unauthorized party accessed a Red Hat customer support system used by Nissan.
Exposed data may include customer names, company information, and support case details. While financial data and Social Security numbers were reportedly not involved, the incident raises concerns about the security of third-party platforms used by enterprise vendors.
How to protect your business: Review every vendor relationship that involves a support platform or shared system. Require partners to enforce multi-factor authentication and least-privilege access on those systems, limit the customer data you share through external support tools to what the case actually needs, and subscribe to your vendors' breach notifications so you hear about an incident from them rather than from the news.
Security researchers have discovered a malicious package in the npm JavaScript repository designed to hijack WhatsApp accounts. The package mimics a legitimate tool and, once installed, steals authentication tokens, session data, and messages from users running WhatsApp Web.
This attack highlights growing risks from poisoned open-source packages—a common tactic used to compromise developers and organizations indirectly by sneaking malicious code into widely used libraries or tools.
How to protect your business: Avoid installing unverified npm packages, especially ones with few downloads, unclear authorship, or names that closely resemble popular libraries. Pin dependency versions in a lockfile, scan dependencies with software composition analysis (SCA) tools, and lock down developer machines so that a stolen token or session cannot be reused from elsewhere.
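As an added example (not Upfort's code, and not part of npm or any SCA product), here is a small audit of an npm package-lock.json that flags three of the warning signs above: a dependency whose name is within a short edit distance of a trusted package (a look-alike or typosquat), a dependency that runs an install script, and a dependency resolved from somewhere other than the public registry. The trusted list and the lockfile contents, including the look-alike name "lodahs" and the off-registry "some-helper", are constructed for the example and are not findings about real packages. The lockfile layout (lockfileVersion 3, a "packages" map keyed by node_modules path, with "resolved" and "hasInstallScript" fields) is the real npm format.

```python
"""Added example: audit an npm package-lock.json for look-alike names,
install scripts and off-registry sources. Not code from Upfort or npm."""
import json

# Hypothetical allowlist of packages the team has vetted (assumption for the example).
TRUSTED_PACKAGES = {"express", "lodash"}

# Constructed sample lockfile. "lodahs" is a made-up look-alike of lodash that
# also runs an install script; "some-helper" is fetched from git, not the registry.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.2", "lodash": "^4.17.21",
                              "lodahs": "0.0.1", "some-helper": "github:example/some-helper"}},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/lodahs": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-0.0.1.tgz",
            "hasInstallScript": True},
        "node_modules/some-helper": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/example/some-helper.git#abc123"},
    },
})

REGISTRY = "https://registry.npmjs.org/"


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested deps keep the last segment)."""
    return path.rsplit("node_modules/", 1)[1]


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute); small values flag look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lockfile(lock_text, trusted_names, max_distance=2):
    """Return {package_name: [reasons]} for every dependency that looks suspicious."""
    lock = json.loads(lock_text)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        reasons = []
        if name not in trusted_names:
            near = sorted(t for t in trusted_names if 0 < levenshtein(name, t) <= max_distance)
            if near:
                reasons.append("possible typosquat of " + ", ".join(near))
        if meta.get("hasInstallScript"):
            reasons.append("runs an install script")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            reasons.append("resolved outside registry.npmjs.org: " + resolved)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_lockfile(SAMPLE_LOCKFILE, TRUSTED_PACKAGES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run it on a real project with audit_lockfile(open("package-lock.json").read(), TRUSTED_PACKAGES), and keep the trusted list to the packages your team actually uses so that the edit-distance check stays meaningful. It complements an SCA tool rather than replacing one: it catches the shape of a typosquat and an unexpected install hook, not a malicious package that carries an innocuous name and no install script.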

The University of Phoenix has disclosed a data breach affecting nearly 3.5 million people after attackers accessed a cloud database containing names, email addresses, phone numbers, and other personal information. The exposed data was tied to prospective and former students and may have been scraped from marketing and lead generation platforms.
Although no financial or academic records were leaked, this kind of personal data can still be used in targeted phishing attacks, scams, or identity fraud schemes—especially when sourced from educational institutions with large databases.
How to protect your business: Monitor third-party platforms that store customer or prospect data. Limit data retention, encrypt records where possible, and train staff to detect suspicious outreach attempts that may follow mass data leaks.
Cisco has issued an alert about an actively exploited zero-day vulnerability affecting its Secure Email Gateway products running AsyncOS. The flaw allows remote attackers to inject commands and potentially take control of affected systems. While a patch is still in development, Cisco has released mitigation guidance to reduce risk in the meantime.
These gateways are often used by businesses to filter and secure email traffic—making them an attractive target for attackers seeking to bypass defenses or gain internal access.
How to protect your business: Review Cisco’s security advisory and implement temporary mitigations immediately. Monitor email gateway activity for unusual behavior and restrict administrative access to only essential users until a patch is released.
Security researchers have discovered a new strain of Android malware called Cellik that builds fake versions of legitimate Google Play apps to spread spyware. The malicious clones look and behave like the real apps but secretly exfiltrate data, record activity, and take control of infected devices.
The attackers behind Cellik are targeting users via phishing links and third-party app stores—rather than Google Play itself—making it easier to trick victims into installing the lookalike apps.
How to protect your business: Train employees to only download mobile apps from trusted sources like the official Google Play Store. Block the use of unauthorized app stores on work devices, and install mobile security tools to detect malware-laced apps.
SoundCloud has confirmed a data breach that exposed internal employee credentials and led to temporary VPN disruptions. The breach occurred after an unauthorized actor accessed the company’s internal systems and stole some member-related data.
While SoundCloud has not disclosed the exact scope of the breach, the incident highlights the ongoing risks of compromised employee credentials—especially when they’re tied to critical infrastructure like VPNs and internal tooling.
How to protect your business: Require strong, unique passwords and enforce multi-factor authentication (MFA) for all internal accounts. Regularly audit VPN access, rotate credentials after staffing changes, and monitor for signs of unauthorized access.
A threat actor has claimed responsibility for breaching Pornhub’s systems and stealing sensitive user data tied to premium accounts—including activity logs, email addresses, and internal documentation. The hacker is reportedly attempting to extort the site by threatening to leak the information if demands aren’t met.
This kind of breach highlights the double risk of both data exposure and public embarrassment for users, which makes extortion attempts more effective. While this specific case targets a high-traffic adult site, the broader takeaway is clear: any business that collects customer data—especially involving payments or personal behavior—can be a high-stakes target for extortion.
How to protect your business: Limit the retention of sensitive customer activity data, encrypt user records at rest and in transit, and build an incident response plan that accounts for extortion scenarios.
Apple has released urgent security updates to fix multiple zero-day vulnerabilities exploited in a targeted spyware campaign. The attack chain, discovered by security researchers, used previously unknown flaws to infect iPhones and Macs with surveillance malware—potentially allowing access to messages, calls, and other personal data without the user’s knowledge.
The campaign is believed to have been highly targeted, but the underlying vulnerabilities affected all users. This marks yet another reminder that even devices with strong default security are not immune to zero-day threats.
How to protect your business: Enable automatic updates on all Apple devices, especially those used for business communication. Encourage employees to install updates promptly and avoid jailbreaking or modifying default system protections.
