RondoDox added React2Shell to its arsenal. 90,000+ servers. 56 vulnerabilities. 30+ vendors. They call it the “exploit-shotgun” approach. Fire everything, see what hits. 😱

Once inside, RondoDox doesn’t just sit there. It launches DDoS attacks. Mines Monero. Turns infected devices into proxies to hide other attacks. And it breaks the tools needed to fight back.

The botnet has been running for 9 months. Three distinct phases. March to April 2025 was reconnaissance. April to June was daily probing of WordPress, Drupal, Struts2, and IoT devices. July onward became hourly automated attacks at scale.

The crypto library behind Discord, WordPress, and Zcash just got its first CVE. After 13 years. 😏 libsodium. You’ve probably never heard of it. But it’s everywhere.

libsodium is one of the most trusted cryptographic libraries in the world. Discord secures voice chat with it. WordPress validates updates with it. Zcash processes transactions with it. Stellar powers financial apps with it.

13,300+ GitHub stars. Bindings in every programming language you can think of. From PHP to Rust to Python to Go.

WIRED magazine got hacked. 2.3 million subscriber records leaked. And this is just the beginning. 😏 A hacker called “Lovely” dumped the database on Christmas Day. Called it a “Christmas Lump of Coal.”

The vulnerability? IDOR. Insecure Direct Object Reference. That’s OWASP Top 10. Basic web security. A flaw that’s been documented since 2007. Companies still get it wrong.

IDOR happens when a website uses a number to identify your data, but doesn’t check if you’re actually allowed to see it. Your profile lives at /api/user/12345. Change that to /api/user/12346? You see someone else’s profile. No password needed. The server just hands it over.

You log into your game. Suddenly, you got $13.3 million in your account. 🥳 You didn’t earn it. Neither did 30 million other players. December 27, 2025. Hackers broke into Rainbow Six Siege and gave every player 2 billion R6 Credits.

At Ubisoft’s prices, that’s $13.3 million per account. Total damage across the player base: $339 trillion in fake money.

But they didn’t stop there.

The attackers had full control of the game’s backend. They banned players at random, including high-profile streamers. Unbanned others. Unlocked every skin in the game, including the ultra-rare Glacier skins and stuff only developers should have. They even took over the ban ticker, a system Ubisoft says was already turned off in a previous update, and used it to mock the CEO.

You trust your database to keep your data safe. MongoDB just proved it doesn’t. 87,000 servers are leaking memory to anyone who asks. 😏

December 2025. CVE-2025-14847, rated CVSS 8.7, nicknamed “MongoBleed” because it works exactly like Heartbleed did eleven years ago.

Zlib compression is enabled by default in MongoDB. When a compressed message arrives, the server reads a header claiming how large the data will be after decompression. MongoDB allocates that amount of memory, decompresses the payload, and sends back the response.

You buy a firewall to protect your network. In one month, two different authentication bypasses are being actively exploited. One is five years old. One is brand new. 😏

December 2025. Fortinet has a problem.

On December 24th, Fortinet published an advisory about CVE-2020-12812. A vulnerability from July 2020. Five years old. Now being actively exploited again. Bypass two-factor authentication by typing the username in different case letters. Instead of “admin” type “Admin” or “ADMIN” and skip 2FA completely.

Attackers are targeting security researchers through GitHub. You downloaded a proof-of-concept exploit from GitHub. Professional README. Detailed instructions. Real CVE number. Except it’s malware. 😱 And now your system is compromised.

Kaspersky published their findings on December 23, 2025.

Attackers are creating GitHub repositories with fake exploits for real vulnerabilities. CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), CVE-2025-59230 (CVSS 7.8). Fake exploits that install malware.

Kaspersky identified 15 malicious repositories pushing this malware. GitHub has removed them, but new repositories will pop up under different account names.

Apple’s security team reviewed this app. Approved it. But now it steals your passwords, crypto wallets, and Telegram account. 😳 Hundreds of Macs infected since mid-2025.

MacSync Stealer just hit number 6 on Red Canary’s top 10 threat list for December 2025. Most victims in Ukraine, the US, Germany, and the UK.

In April 2025, a hacker called “mentalpositive” built a cheap macOS stealer named Mac.c. Price tag: $1,000. That’s budget pricing in the malware world. AMOS, the market leader, charges $3,000 per month.

56,000 downloads. 6 months online. A WhatsApp library on npm was stealing credentials, messages, and contacts. Nobody noticed. 🤔 The package is called “lotusbail” and it looks like a legitimate fork of the popular WhatsApp API library @whiskeysockets/baileys.

Same functionality. Works perfectly. Send messages, receive messages, handle media. Everything you’d expect.

Except it does something extra.

→ Your WhatsApp authentication tokens → Every message you send and receive → Your complete contact list with phone numbers → All media files and documents → Session keys for persistent access

When you’re hunting for vulnerabilities, you jump between three different websites. NVD for CVE data. Exploit-DB for working exploits. GitHub for proof-of-concept code.

That’s annoying. You lose time. You miss things.

I built Exploit Eye to fix that.

The Problem

Here’s what happens when you research a vulnerability. You find a CVE number somewhere. CVE-2025-1234, for example.

First, you check the National Vulnerability Database. You find details there. Severity scores. Affected versions. The description tells you what’s vulnerable.