SIGNALS WEEKLY: MongoBleed (CVE-2025-14847) Is in KEV: The Unauth MongoDB Leak You Need to Patch

MongoBleed is in KEV: unauth MongoDB memory leak = creds/tokens. Patch + find exposed hosts. Dolby fix + poisoned dev tools too. 🧯🧬👇

Turns out ‘leak secrets’ is not a valid database feature flag.

TL;DR

  • [Vulnerabilities] MongoBleed (CVE-2025-14847) is actively exploited; widespread exposed MongoDB hosts risk memory leakage of credentials, tokens, and secrets.
  • [Vulnerabilities] Android January 2026 patch fixes critical Dolby DD+ RCE; prioritize fast OEM/carrier rollout to high-value users.
  • [Threat Landscape] Emerging abuse of automation/dev ecosystems: n8n RCE (CVE-2025-68668), GlassWorm via trojanized VS Code extensions, and ongoing GravityRAT espionage across platforms.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!



Current Stories

TL;DR

  • [Vulnerabilities] MongoBleed (CVE-2025-14847) is under active exploitation and in CISA’s KEV; Shadowserver/Censys see ~70–80k exposed MongoDB servers. Memory leakage enables theft of credentials, API keys and tokens across internet-facing apps.

  • [Vulnerabilities] Android’s January 2026 security bulletin fixes a single, critical Dolby DD+ codec bug (CVE-2025-54957) affecting a broad Android fleet. No in-the-wild exploitation reported yet, but it enables near-zero-click RCE via crafted audio and is now covered by OEM patch levels.

  • [Healthcare Breach] New Zealand’s ManageMyHealth portal breach affects an estimated 6–7% of ~1.8M users (~126k people). Threat actors “Kazu” claim 400k patient documents and threaten leaks if ransom (~$60k) is not paid, driving identity, extortion, and regulatory risk.

  • [Geopolitics] The US operation that captured Venezuela’s Nicolás Maduro involved months of planning, large‑scale airpower, and special operations, according to US and allied officials. No public evidence ties the operation to cyber effects, but it underscores how fast great‑power crises can escalate and reshape regional risk.


Suggested Pivots

How concentrated is MongoBleed exposure in specific cloud providers, SaaS platforms, or industries, and what secondary compromise patterns are emerging?

  • Why: Mapping exposed MongoDB instances to providers/sectors clarifies who is most at risk and where knock‑on compromises (account takeover, data theft) are already occurring.
  • What to expect: A breakdown of vulnerable hosts by provider/AS, sectoral clustering (e.g., gaming, fintech, SaaS), and early case studies of real‑world exploitation chains.

How quickly are major Android OEMs and carriers rolling out the January 2026 Dolby DD+ patch, and which high‑risk user segments remain unprotected?

  • Why: Patch coverage, not just CVSS, determines real business risk; lagging fleets (BYOD, low‑end OEMs, specific regions) may be prime targets for mobile espionage.
  • What to expect: OEM/carrier rollout timelines, approximate fleet coverage, and identification of geos or user groups most likely to run unpatched, high‑value devices.

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.


Anticipate, Don’t Chase.


Emerging Stories & Detection Ideas