Intelligence Insights: December 2025
ID: e6bd982b-ed19-500d-bfd2-f39e6847b970
STIX ID: report--e6bd982b-ed19-500d-bfd2-f39e6847b970
Feed Name: Red Canary
Red Canary's November 2025 intelligence roundup identifies the most prevalent threats observed across customer environments. These are led by JustAskJacky (malicious Node.js lures that execute reconnaissance and arbitrary in-memory commands); the Sha1-Hulud npm/GitHub Actions worm, which stole credentials and propagated via CI runners; abuse of ScreenConnect RMM for direct adversary access; and MacSync Stealer, which targets macOS credentials and wallets. The roundup also notes the takedown of Rhadamanthys and the absence of recent Rhadamanthys activity following a multinational disruption.
