Flow Foundation Halts Network to Recover $3.9M Without Rollback; AMD, Microsoft, and Trust Wallet Also Deploy Major Security Fixes
TL;DR
- Flow Foundation patches $3.9M blockchain exploit, recovers 2,596 compromised addresses via validator-authorized cleanup
- Trust Wallet browser extension compromise leads to $7M in crypto losses, prompting security audit and user reimbursement plan
- AMD releases microcode patches for Zen CPU signature verification flaw, enabling secure custom microcode deployment
- AI-generated child abuse material surges 218% in 2025, with 440,000+ reports to NCMEC and Victorian man sentenced for 793 AI-created images
- Microsoft enforces Windows 11 passkey provider model with KB5068861 update, enabling user-selected vaults and cross-vendor authentication
- GlassWorm malware campaign targets macOS developers via Trojanized VSCode extensions, stealing crypto wallet data and NPM credentials
Flow Foundation Recovers $3.9M Exploit Without Chain Rollback Using Validator-Signed Cleanup
How was the $3.9M exploit resolved without a blockchain rollback?
The Flow Foundation resolved a $3.9M exploit on December 27, 2025, by halting the network at block 137,385,824 and executing a validator-authorized bulk sweep of 2,596 compromised addresses. A 5,000 FLOW reimbursement pool was distributed proportionally to affected accounts. No chain reorganization occurred, adhering to a community-endorsed immutability-first policy.
What technical vulnerability was exploited?
The exploit targeted the Cadence-to-EVM translation layer, enabling unauthorized cross-chain asset transfers via the deBridge protocol. The vulnerability allowed malicious actors to drain funds from smart contracts by bypassing expected type-checking and authorization controls.
How were funds recovered?
Recovery occurred in three phases: (1) network halt and state snapshot; (2) validator-signed cleanup bundles that reversed unauthorized transfers across 2,596 addresses over 2–3 days; (3) deployment of a patched Cadence-EVM translation layer, completed by January 1, 2026. Affected contracts were temporarily set to read-only during remediation.
What governance principles guided the response?
The Community Governance Council (CGC) rejected chain rollback proposals, citing precedent for preserving blockchain immutability. Validator-signed transaction bundles replaced centralized reversal mechanisms, establishing a decentralized, permissionless incident response model.
What systemic risks does this incident reveal?
Cross-chain bridges remain a critical attack surface, as demonstrated by parallel $7M Trust Wallet extension breaches. The incident underscores the need for sandboxed bridge-call verification and hardware wallet adoption. Future exploits will likely target similar translation layers or unsigned bridge interactions.
What changes are being implemented to prevent recurrence?
- Flow developers will integrate the "Bridge-Call Guard" library into all bridge contracts by October 2026.
- Validators are adopting standardized cleanup bundle templates for rapid, pre-approved remediation.
- A 48-hour community voting window will be codified before future network halts.
- The Cadence compiler will enforce stricter type-checking in its next release.
What regulatory implications arise?
The U.S. Treasury’s Office of Financial Research is expected to issue guidance in early 2026, classifying validator-authorized cleanups as non-custodial remediation. This distinction may influence AML/KYC frameworks, clarifying that on-chain reversals do not imply centralized control.
What market impact followed?
FLOW price stabilized after a 12% rebound by January 2, 2026. Volatility is projected to decline 10–15% as confidence grows in immutable, validator-backed recovery protocols.
Trust Wallet Extension Breach Highlights Supply Chain Risks in Crypto Wallets
A malicious update (v2.68) pushed to the Chrome Web Store inserted a JavaScript backdoor that harvested seed phrases and auto-signed transactions. The attack exploited a compromised npm package and stolen Chrome Web Store API credentials, enabling unauthorized code deployment without review.
How was the breach contained?
The extension was removed on December 26, 2025, and reverted to v2.69. Forensic tracing identified 17 attacker-controlled addresses linked to exchanges including ChangeNOW, KuCoin, and HTX. The Community Governance Council executed validator-signed transactions to lock compromised funds and prevent re-mixing.
What was the response to user losses?
A reimbursement portal, opened on December 29, 2025, received over 5,000 claims. Phase 1 refunds exceeding $7M were completed by January 1, 2026, covering approximately 70% of identified victims. The loss-to-claim ratio of 1.4:1 is below the sector average of 2.2:1.
What broader patterns does this incident reveal?
- Supply-chain attacks via npm/CI pipelines are now the top vector for wallet extension breaches, up 42% YoY.
- The same attack vector (Sha1-Hulud 3.0) was detected in MetaMask and Rabby advisories in early 2026.
- Chrome and Edge have since restricted automated publishing for high-risk extensions.
- Wallet-guard tools like Revoke.cash and WalletGuard saw a 67% surge in usage post-incident.
What systemic changes are underway?
- Wallet developers are adopting deterministic signed builds and SBOM verification for dependencies.
- Browser marketplaces are moving toward mandatory MFA for API keys and real-time static analysis of extensions.
- Regulatory bodies, including the U.S. SEC, are expected to issue security standards for wallet extensions managing over $5M in assets.
- Hardware wallet adoption is projected to rise 12% by Q4 2026 due to increased distrust of browser-based solutions.
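The npm-pipeline vector above and the dependency-verification measure listed here come down to one check: the bytes a build actually pulls must match the integrity hash recorded in the lockfile. The following is an added example, not Trust Wallet's or npm's own code; the package names, versions and tarball bytes are constructed, and the lockfile layout follows the "packages" map that npm writes to package-lock.json.

```python
import base64
import hashlib

def sri_of(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string in the form npm stores as "integrity"."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def verify_lockfile(lock: dict, fetch) -> dict:
    """Compare every locked dependency's SRI hash with the bytes actually obtained.

    fetch(name, version) returns the tarball bytes from wherever the build pulls
    them (registry, mirror, CI cache). Returns {package: verdict}.
    """
    report = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:                       # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        expected = entry.get("integrity")
        if not expected:
            report[name] = "missing integrity field"
            continue
        algo = expected.split("-", 1)[0]   # hash algorithm is the SRI prefix
        actual = sri_of(fetch(name, entry["version"]), algo)
        report[name] = "ok" if actual == expected else "MISMATCH"
    return report

# Constructed tarballs standing in for the genuine packages' bytes.
GENUINE = {("left-pad", "1.3.0"): b"\x1f\x8b genuine left-pad 1.3.0",
           ("signer-lib", "4.2.0"): b"\x1f\x8b genuine signer-lib 4.2.0"}

# What a poisoned mirror or cache serves: one package swapped for a tampered build.
SERVED = dict(GENUINE)
SERVED[("signer-lib", "4.2.0")] = b"\x1f\x8b tampered signer-lib build"

# Lockfile as it was generated from the genuine tarballs.
LOCK = {"packages": {
    "": {"name": "wallet-extension", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0",
                              "integrity": sri_of(GENUINE[("left-pad", "1.3.0")])},
    "node_modules/signer-lib": {"version": "4.2.0",
                                "integrity": sri_of(GENUINE[("signer-lib", "4.2.0")])},
}}

def audit_served() -> dict:
    """Run the lockfile check against what the build would actually download."""
    return verify_lockfile(LOCK, lambda name, version: SERVED[(name, version)])
```

A CI step that fails the build on any "MISMATCH" or "missing integrity field" entry is the practical form of the SBOM verification the list above describes.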
What does this mean for users?
Users should activate transaction simulation tools, regularly revoke unused permissions, and consider migrating to hardware wallets for high-value holdings. The incident confirms that trust in wallet extensions must now be anchored in verifiable build integrity, not brand reputation.
AMD Patches Zen CPU Signature Flaw, Enabling Secure Custom Microcode Deployment
AMD released microcode updates on January 1, 2026, to resolve CVE-2025-XXXXX, a vulnerability allowing unsigned microcode injection via WRMSR instructions. The patch enforces RSA-2048 signature verification using a public key stored in immutable ROM, rejecting all unsigned payloads.
What technical changes were implemented?
- Signature Engine: Replaced checksum with RSA-2048 verification anchored in ROM.
- WRMSR Loader: Added mandatory signature validation and per-load nonce to prevent replay attacks.
- Toolchain Output: Introduced a --sign flag requiring PKCS#7 containers; optional --test-sign for research.
- Debug Interfaces: Restricted IBS and MSR-DEBUG to TPM-authenticated sessions with audit logging.
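To make the loader-side logic concrete, here is an added model of the post-patch verification flow: a public key that stands in for the ROM-resident one, a signature over the payload bound to a per-load nonce, and rejection of unsigned, tampered and replayed containers. This is illustrative code, not AMD's microcode format or tooling; it assumes textbook RSA over SHA-256 with two small constructed primes instead of RSA-2048, and a hypothetical container layout of payload, nonce and signature.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
# The patch itself uses RSA-2048 with the public key held in immutable ROM.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
ROM_N = _P * _Q                              # public modulus, "burned into ROM"
ROM_E = 65537                                # public exponent
_D = pow(ROM_E, -1, (_P - 1) * (_Q - 1))     # vendor's private exponent, never on the CPU

def _digest(payload: bytes, nonce: bytes) -> int:
    """SHA-256 over nonce||payload, reduced into the toy modulus."""
    h = hashlib.sha256(nonce + payload).digest()
    return int.from_bytes(h, "big") % ROM_N

def vendor_sign(payload: bytes) -> dict:
    """Hypothetical signing step: bind a fresh nonce to the payload and sign both."""
    nonce = secrets.token_bytes(16)
    sig = pow(_digest(payload, nonce), _D, ROM_N)
    return {"payload": payload, "nonce": nonce, "sig": sig}

class MicrocodeLoader:
    """Model of the WRMSR loader after the patch: verify first, then refuse a nonce seen before."""

    def __init__(self):
        self.seen_nonces = set()   # nonces accepted since reset
        self.loaded = None

    def load(self, container: dict) -> str:
        sig = container.get("sig")
        if sig is None:
            return "rejected: unsigned payload"
        nonce, payload = container["nonce"], container["payload"]
        # Verify against the ROM-pinned public key; any byte change breaks this.
        if pow(sig, ROM_E, ROM_N) != _digest(payload, nonce):
            return "rejected: bad signature"
        # Per-load nonce: a valid container cannot be replayed a second time.
        if nonce in self.seen_nonces:
            return "rejected: replayed container"
        self.seen_nonces.add(nonce)
        self.loaded = payload
        return "loaded"
```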
Who benefits from the patch?
- OEMs: Can deploy signed, custom microcode for power optimization and security hardening.
- Enterprise Security Teams: Eliminate a firmware-level privilege escalation vector.
- Research Community: Retain access to test-sign mode under controlled conditions.
- End-Users: Restore trust in Zen CPUs for cloud, HPC, and embedded systems.
What risks remain?
- Private signing keys must be protected via TPM-bound storage and rotated every 12 months.
- Test-sign keys may be misused on shared lab systems without strict sandboxing.
- Patch adoption depends on motherboard vendors updating BIOS/UEFI within 3–6 months.
What trends are emerging?
- Signed custom microcode is becoming an industry standard, adopted by both AMD and Intel.
- Firmware remediation cycles have accelerated to under one week post-public PoC.
- Open-source toolchains (ZenUtils 2.3, ZENTool 1.8) now integrate vendor signing APIs.
What is forecasted for 2026?
- Q1: Major motherboard vendors complete BIOS/UEFI rollouts.
- Q2: Server OEMs deploy signed microcode for workload-specific tuning.
- Q3: Community-led test-sign certification authority forms under AMD oversight.
- Q4: Attackers shift focus to supply-chain key exfiltration from compromised build servers.
What actions are recommended?
- Mandate BIOS/UEFI updates for all Zen systems within 180 days.
- Implement TPM-backed key storage with 12-month rotation policies.
- Restrict test-sign usage to isolated environments with audit logging.
- Deploy monitoring for anomalous WRMSR writes.
- Publish standardized guidelines for signed custom microcode workflows.
Microsoft Enforces Password-Less Login via Windows 11 Passkey Provider with Cross-Vendor Vault Support
KB5068861 introduces a native Passkey Provider Service that registers as a WebAuthn platform authenticator, enabling TPM 2.0-sealed credential storage. Users select a default passkey vault—Microsoft Password Manager, 1Password, Bitwarden, or OEM solutions like Samsung Pass—via Settings → Accounts → Sign-in options. The OS no longer handles private keys; only public-key references are exposed.
How does cross-vendor authentication work?
All certified vaults conform to FIDO2/WebAuthn standards. Browsers (Edge, Chrome, Firefox) detect the OS-level authenticator automatically, ensuring consistent passwordless login across platforms. OEMs ship devices with pre-configured vaults, enabling interoperability without user intervention.
What legacy systems are removed?
NTLM v1, NTLM-based SMB, and password-only fallbacks are disabled by default (via KB5065506). Microsoft Authenticator no longer stores passwords, accelerating migration to passkeys. These changes eliminate relay and brute-force attack vectors tied to legacy authentication.
What enterprise controls are available?
Group Policy enforces a corporate default vault (PasskeyProvider/DefaultVault) and mandates a specific vault (PasskeyProvider/EnforcedVault). Event ID 4688 logs vault selection activity. Conditional Access policies can restrict Azure AD access to corporate-signed passkeys only.
What are the adoption timelines?
- Nov 2025: KB5068861 released for Windows 11 23H2/24H2
- Dec 2025: 1Password and Microsoft Password Manager GA
- Jan 2026: Bitwarden beta integration
- Mar 2026: OEM devices ship with pre-configured vaults
- Q2 2026: Intune CSP enables MDM-driven vault assignment
- Q4 2026: Password fallback disabled for new Azure AD-joined devices
What risks remain?
Third-party vault compromise remains possible. Mitigation requires quarterly firmware updates and certificate pinning. Legacy systems relying on NTLM may break; Microsoft’s Auth Modernization Assistant must be deployed. User resistance is mitigated by mandatory 10-minute onboarding videos.
What’s next?
Windows Server 2025 will adopt the same service in Q3 2026. TPM 2.1 chips with built-in FIDO2 key generation are expected in H1 2027, enabling zero-install passkeys. The trajectory confirms a fully passwordless Windows ecosystem by 2027.