The Hacker News | #1 Trusted Source for Cybersecurity News

Developer Workstations Are Now Part of the Software Supply Chain

May 18, 2026 Artificial Intelligence / Developer Security
Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is an ongoing concern and is self-propagating, as seen in attacks like the "mini Shai Hulud" campaigns. That pattern should change how security teams think about the software supply chain. Traditionally, security focused on shared systems like source code repositories, CI/CD platforms, artifact registries, package managers, and cloud environments. The goal was to protect production workloads and data. We absolutely still need to focus on these areas, but it is an incomplete picture. Modern software delivery begins before code reaches Git. It begins on the developer workstation, wher...
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

May 18, 2026 Vulnerability / Software Security
Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code. Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks. "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks," Ivanti said in an advisory. Fortinet published advisories for two critical shortcomings affecting FortiAuthenticator and FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that could result in code execution:
- CVE-2026-44277 (CVSS score: 9.1) - An improper access control vulnerability in FortiAuthenticator that may allow an unauthenticated attacker to...
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

May 18, 2026 Zero Day / Vulnerability
Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver, and resides in a routine named "HsmOsBlockPlaceholderAccess." It was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Although it was assumed that the shortcoming was fixed by Microsoft in December 2020 as part of CVE-2020-17103, Chaotic Eclipse said further investigation has uncovered that the "exact same issue [...] is actually still present, unpatched." "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by...
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

May 18, 2026 Supply Chain Attack / Botnet
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The list of identified packages is below:
- chalk-tempalte (825 Downloads)
- @deadcode09284814/axios-util (284 Downloads)
- axois-utils (963 Downloads)
- color-style-utils (934 Downloads)
"One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after," OX Security's Moshe Siman Tov Bustan said. Interestingly, the malicious payloads embedded into the four npm packages are different, despite them being published by the same npm user, "deadcode09284814." As of writing, the four libraries are still available for download from npm. An analysis of the packages has revealed that "axois-utils" is designed ...
Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations

May 18, 2026 Industrial Sabotage / Malware
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations. According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design. "Fast16's hook engine is selectively interested in high-explosive simulations inside LS-DYNA and AUTODYN," the Threat Hunter Team said. "The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device." The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years. Evidence unearthed by the cybe...
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

May 17, 2026 Server Security / Vulnerability
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008. Successful exploitation of the flaw can permit an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. However, it bears noting that code execution is possible only on devices where Address Space Layout Randomization (ASLR), a safeguard against memory-based attacks, is turned off.
Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

May 17, 2026 Data Breach / Cybercrime
Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of posts on X. The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding the compromised credentials have since been invalidated, and extra security measures have been implemented to secure against unauthorized access. Furthermore, Grafana revealed the attacker tried to blackmail and extort the company, demanding they make a payment to prevent the stolen database from being published. Grafana said it has opted not to pay the ransom, citing the U.S. Federal Bureau of Invest...
Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

May 16, 2026 Vulnerability / Website Security
A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It affects all versions of the plugin before 3.15.0.3. It's used in more than 40,000 WooCommerce stores. The flaw lets unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store, the Dutch e-commerce security company said. FunnelKit, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3. "Attackers are planting fake Google Tag Manager scripts into the plugin's 'External Scripts' setting," it noted. "The injected code looks like ordinary analytics next to the store's real tags, but...
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access

May 15, 2026 Botnet / Threat Intelligence
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB). It overlaps with activity traced by the broader cybersecurity community under the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH. The hacking group is known for its attacks targeting government, diplomatic, and defense sectors in Europe and Central Asia, as well as endpoints previously breached by Aqua Blizzard (aka Actinium and Gamaredon) to support the Kremlin's strategic objectives. "This upgrade aligns with Secret Blizzard's broader objective of gaini...
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence

May 15, 2026 Vulnerability / AI Security
Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below:
- CVE-2026-44112 (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root.
- CVE-2026-44113 (CVSS score: 7.7/6.3) - A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root.
- CVE-2026-44115 (CVSS score: 8.8) - An incomplete list of disallowed inputs vuln...
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface

May 15, 2026 Endpoint Security / Threat Detection
In Your Biggest Security Risk Isn't Malware — It's What You Already Trust, we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them. The reaction we heard most was a fair one: We know. So what do we actually do about it? That's what Bitdefender's complimentary Internal Attack Surface Assessment is built to answer. It's a 45-day, low-effort engagement available to organizations with 250 or more employees that turns the abstract problem of "living off the land" into a specific, prioritized list of users, endpoints, and tools you can safely take away from attackers without breaking the business. Why This, Why ...
TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates

May 15, 2026 Supply Chain Attack / Malware
OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. "Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," OpenAI said. "We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access." The artificial intelligence (AI) upstart said only limited credential material was successfully transferred from these code repositories, adding no other information or code was impacted. Upon being alerted of the activity, OpenAI said it isolated impacted systems and identities...