The Hacker News | #1 Trusted Source for Cybersecurity News

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week's stories show how easily a small mistake or hidden service can turn into a real break-in. Behind the headlines, the pattern is clear. Automation is being used against the people who built it. Attackers reuse existing systems instead of building new ones. They move faster than most organizations can patch or respond. From quiet code flaws to malware that changes while it runs, attacks are focusing less on speed and more on staying hidden and in control. If you're protecting anything connected—developer tools, cloud systems, or internal networks—this edition shows where attacks are going next, not where they used to be. ⚡ Threat of the Week Critical Fortinet Flaw Comes Under...

Just a few years ago, the cloud was touted as the "magic pill" for any cyber threat or performance issue. Many were lured by the "always-on" dream, trading granular control for the convenience of managed services. In recent years, many of us have learned (often the hard way) that public cloud service providers are not immune to attacks and SaaS downtime, hiding behind the Shared Responsibility cushion. To stay operational, competitive, and resilient in today's threat landscape, teams must move beyond the dependency on SaaS providers and understand what cyber resilience really means. The Myth of DevOps SaaS Resilience In 2024 alone, popular DevOps SaaS platforms—like GitHub, Jira, or Azure DevOps— experienced 502 incidents in total, which resulted in degraded performance and outages totaling over 4,755 hours . The conclusion is clear: Entrusting "the big players" with your source code, development metadata, and workflow projects doesn't make your business immune to downtime and subs...

A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp , can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ). It impacts AMD Zen 1 through Zen 5 processors. "In the context of SEV-SNP, this flaw allows malicious VM [virtual machine] hosts to manipulate the guest VM's stack pointer ," researchers Ruiyi Zhang, Tristan Hornetz, Daniel Weber, Fabian Thomas, and Michael Schwarz said . "This enables hijacking of both control and data flow, allowing an attacker to achieve remote code execution and privilege escalation inside a confidential VM." AMD, which is tracking the vulnerability as CVE-2025-29943 (CVSS v4 ...

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix -like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix has been codenamed CrashFix by Huntress. KongTuke , also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery. Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware , Interlock ransomware , and TA866 (aka Asylum Ambuscade), with the threat ...

Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations. "By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them," CyberArk researcher Ari Novick said in a report published last week. StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model, allowing potential customers to leverage YouTube as a primary mechanism – a phenomenon called the YouTube Ghost Network – to distribute the malicious program by disguising it as cracks for popular software. Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a soc...

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities noted. "According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," the Cyber Police of Ukraine said in a statement.  The agency said the accused individuals functioned as "hash crackers," who specialize in extracting passwords from information systems using specialized software. Once the credential information was obtained, members of the ransomware group broke into corporate networks and ultimately deployed ransomware and extorted money to recover the e...

OpenAI on Friday said it would start showing ads in ChatGPT to logged-in adult U.S. users in both the free and ChatGPT Go tiers in the coming weeks, as the artificial intelligence (AI) company expanded access to its low-cost subscription globally. "You need to know that your data and conversations are protected and never sold to advertisers," OpenAI said . "And we need to keep a high bar and give you control over your experience, so you see truly relevant, high-quality ads—and can turn off personalization if you want." The company has positioned advertising as a way to ensure that the benefits of artificial general intelligence – a term used to describe a stage in machine learning when an AI system can reach or surpass human-level intelligence – can be made more accessible to the masses. In addition, it can be "transformative" for small businesses and emerging brands trying to compete, it added. It also emphasized that ads do not influence responses...

The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives. "The actor creates a malformed archive as an anti-analysis technique," Expel security researcher Aaron Walton said in a report shared with The Hacker News. "That is, many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems." This leads to a scenario where the archive cannot be processed by tools like WinRAR or 7-Zip, and, therefore, prevents many automated workflows from analyzing the contents of the file. At the same time, it can be opened by the default Windows unarchiver, thereby ensuring that victims who fall victim to the social engineering scheme can extract and run the JavaScript malware. GootLoader is typically distrib...

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking," Socket security researcher Kush Pandya said in a Thursday report. The names of the extensions are listed below - DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Published by: databycloud1104) - 251 Installs Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Published by: databycloud1104) - 101 Installs DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Published by: databycloud1104) - 1,000 Installs DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Published by: databycloud1104) - 1,000 Installs Software Access (ID: bmodapc...

You lock your doors at night. You avoid sketchy phone calls. You're careful about what you post on social media. But what about the information about you that's already out there—without your permission? Your name. Home address. Phone number. Past jobs. Family members. Old usernames. It's all still online, and it's a lot easier to find than you think. The hidden safety threat lurking online Most people don't realize how much of their personal life is sitting on public websites, data broker platforms, and sketchy directories. These sites don't just sell your info to marketers—they make it available to anyone with internet access. And that's when things can get dangerous. Exposed personal information can lead to: Doxxing incidents where personal info is leaked online Harassment that moves from your inbox to your doorstep Stalkers and scammers are building a profile on you using old addresses and phone numbers Strangers showing up where you live or work. It's not just creep...

Security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE . The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that's launched using DLL side-loading techniques. It's not known if the campaign managed to successfully compromise any of the targets. The activity has been attributed with moderate confidence to a Chinese state-sponsored group known as Mustang Panda (aka Earth Preta, HoneyMyte, and Twill Typhoon), citing tactical and infrastructure patterns. It's worth noting that the threat actor is known for extensively relying on DLL side-loading to launch its backdoors, including TONESHELL. "This campaign reflects a continued trend of targeted spear...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...