The Hacker News | #1 Trusted Source for Cybersecurity News

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named " lotusbail ," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "seiren_primrose" in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing. Under the cover of a functional tool, the malware "steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server," Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it's equipped to capture authentication tokens and session keys, messa...

Cyber threats last week showed how attackers no longer need big hacks to cause big damage. They're going after the everyday tools we trust most — firewalls, browser add-ons, and even smart TVs — turning small cracks into serious breaches. The real danger now isn't just one major attack, but hundreds of quiet ones using the software and devices already inside our networks. Each trusted system can become an entry point if it's left unpatched or overlooked. Here's a clear look at the week's biggest risks, from exploited network flaws to new global campaigns and fast-moving vulnerabilities. ⚡ Threat of the Week Flaws in Multiple Network Security Products Come Under Attack — Over the past week, Fortinet , SonicWall , Cisco , and WatchGuard said vulnerabilities in their products have been exploited by threat actors in real-world attacks. Cisco said attacks exploiting CVE-2025-20393, a critical flaw in AsyncOS, have been abused by a China-nexus advanced persistent threat (APT) actor cod...

As the internet becomes an essential part of daily life, its environmental footprint continues to grow.  Data centers, constant connectivity, and resource-heavy browsing habits all contribute to energy consumption and digital waste. While individual users may not see this impact directly, the collective effect of everyday browsing is significant. Choosing a browser designed with sustainability in mind is one practical way to reduce that impact, without changing how you work online. This article explains what eco-friendly browsing means, why it matters, and how a green browser like Wave Browser pairs a modern, secure browsing experience with a mission to help protect our ocean through verified cleanup efforts. Why Eco-Friendly Browsing Matters Most people think of environmental impact in terms of transportation, food, or physical products. Digital activity is often overlooked. However: Browsers run continuously throughout the day Heavy tabs and background processes incre...

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection." Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding in...

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous." Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant. The group has also managed to remain elusive, attracting little attention, unlike other Iranian hacking crews such as Charming Kitten , MuddyWater , and OilRig ...

The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for "the train of Aragua"), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department.  In July 2025, the U.S. government announced sanctions against the group's head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the "illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities." The Justice Department said an indictment returned on December 9, 2025, has charged a group of...

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare . The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. "Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets' area of expertise to ultimately arrange a fictitious meeting or interview," the enterprise security company said . As part of these efforts, the adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Clo...

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence team said in an analysis. CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader's ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025. The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document wi...

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer," the company said in a Thursday advisory. "If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured." The vulnerability impacts the following versions of Fireware OS - 2025.1 - Fixed in 2025.1.4 12.x - Fixed in 12.11.6 1...

Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure. "Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials," the NPF said in a post shared on social media. In addition, laptops, mobile devices, and other digital equipment linked to the operation have been se...

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access ( DMA ) attacks across architectures that implement a Unified Extensible Firmware Interface ( UEFI ) and input–output memory management unit ( IOMMU ). UEFI and IOMMU are designed to enforce a security foundation and prevent peripherals from performing unauthorized memory accesses, effectively ensuring that DMA-capable devices can manipulate or inspect system memory before the operating system is loaded. The vulnerability, discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games in certain UEFI implementations, has to do with a discrepancy in the DMA protection status. While the firmware indicates that DMA protection is active, it fails to configure and enable the IOMMU during the critical boot phase. "This gap allows a malicious DMA-capable Peripheral Component Interconnect E...

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers," security researchers Anton Cherepanov and Peter Strýček said . Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. The attacks are characterized by the use of a varied custom toolset that mainly consists of C#...

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164 , carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE said in an advisory issued this week. It affects all versions of the software prior to version 11.00 , which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20. It's worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to ...