-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

The Hacker News | #1 Trusted Source for Cybersecurity News

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

Jul 11, 2026 Software Supply Chain / Malware
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release  six minutes after it was published . If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had. None of this is in the prior release, 8.13.0.  The package diff  shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but a roughly 7.8MB container packing three gzip-compressed native binaries, one each for Linux, Windows, and macOS. On install, setup.js picks the binary for the host operating system, writes it under a random name in the system temp directory...
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

Jul 11, 2026 Threat Intelligence / Cyber Espionage
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week. The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. The China-nexus threat actor is also said to have compromised one of these web applications to deploy a custom implant masquerading as a portal update. The application in question, named Complaint Management System (CMS), serves pol...
Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

Jul 11, 2026 Vulnerability / Email Security
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened," Zimbra said . "If exploited, it could allow access to mailbox information, session data, or account settings." XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. This allows attackers to inject and execute malicious JavaScript in victims' browsers, which can result in session hijacking, credential theft, and account compromise. Stored XSS, or persistent ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

Jul 10, 2026 Enterprise Security / Security Incident
Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security experts. It says it has no indication of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat. What Progress has not said is what the threat is or who is behind it. The order became public when a customer posted the company's email to Reddit's  r/sysadmin  on July 10. Progress  confirmed the disruption on its status page, listing Storage Zone Controller customers as "not operational" and the incident as under investigation as of a 12:12 p.m. EDT update. Only the Storage Zone Controller is af...
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Jul 10, 2026 Software Supply Chain / Malware
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21 , came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was released on July 8, 2026, but has since been deprecated on the registry. That said, the release artifacts belonging to the compromised version are still available for download from GitHub as of writing. "The malicious functionality was introduced to the project's official GitHub repository through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository," Socket said . The software supply chain security firm said the threat actor behind the attack also published version 1.20.21 across 17 additional @inj...
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

Jul 10, 2026 Firmware Security / Vulnerability
Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device has confirmed that the software is genuine. That last part is the point. A bootloader runs before the operating system, so a flaw here can undermine everything that loads after it. All six bugs are reached while U-Boot is still reading an untrusted image, before it has checked the signature. What Binarly found U-Boot can bundle a kernel, device tree, ramdisk, and other boot components into one package, a FIT (Flattened Image Tree), and it checks that package's digital signature before handing over control. Binarly went looking for weak spots in that check and found six. Most of the vulner...
Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

Jul 10, 2026 Vulnerability / Hardware Security
Researchers at Ledger's Donjon security team  have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs the physical card in hand and a lab that Donjon puts at around $250,000. It also means cutting the card open, which leaves damage no one can miss. It cannot be done over the internet, and there is no fix coming: Tangem cards cannot take software updates, so every card already sold carries the flaw. The one group that should act now is anyone whose card is lost or stolen and holds serious value. How the card is meant to protect you A Tangem wallet looks like a plain bank card. Tap it to your phone, and a companion app talks to a Samsung S3D232A chip inside. That chip is a ...
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Jul 10, 2026 AI Security / Vulnerability
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link f...
New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

Jul 10, 2026 Malware / Enterprise Security
The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON . Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure , which compromises multiple distributors. "These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families," QiAnXin said . One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON's requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare's Content Delivery Networ...
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Jul 10, 2026 Vulnerability / Server Security
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry  disclosed the flaw on July 8  and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server process down. XQUIC is open-source, so the risk is not Alibaba's alone: any server that embeds it and serves HTTP/3 with the default QPACK settings is exposed. That includes Tengine, Alibaba's Nginx-based web server, which FoxIO says fronts the company's cloud and CDN on sites including Taobao and Alipay. Every release through v1.9.4, the latest, is affected. There is no fixed release and no CVE as of July 10. Until a fix ships, operators can set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which turns off QPACK's dynamic table, or drop HTTP/3 support entirely. The bug lives in how H...
From 17,000 to 1.1 Million Assets: How Lumen Technologies Rebuilt Exposure Management at Scale

From 17,000 to 1.1 Million Assets: How Lumen Technologies Rebuilt Exposure Management at Scale

Jul 10, 2026 Asset Management / Enterprise Security
Most enterprises assume their asset inventory is close enough to accurate. The evidence suggests otherwise. According to a survey of over 600 security leaders in the 2026 Axonius Actionability Report, only 45% of organizations consolidate their asset and exposure data into a single view, and every downstream security program inherits whatever the inventory gets wrong. Lumen Technologies , a telecommunications company with nearly a century of history, put this to the test. Geoff Krahn, Director of Product and Platform Security at Lumen, and his team used the Axonius asset intelligence platform to reconcile data from more than 40 disconnected systems into one trusted view. They uncovered 60 times more devices than they knew they had, then rebuilt their exposure management program on that foundation. Why asset inventories break down at enterprise scale Lumen's environment is an extreme case of a problem most security teams recognize. More than 40 independent IT and security to...
Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Jul 10, 2026 Cybercrime / Website Security
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as WP-SHELLSTORM , is what  SOCRadar  calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a "webshell") on each, and packages that access for resale. The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla's JCE editor; skip to the checklist below if that's you. A forgotten server Two teams dug into the same exposed folder. SOCRadar's threat intelligence team spotted it on June 11, 2026, on a U...
Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

Jul 10, 2026 Mobile Security / Privacy
Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure. The apps flagged with at least one problem have been installed more than 2.4 billion times. The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read. Five of those send the app's configuration file in the clear, which lets an attacker on the network redirect the connection to a server they control. The system, called MVPNalyzer , was presented at the NDSS security conference in February 2026 by researchers at the University of Michigan, the University of New Mexico, and IIT Delhi. It is a mobile counterpart to the same lab's earlier VPNalyzer study ...
Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

Jul 10, 2026 Enterprise Security / Authentication
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-UNC-066 , has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process . The activity has singled out food and beverage, technology, healthcare, automotive, construction, and aviation industries. "The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing ('vishing') scheme," Okta researcher Houssem Eddine Bordjiba said . "The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey." Users are then directed to a phishing kit that's identical to the Microsoft passkey enrollment process, giving the impression that th...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources