Malware | Breaking Cybersecurity News | The Hacker News

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers instead. "The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org," developer Don Ho said . "The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself." The exact mechanism through which this was realized is currently being investigated, Ho added. The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being "occasionally" redirected to malicious domains, resulting in the download of poisoned executables. Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded u...

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. "Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," Morphisec researcher Michael Gorelik said . MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix. It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, whi...

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users. "On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader," Socket security researcher Kirill Boychenko said in a Saturday report. "These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases." The supply chain security company said that the supply chain attack involved the compromise of the developer's publishing credentials, with the Open VSX security team assessing the incident as involving the use of either a leaked token or other unauthorized ...

A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses. The activity , observed by HarfangLab in January 2026, has been codenamed RedKitten . It's said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation. The ensuing crackdown has resulted in mass casualties and an internet blackout . "The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control," the French cybersecurity company said. What makes the campaign noteworthy is the threat actor's likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains...

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra , which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit. It's worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm. "All attacks had a purely destructive objective," CERT Polska said in a report published Friday. "Althoug...