Open-Source | Breaking Cybersecurity News | The Hacker News

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn't the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats. AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge. Let's dive into the threats making noise behind the scenes. ⚡ Threat of the Week Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise...

A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy , which is assessed to share overlaps with another hacking group named Core Werewolf , also tracked as Awaken Likho and PseudoGamaredon. According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing threat actors to remotely access the compromised hosts. "The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine," the company said in a report published last week. The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, ...

Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...

A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720 . As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).  Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on susceptible servers. "An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files," it said in a report published in Ju...

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," Oligo Security researcher Avi Lumelsky said in a report published last week. Ollama is an open-source application that allows users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its project repository on GitHub has been forked 7,600 times to date. A brief description of the six vulnerabilities is below - CVE-2024-39719 (CVSS score: 7.5) - A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the se...

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month an email that was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024. "The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week. "However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code." The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting ( XSS ) v...

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate. The latest findings from cloud security firm Orca show that even GitHub Actions , a continuous integration and continuous delivery ( CI/CD ) platform, is not immune from the threat. "If developers make a typo in their GitHub action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Ha...

A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. "An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server," Rapid7 security researcher Ryan Emmons said in a new report. It's worth noting that CVE-2024-45195 is a bypass for a sequence of issues , CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months. Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware. Rapid7 said all three older shortcomings stem from the ...

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC , short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed. "It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week. These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettah...

A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY , said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools." The primary objective of the attacks is to harvest and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments. A majority of the infections are concentrated in the U.S., China, Singapore, Russia, France, Japan, and India, among others. Prominent among the open-source programs used by the threat actor is SSH-Snake , which was first released in January 2024. It has been described as a tool to carry out automatic network traversal using SSH private keys discovered on systems. The abuse of the software by CRYSTALRAY was ...

All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make up between  70% and 90% of any given piece of modern software . Unfortunately for our security-minded developers, most modern vulnerabilities come from those software components.  As new vulnerabilities emerge and are publicly reported as  Common Vulnerabilities and Exposures  (CVEs), security teams have little choice but to ask the developer to refactor the code to include different versions of the dependencies. Nobody is happy in this situation, as it blocks new features and can be maddening to roll back component versions and hope that nothing breaks. Developers need a w...

Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today. Judge0 (pronounced "judge zero") is  described  by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs. According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been  forked 412 times on GitHub  to date. The flaw...