Supply Chain Security | Breaking Cybersecurity News | The Hacker News

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...

Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024.  Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise. Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%). Download the complete 43-page analysis → TL;DR A critical disconnect emerges in the 2026 research: While 81% of security leaders call web attacks a top priority, only 39% have deployed solutions to stop the bleeding. Last year's research found 51% unjustified access. This year it's 64% — and accelerating into public infrastructure. What is Web Exposure? Gartner coined 'Web Exposure Management' to describe security risks from third-party applications: analytics, marketing pixels, CDNs, and payment tools. Each connection expands your attack surface; a single vendor compromise can trigger a massive ...

Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular plugins that enable its operators to augment or change its capabilities over time, as well as pivot when objectives change. It was first discovered in December 2025. "The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods," the cybersecurity company said in an analysis published today. "VoidLink's architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) appr...

Old Playbook, New Scale: While defenders are chasing trends, attackers are optimizing the basics The security industry loves talking about "new" threats. AI-powered attacks. Quantum-resistant encryption. Zero-trust architectures. But looking around, it seems like the most effective attacks in 2025 are pretty much the same as they were in 2015. Attackers are exploiting the same entry points that worked - they're just doing it better. Supply Chain: Still Cascading Downstream As the Shai Hulud NPM campaign showed us, supply chain remains a major issue. A single compromised package can cascade through an entire dependency tree, affecting thousands of downstream projects. The attack vector hasn't changed. What's changed is how efficiently attackers can identify and exploit opportunities. AI has collapsed the barrier to entry. Just as AI has enabled one-person software projects to build sophisticated applications, the same is true in cybercrime. What used to requi...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a high-severity security flaw impacting Gogs by adding it to its Known Exploited Vulnerabilities ( KEV ) catalog. The vulnerability, tracked as CVE-2025-8110 (CVSS score: 8.7), relates to a case of path traversal in the repository file editor that could result in code execution. "Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution," CISA said in an advisory. Details of the shortcoming came to light last month when Wiz said it discovered it being exploited in zero-day attacks. The vulnerability essentially bypasses protections put in place for CVE-2024-55947 to achieve code execution by creating a git repository, committing a symbolic link pointing to a sensitive target, and using the PutContents API to write data to the symlink. This, in t...

This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn't need novel tricks. They used what was already exposed and moved in without resistance. Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior. Different victims, same playbook: look normal, move quickly, spread before alarms go off. For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle. Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward. ⚡ Threat of the Week Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability ...

Popular artificial intelligence (AI)-powered Microsoft Visual Studio Code (VS Code) forks such as Cursor, Windsurf, Google Antigravity, and Trae have been found to recommend extensions that are non-existent in the Open VSX registry, potentially opening the door to supply chain risks when bad actors publish malicious packages under those names. The problem, according to Koi , is that these integrated development environments (IDEs) inherit the list of officially recommended extensions from Microsoft's extensions marketplace. These extensions don't exist in Open VSX. The VS Code extension recommendations can take two different forms: file-based, which are displayed as toast notifications when users open a file in specific formats, or software-based, which are suggested when certain programs are already installed on the host. "The problem: these recommended extensions didn't exist on Open VSX," Koi security researcher Oren Yomtov said. "The namespaces were u...

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it's that threat actors don't pause for holidays or resolutions. They just evolve faster. This week's round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what "cybercrime" looks like in practice. Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn't about one big breach anymore; it's about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn't slowed; it's only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week. Here's a sharp look at what's moving beneath the surface of the cybersecurity world as 2026 begin...

Last week's cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not stop when an incident was "over" — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now. ⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7)...

In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025 , malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI systems in 2024 alone, a 25% increase from the previous year. Here's what these incidents have in common: The compromised organizations had comprehensive security programs. They passed audits. They met compliance requirements. Their security frameworks simply weren't built for AI threats. Traditional security frameworks have served organizations well for decades. But AI systems operate fundamentally differently from the applications these frameworks were designed to protect. And the attacks against them don't fit into existing control categories. Security teams followed the f...

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to update to version 2.69 as soon as possible. "We've confirmed that approximately $7 million has been impacted and we will ensure all affected users are refunded," Trust Wallet said in a post on X. "Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users." Trust Wallet is also urging users to refrain from interacting with any messages that do not come from its official channels. Mobile-only users and all other browser extension versions are not affected. According to details shared by SlowMist...

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of writing. The details of the extensions are as follows - Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) - 2,000 users (Published on November 26, 2017) Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) - 180 users (Published on April 27, 2023) "Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said. "Behind the subscription facade, the extensions execute complete traffic ...

The U.S. Federal Communications Commission (FCC) on Monday announced a ban on all drones and critical components made in a foreign country, citing national security concerns. To that end, the agency has added to its Covered List Uncrewed aircraft systems (UAS) and UAS critical components produced in a foreign country, and all communications and video surveillance equipment and services pursuant to the 2025 National Defense Authorization Act ( NDAA ). This move will keep China-made drones such as those from DJI and Autel Robotics out of the U.S. market. The FCC said that while drones offer the potential to enhance public safety and innovation, criminals, hostile foreign actors, and terrorists can weaponize them to present serious threats to the U.S. It also noted that a further review by an Executive Branch interagency body with appropriate national security expertise that was convened by the White House led to a "specific determination" that UAS and UAS critical compon...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK. "A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved," Cloudforce One, Cloudflare's threat intelligence team, said . "Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server." Since its public disclosure on December 3, 2025, the shortcoming...

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT . "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday. The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview , which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typi...

Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565 . Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade , which is also tracked under the names Earth Kapre, RedCurl, and Red Wolf. The financially motivated threat actor is believed to be active since late 2018 , initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The group has a history of using phishing emails to conduct commercial espionage. However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt . One of the notable tools in the threat actor's arsenal is RedLoader, which s...

Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack. Software supply chain security company ReversingLabs said it found the "vulnerability" in bootstrap files provided by a build and deployment automation tool named "zc.buildout." "The scripts automate the process of downloading, building, and installing the required libraries and tools," security researcher Vladimir Pezo said . "Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org – a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue." The PyPI packages that include a bootstrap script that accesses the domain in question include tornado, pypiserver, slapos.core, roman, x...

The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, alleging that the company had misled investors about the security practices that led to the 2020 supply chain attack. In a joint motion filed November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily dismiss the case. The SEC said its decision to seek dismissal "does not necessarily reflect the Commission's position on any other case." SolarWinds and Brown were accused by the SEC in October 2023 of "fraud and internal control failures" and that the company defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The agency also said both SolarWinds and Brown ignored "repeated red flags" and failed to adequately protect its assets, ultimately leading to the supply chain compromise that came to li...

Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef . The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign , per the Singapore-headquartered company, is still ongoing, with new artifacts being detected and associated infrastructure remaining active. "The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection," researchers Darrel Virtusio and Jozsef Gegeny said. TamperedChef is the name assigned to a long-running campaign that has leveraged seemingly legitimate installers for various utilities to distribute an information stealer malware of...

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail), which was first documented by the threat intelligence firm early last year. "Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing," researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard said. The disclosure comes about two months after Swiss cybersecurity company PRODAFT tied the hacking group to a campaign targeting European telecommunications companies, succes...