cybersecurity | Breaking Cybersecurity News | The Hacker News

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency , which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data. "Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client," according to a description of the flaw in CVE.org. The flaw impacts the following versions of the database - MongoDB 8.2.0 through 8.2.3 MongoDB 8.0.0 through 8.0.16 MongoDB 7.0.0 through 7.0.26 MongoDB 6.0.0 through 6.0.26 MongoDB 5.0.0 through 5.0.31 MongoDB 4.4.0 through 4.4.29 All MongoDB Server v4.2 versions All MongoDB Server v4.0 versions All MongoDB Server v3.6 versions The issue has b...

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to update to version 2.69 as soon as possible. "We've confirmed that approximately $7M has been impacted and we will ensure all affected users are refunded," Trust Wallet said in a post on X. "Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users." Trust Wallet is also urging users to refrain from interacting with any messages that do not come from its official channels. Mobile-only users and all other browser extension versions are not affected. According to details shared by SlowMist, versi...

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core ) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch . "A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions," the project maintainers said in an advisory. "The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries." "The 'lc' key is used internally by LangChain to mark ser...

It's getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they're blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut "hacker stories" now looks more like a mirror of the systems we all use. This week's findings show a pattern: precision, patience, and persuasion. The newest campaigns don't shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn't just in what's being exploited, but in how ordinary it all looks. ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It's a reminder that the future of cybersecurity won't hinge on bigger walls, but on sharper awareness.

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. This assessment is "based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps ," it added. LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases.  ...

Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. "This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (eg, LDAP)," Fortinet noted in July 2020. "The issue exists because of inconsistent case-sensitive matching among the local and remote authentication."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code execution. "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi," CISA said. The addition of CVE-2023-52163 to the KEV catalog comes in the multiple reports from Akamai and Fortinet about the exploitation of the flaw by threat actors to deliver botnets like Mirai and ShadowV2 . According to TXOne Research security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched due to the device reaching end-of-life (EoL) status. Successfu...

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks. "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix -style techniques, this sample adopts a more deceptive, hands-off approach," Jamf researcher Thijs Xhaflaire said . The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named "zk-call-messenger-installer-3.9.2-lts.dmg" that's hosted on "zkcall[.]net/download." The fact that it's signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructio...

The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from Czechia, Japan, Slovakia, Spain, and Poland. Nomani was first documented by ESET in December 2024 as leveraging social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claim significant returns. When victims request payout of the promised profits, they are asked to pay additional fees or provide additional personal information, such as ID and credit card information. As is typical of investment scams of this kind, the end goal is financial loss...

Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday.  But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged our perceived wisdom about exactly which types of businesses cybercriminals are targeting.  This article will outline the learnings from key data breaches in 2025 as well as the most effective ways for SMBs to protect themselves in the coming year. Examining the 2025 data breaches Prior to 2025, large businesses were popular targets for hackers because of their large pools of resources. It was assumed that smaller businesses simply weren't as vulnerable to cyberattacks because there was less value in attacking them. But new security research from the Data Breach Observatory shows that's changing: Small- and medium-sized businesses (SMBs) are now more likely to become a target. ...

The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation. The SEC said the scam unfolded as a multi-step fraud that enticed unsuspecting users with ads on social media and built trust with them through group chats in which the scammers posed as financial professionals and promised returns from artificial intelligence (AI)-generated investment tips. The fraudsters then convinced the victims to invest their funds into fake cryptocurrency asset trading platforms, only to defraud them later. According to the SEC, AI Weal...

Apple has been fined €98.6 million ($116 million) by Italy's antitrust authority after finding that the company's App Tracking Transparency (ATT) privacy framework restricted App Store competition. The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato, or AGCM) said the company's "absolute dominant position" in app distribution allowed it to "unilaterally impose" the ATT rules on third-party app developers, without consulting with them beforehand. The investigation was launched in May 2023. The AGCM said it's not calling into question Apple's decision to adopt safeguards designed to enhance users' privacy on iOS, but rather it's taking issue with the consent requirements that are excessively burdensome for developers and "disproportionate" to the stated objectives of ATT. Specifically, this requires developers to serve both ATT- and GDPR-related permission prompts in apps for iPhone and iPad ...

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of writing. The details of the extensions are as follows - Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) - 2,000 users (Published on November 26, 2017) Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) - 180 users (Published on April 27, 2023) "Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said. "Behind the subscription facade, the extensions execute complete traffic ...

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and ransomware on the continent. Participating nations included Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. Over the course of the initiative, more than 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The names of the ransomware families were not disclosed. The investigated incidents were linked to estimated financial losses exceeding $21 million, INTERPOL added. Multiple suspects have been arr...

Passwd is designed specifically for organizations operating within Google Workspace. Rather than competing as a general consumer password manager, its purpose is narrow, and business-focused: secure credential storage, controlled sharing, and seamless Workspace integration. The platform emphasizes practicality over feature overload, aiming to provide a reliable system for teams that already rely on Google's tools.  Security as the starting point Encryption and data protection are the basic building blocks of Passwd. Every credential, file, or sensitive asset gets encrypted with AES-256, an extremely secure encryption standard that is widely recognized. Encryption happens before storage, keeping data protected throughout its lifecycle.  Passwd is based on a zero-knowledge architecture; only the users, not Passwd, are able to access decrypted data. It does not have any visibility of the stored passwords or secrets. The structure reflects an enterprise mindset: Centralize...

The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of a bank account takeover scheme. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia. "The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing," the DoJ said . "These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities." The ads served as a conduit to redirect unsuspecting users to fake bank websites operated by the threat actors, who harvested ...

A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613 , carries a CVSS score of 9.9 out of a maximum of 10.0. Security researcher Fatih Çelik has been credited with discovering and reporting the flaw. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime," the maintainers of the npm package said . "An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of w...

The U.S. Federal Communications Commission (FCC) on Monday announced a ban on all drones and critical components made in a foreign country, citing national security concerns. To that end, the agency has added to its Covered List Uncrewed aircraft systems (UAS) and UAS critical components produced in a foreign country, and all communications and video surveillance equipment and services pursuant to the 2025 National Defense Authorization Act ( NDAA ). This move will keep China-made drones such as those from DJI and Autel Robotics out of the U.S. market. The FCC said that while drones offer the potential to enhance public safety and innovation, criminals, hostile foreign actors, and terrorists can weaponize them to present serious threats to the U.S. It also noted that a further review by an Executive Branch interagency body with appropriate national security expertise that was convened by the White House led to a "specific determination" that UAS and UAS critical compon...

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named " lotusbail ," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "seiren_primrose" in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing. Under the cover of a functional tool, the malware "steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server," Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it's equipped to capture authentication tokens and session keys, messa...