web security | Breaking Cybersecurity News | The Hacker News

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2. The plugin has more than 40,000 active installs. "In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation, due to a combination of factors including direct route selection, bypassing of authentication mechanisms, and auto-login as admin," Patchstack said . The problem is rooted in its routing mechanism, which is designed to put certain sensitive routes behind an authentication barrier. The plugin exposes its routes under the "/api/modular-connector/" prefix. However, it has been found that this security layer can be bypassed every time the "direct request...

Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024.  Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise. Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%). Download the complete 43-page analysis → TL;DR A critical disconnect emerges in the 2026 research: While 81% of security leaders call web attacks a top priority, only 39% have deployed solutions to stop the bleeding. Last year's research found 51% unjustified access. This year it's 64% — and accelerating into public infrastructure. What is Web Exposure? Gartner coined 'Web Exposure Management' to describe security risks from third-party applications: analytics, marketing pixels, CDNs, and payment tools. Each connection expands your attack surface; a single vendor compromise can trigger a massive ...

Cybersecurity researchers have discovered a major web skimming campaign that has been active since January 2022, targeting several major payment networks like American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. "Enterprise organizations that are clients of these payment providers are the most likely to be impacted," Silent Push said in a report published today. Digital skimming attacks refer to a category of client-side attacks in which bad actors compromise legitimate e-commerce sites and payment portals to inject malicious JavaScript code that's capable of stealthily harvesting credit card information and other personal information when unsuspecting users attempt to make a payment on checkout pages. These attacks are classified under an umbrella term called Magecart , which initially referred to a coalition of cybercriminal groups that targeted e-commerce sites using the Magento software, before diversifying to other products and platf...

Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries , while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named "jorjortan142." "The extension programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor," Socket security researcher Kirill Boychenko said in an analysis. According to the Chrome Web Store listing, the web browser add-on is described as an extension that "simplifies connecti...

A Google Chrome extension with a "Featured" badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. The extension in question is Urban VPN Proxy , which has a 4.7 rating on the Google Chrome Web Store. It's advertised as the "best secured Free VPN access to any website, and unblock content." Its developer is a Delaware-based company named Urban Cyber Security Inc . On the Microsoft Edge Add-ons marketplace, it has 1.3 million installations .  Despite claiming that it allows users to "protect your online identity, stay protected, and hide your IP," an update was pushed to users on July 9, 2025, when version 5.5.0 was released with the AI data harvesting enabled by default using hard-coded settings. Specifically, this is achieved by means of a t...

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8). "An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device," Fortinet said in an advisory. The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle ...

Google on Monday announced a set of new security features in Chrome, following the company's addition of agentic artificial intelligence (AI) capabilities to the web browser. To that end, the tech giant said it has implemented layered defenses to make it harder for bad actors to exploit indirect prompt injections that arise as a result of exposure to untrusted web content and inflict harm. Chief among the features is a User Alignment Critic, which uses a second model to independently evaluate the agent's actions in a manner that's isolated from malicious prompts. This approach complements Google's existing techniques, like spotlighting , which instruct the model to stick to user and system instructions rather than abiding by what's embedded in a web page. "The User Alignment Critic runs after the planning is complete to double-check each proposed action," Google said . "Its primary focus is task alignment: determining whether the proposed action s...

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT . The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware. "NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said . There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes ...

As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies. Here are the five threats that reshaped web security this year, and why the lessons learned will define digital protection for years to come. 1. Vibe Coding Natural language coding, " vibe coding " , transformed from novelty to production reality in 2025, with nearly 25% of Y Combinator startups using AI to build core codebases. One developer launched a multiplayer flight simulator in under three hours, eventually scaling it to 89,000 players and generating thousands in monthly revenue. The Result Code that functions perfectly yet contains exploitable flaws, bypassing traditional security tools. AI generates what you ask for, not what you forget...

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now. The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at "login.microsoftonline[.]com" by only letting scripts from trusted Microsoft domains run. "This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience," the Windows maker said . Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source. The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected. The change, which has been described as a proacti...

New research from CrowdStrike has revealed that DeepSeek's artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China. "We found that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security vulnerabilities increases by up to 50%," the cybersecurity company said . The Chinese AI company previously attracted national security concerns, leading to a ban in many countries. Its open-source DeepSeek-R1 model was also found to censor topics considered sensitive by the Chinese government, refusing to answer questions about the Great Firewall of China or the political status of Taiwan, among others. In a statement released earlier this month, Taiwan's National Security Bureau warned citizens to be vigilant when using Chinese-m...

CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp's familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign's activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia. Read the full report here: https://www.ctm360.com/reports/hackonchat-unmasking-the-whatsapp-hacking-scam The hacking operations and the exploitation techniques Two techniques dominate these hacking operations. The Session Hijacking , where threat actors misuse the linked-device functionality to hijack act...

The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for less-skilled threat actors to mount attacks at scale. Push Security, in a report shared with The Hacker News, said it observed the use of the technique in phishing attacks designed to steal victims' Microsoft account credentials. BitB was first documented by security researcher mr.d0x in March 2022, detailing how it's possible to leverage a combination of HTML and CSS code to create fake browser windows that can masquerade as login pages for legitimate services in order to facilitate credential theft . "BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form," Push Security said. "BitB phishing pages repl...

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named " dino_reborn " between September and November 2025, are listed below. The npm account no longer exists on npm as of writing. signals-embed (342 downloads) dsidospsodlks (184 downloads) applicationooks21 (340 downloads) application-phskck (199 downloads) integrator-filescrypt2025 (199 downloads) integrator-2829 (276 downloads) integrator-2830 (290 downloads) "Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher," Socket security researcher Olivia Brown said. "If the visitor is a victim, they see a fake CAPTCHA, eventually b...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-11371 (CVSS score: 7.5) - A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files. CVE-2025-48703 (CVSS score: 9.0) - An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. The development comes weeks after cybersecurity company Huntress said it detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors leveraging the flaw to run reconnaissan...

A severe vulnerability disclosed in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash . "It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed," Pino said in a technical breakdown of the shortcoming. At its core, Brash stems from the lack of rate limiting on " document.title " API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process. The attack plays out in three steps - Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes ...

Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code. "This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery ( CSRF ) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes. Memory, first introduced by OpenAI in February 2024, is...

E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API. Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236. The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up. Adobe has since revised its advisory to confirm reports of in-the-wil...

Before an attacker ever sends a payload, they've already done the work of understanding how your environment is built. They look at your login flows, your JavaScript files, your error messages, your API documentation, your GitHub repos. These are all clues that help them understand how your systems behave. AI is significantly accelerating reconnaissance and enabling attackers to map your environment with greater speed and precision. While the narrative often paints AI as running the show, we're not seeing AI take over offensive operations end to end. AI is not autonomously writing exploits, chaining attacks, and breaching systems without the human in the loop. What it is doing is speeding up the early and middle stages of the attacker workflow: gathering information, enriching it, and generating plausible paths to execution.  Think of it like AI-generated writing; AI can produce a draft quickly given the right parameters, but someone still needs to review, refine, and tune it f...

Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Download the complete iframe security guide here .  TL;DR: iframe Security Exposed Payment iframes are being actively exploited by attackers using malicious overlays to skim credit card data. These pixel-perfect fake forms bypass traditional security, as proven by a recent Stripe campaign that has already compromised dozens of merchants. This article explores: Anatomy of the 2024 Stripe skimmer attack. Why old defenses like CSP and X-Frame-Options are failing. Modern attack vectors: overlays, postMessage spoofing, and CSS exfiltration. How third-party scripts in payment iframes create new risks. How the new PCI DSS 4.0.1 rules are forcing merchants to secure the entire page. A six-step defense strategy focusing on real-time mon...