The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

This week didn’t produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next. Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface. That’s the point. Entry is becoming less visible while impact scales later. Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns. They run more like services. This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise. Startup espionage expansion Operation Nomad Leopard Targets Afghanistan In a sign that the threat actor has moved ...

Today’s “AI everywhere” reality is woven into everyday workflows across the enterprise, embedded in SaaS platforms, browsers, copilots, extensions, and a rapidly expanding universe of shadow tools that appear faster than security teams can track. Yet most organizations still rely on legacy controls that operate far away from where AI interactions actually occur. The result is a widening governance gap where AI usage grows exponentially, but visibility and control do not.  With AI becoming central to productivity, enterprises face a new challenge: enabling the business to innovate while maintaining governance, compliance, and security.  A new Buyer’s Guide for AI Usage Control argues that enterprises have fundamentally misunderstood where AI risk lives. Discovering AI Usage and Eliminating ‘Shadow’ AI will also be discussed in an upcoming virtual lunch and learn .  The surprising truth is that AI security isn’t a data problem or an app problem. It’s an interaction pro...

The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of the month. "The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities," Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News. "This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran." The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian govern...

A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands. The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of inadequate sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025. "Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613," n8n's maintainers said in an advisory released Wednesday. "An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n." The issue affects the following versions - <1.123.17 (Fixed in 1.123.17) <2.5.2 (Fixed in 2.5.2)

Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it through the attacker's infrastructure. Datadog Security Labs said it observed threat actors associated with the recent React2Shell ( CVE-2025-55182 , CVSS score: 10.0) exploitation using malicious NGINX configurations to pull off the attack. "The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers," security researcher Ryan Simon said. "The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov)." The activity involves the use of shell scripts to inject malicious configurations into NGINX, an open-source reverse proxy and load balancer for web traffic management. These "locatio...

Microsoft on Wednesday said it built a lightweight scanner that it said can detect backdoors in open-weight large language models (LLMs) and improve the overall trust in artificial intelligence (AI) systems. The tech giant's AI Security team said the scanner leverages three observable signals that can be used to reliably flag the presence of backdoors while maintaining a low false positive rate. "These signatures are grounded in how trigger inputs measurably affect a model's internal behavior, providing a technically robust and operationally meaningful basis for detection," Blake Bullwinkel and Giorgio Severi said in a report shared with The Hacker News. LLMs can be susceptible to two types of tampering: model weights, which refer to learnable parameters within a machine learning model that undergird the decision-making logic and transform input data into predicted outputs, and the code itself. Another type of attack is model poisoning, which occurs when a t...

Threat hunters have disclosed details of a new, stealthy malware campaign dubbed DEAD#VAX that employs a mix of "disciplined tradecraft and clever abuse of legitimate system features" to bypass traditional detection mechanisms and deploy a remote access trojan (RAT) known as AsyncRAT . "The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, enabling surveillance and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots. The starting point of the infection sequence is a phishing email...

Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025. Check Point Research is tracking the previously undocumented activity cluster under the moniker Amaranth-Dragon , which it said shares links to the APT 41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. "Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events," the cybersecurity company said in a report shared with The Hacker News. "By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content." The Israeli firm added that the attacks were "narrowly focused" and "tightly scoped," indicating efforts on the part o...

An innovative approach to discovering, analyzing, and governing identity usage beyond traditional IAM controls. The Challenge: Identity Lives Outside the Identity Stack Identity and access management tools were built to govern users and directories. Modern enterprises run on applications. Over time, identity logic has moved into application code, APIs, service accounts, and custom authentication layers. Credentials are embedded. Authorization is enforced locally. Usage patterns change without review. These identity paths often operate outside the visibility of IAM, PAM, and IGA. For security and identity teams, this creates a blind spot - what we call Identity Dark Matter. This dark matter is responsible for the identity risk that cannot be directly observed. Why Traditional Approaches Fall Short Most identity tools rely on configuration data and policy models. That works for managed users.

Many incident response failures do not come from a lack of tools, intelligence, or technical skills. They come from what happens immediately after detection, when pressure is high, and information is incomplete. I have seen IR teams recover from sophisticated intrusions with limited telemetry. I have also seen teams lose control of investigations they should have been able to handle. The difference usually appears early. Not hours later, when timelines are built, or reports are written, but in the first moments after a responder realizes something is wrong. Those early moments are often described as the first 90 seconds. However, taken too literally, that framing misses the point. This is not about reacting faster than an attacker or rushing to action. It is about establishing direction before assumptions harden and options disappear. Responders make quiet decisions right away, like what to look at first, what to preserve, and whether to treat the issue as a single system problem o...

Microsoft has warned that information-stealing attacks are "rapidly expanding" beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale. The tech giant's Defender Security Research Team said it observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer ( AMOS ), MacSync , and DigitStealer . The campaigns have been found to use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft. This includes details like web browser credentials and session data, iCloud Keychain, and developer secrets. The starting point of these attacks is often a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial i...

The Eclipse Foundation, which maintains the Open VSX Registry, has announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository to combat supply chain threats. The move marks a shift from a reactive to a proactive approach to ensure that malicious extensions don't end up getting published on the Open VSX Registry. "Up to now, the Open VSX Registry has relied primarily on post-publication response and investigation. When a bad extension is reported, we investigate and remove it," Christopher Guindon, director of software development at the Eclipse Foundation, said . "While this approach remains relevant and necessary, it does not scale as publication volume increases and threat models evolve." The change comes as open-source package registries and extension marketplaces have increasingly become attack magnets, enabling bad actors to target developers at scale through a variet...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities ( KEV ) catalog, flagging it as actively exploited in attacks. The vulnerability, tracked as CVE-2025-40551 (CVSS score: 9.8), is a untrusted data deserialization vulnerability that could pave the way for remote code execution. "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine," CISA said. "This could be exploited without authentication." SolarWinds issued fixes for the flaw last week, along with CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), in WHD version 2026.1. There are currently no public reports about ...

Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon , an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data. The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by Docker with the release of version 4.50.0 in November 2025. "In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP [Model Context Protocol] Gateway, which then executes it through MCP tools," Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News. "Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture." ...

Most security teams today are buried under tools. Too many dashboards. Too much noise. Not enough real progress. Every vendor promises “complete coverage” or “AI-powered automation,” but inside most SOCs, teams are still overwhelmed, stretched thin, and unsure which tools are truly pulling their weight. The result? Bloated stacks, missed signals, and mounting pressure to do more with less. This live session, " Breaking Down the Modern SOC: What to Build vs Buy vs Automate ," with Kumar Saurabh (CEO, AirMDR) and Francis Odum (CEO, SACR) , clears the fog. No jargon. Just real answers to the question every security leader faces: What should we build, what should we buy, and what should we automate? Secure your spot for the live session ➜ You’ll see what a healthy modern SOC looks like today—how top-performing teams decide where to build, when to buy, and how to automate without losing control. The session goes beyond theory: expect a real customer case study, a si...

Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025. Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added. In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder (...

Recent major cloud service outages have been hard to miss. High-profile incidents affecting providers such as AWS, Azure, and Cloudflare have disrupted large parts of the internet, taking down websites and services that many other systems depend on. The resulting ripple effects have halted applications and workflows that many organizations rely on every day. For consumers, these outages are often experienced as an inconvenience, such as being unable to order food, stream content, or access online services. For businesses, however, the impact is far more severe. When an airline’s booking system goes offline, lost availability translates directly into lost revenue, reputational damage, and operational disruption. These incidents highlight that cloud outages affect far more than compute or networking. One of the most critical and impactful areas is identity. When authentication and authorization are disrupted, the result is not just downtime; it is a core operational and security inci...

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit . Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug. The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it. The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), have been credited with discovering and reporting the flaw. "Social engineering lures were crafted in both English and localized ...

Mozilla on Monday announced a new controls section in its Firefox desktop browser settings that allows users to completely turn off generative artificial intelligence (GenAI) features. "It provides a single place to block current and future generative AI features in Firefox," Ajit Varma, head of Firefox, said . "You can also review and manage individual AI features if you choose to use them. This lets you use Firefox without AI while we continue to build AI features for those who want them." Mozilla first announced its plans to integrate AI into Firefox in November 2025, stating it's fully opt-in and that it's incorporating the technology while placing users in the driver's seat. The new feature is expected to be rolled out with Firefox 148, which is scheduled to be released on February 24, 2026. At the outset, AI controls will allow users to manage the following settings individually - Translations Alt text in PDFs (adding accessibility descrip...

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++. The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7. The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility. The weakness was plugged in December 2025 with the release of version 8.8.9. It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the atta...