The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming cybercriminal, who, about 10 years ago, fled his hometown in Kharkov, Ukraine, to a new place somewhere near the Romanian coast. The vulnerabilities were credited by Microsoft to a party named "SkorikARI with SkorikARI," which has been assessed to be another username used by EncryptHub. The flaws in question, both of which were fixed by Redmond as part of its Patch Tuesday update last month, are below - CVE-2025-24061 (CVSS score: 7.8) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2025-24071 (CVSS score: 6.5) - Microsoft Windo...

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko said in a report. The packages in question, which were collectively downloaded more than 5,600 times prior to their removal, are listed below - empty-array-validator twitterapis dev-debugger-vite snore-log core-pino events-utils icloud-cod cln-logger node-clog consolidate-log consolidate-logger The disclosure comes nearly a month after a set of six npm packages were discovered distributing BeaverTail , a JavaScript stealer that's also capable of delivering a Python-b...

Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information and test stolen credit card data. Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs . A third package discovered by Socket, disgrasya, contained a fully automated carding script targeting WooCommerce stores. The packages attracted hundreds of downloads before being taken down, according to statistics from pepy.tech - bitcoinlibdbfix - 1,101 downloads bitcoinlib-dev - 735 downloads disgrasya - 37,217 downloads "The malicious libraries both attempt a similar attack, overwriting the legitimate 'clw cli' command with malicious code that attempts to exfiltrate sensitive database files," ReversingLabs said. In an interesting twist, the authors of the counterfeit libraries are s...

The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token ( PAT ) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code," Palo Alto Networks Unit 42 said in an update this week. "This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog." There is evidence to suggest that the malicious activity began as far back as late November 2024, although the attack against Coinbase did not take place until March 2025. Unit 42 said its investigation began with the knowledge that reviewdog's GitHub Action was compromised due to a leaked PAT associated with the project's maintainer. This subsequen...

There's a virtuous cycle in technology that pushes the boundaries of what's being built and how it's being used. A new technology development emerges and captures the world's attention. People start experimenting and discover novel applications, use cases, and approaches to maximize the innovation's potential. These use cases generate significant value, fueling demand for the next iteration of the innovation, and in turn, a new wave of innovators create the next generation of use cases, driving further advancements. Containerization has become the foundation of modern, cloud-native software development, supporting new use cases and approaches to building resilient, scalable, and portable applications. It also holds the keys to the next software delivery innovation, simultaneously necessitating the evolution to secure-by-design, continuously-updated software and serving as the means to get there. Below, I'll talk through some of the innovations that led to our containerized r...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting ( BPH ) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it identified an operational security (OPSEC) failure in the domain that left its malicious infrastructure exposed, thereby revealing the malicious payloads staged on the server.  "This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte – an amateur cybercriminal leveraging Proton66's bulletproof hosting to distribute malware and engage in other illicit activities," it said in a report shared with The Hacker News. Proton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distribut...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said , involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments. The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees. Visiting these links leads to the download of a Visual Basic Script (VBS) loader that's designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots. The activity, attributed to a threat ...

A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances. Apache Parquet is a free and open-source columnar data file format that's designed for efficient data processing and retrieval, providing support for complex data, high-performance compression, and encoding schemes. It was first launched in 2013. The vulnerability in question is tracked as CVE-2025-30065 . It carries a CVSS score of 10.0. "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory. According to Endor Labs, successful exploitation of the flaw requires tricking a vulnerable system into reading a specially crafted Parquet file to obtain code execution. "This vulnerability can impact data pipelines and analytics systems...

Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The Hacker News. A notable aspect of these campaigns is that they lead to phishing pages that are delivered via a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365 , an e-crime platform that first came to light in early December 2024. Also delivered are remote access trojans (RATs) like Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus , AHKBot, GuLoader , and BruteRatel C4 (BRc4). One such campaign spotted by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the t...