The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Microsoft has warned that using pre-made templates, such as out-of-the-box Helm charts, during Kubernetes deployments could open the door to misconfigurations and leak valuable data. "While these 'plug-and-play' options greatly simplify the setup process, they often prioritize ease of use over security," Michael Katchinskiy and Yossi Weizman from the Microsoft Defender for Cloud Research team said . "As a result, a large number of applications end up being deployed in a misconfigured state by default, exposing sensitive data, cloud resources, or even the entire environment to attackers." Helm is a package manager for Kubernetes that allows developers to package, configure, and deploy applications and services onto Kubernetes clusters. It's part of the Cloud Native Computing Foundation (CNCF). Kubernetes application packages are structured in the Helm packaging format called charts , which are YAML manifests and templates used to describe the Kuber...

Microsoft Entra ID (formerly Azure Active Directory) is the backbone of modern identity management, enabling secure access to the applications, data, and services your business relies on. As hybrid work and cloud adoption accelerate, Entra ID plays an even more central role — managing authentication, enforcing policy, and connecting users across distributed environments. That prominence also makes it a prime target. Microsoft reports over 600 million attacks on Entra ID every day. These aren't just random attempts, but include coordinated, persistent, and increasingly automated campaigns designed to exploit even small vulnerabilities. Which brings us to the core question: Are Entra ID's native protections enough? Where do they fall short — and what steps should you take to close the gaps and ensure you're covered? Understanding Entra ID At its core, Microsoft Entra ID is your enterprise identity and access management system. It defines how users prove who they are, what resources...

Everyone has cybersecurity stories involving family members. Here's a relatively common one. The conversation usually goes something like this:  "The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I've never seen before. Isn't that weird?" This is an example of an account takeover attack on a customer account. Typically what happens is that a streaming account is compromised, probably due to a weak and reused password, and access is resold as part of a common digital black market product, often advertised as something like "LIFETIME STREAMING SERVICE ACCOUNT - $4 USD." In the grand scheme of things, this is a relatively mild inconvenience for most customers. You can reset your credentials with a much stronger password, call your bank to issue a new credit card and be back to binge-watching The Crown i...

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed," Google said in a Monday advisory. "User interaction is not needed for exploitation." It's worth noting that CVE-2025-27363 is rooted in the FreeType open-source font rendering library. It was first disclosed by Facebook in March 2025 as having been exploited in the wild. The shortcoming has been described as an out-of-bounds write flaw that could result in code execution when parsing TrueType GX and variable fo...

A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities ( KEV ) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-3248 , carries a CVSS score of 9.8 out of a maximum of 10.0. "Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests," CISA said. Specifically, the endpoint has been found to improperly invoke Python's built-in exec() function on user-supplied code without adequate authentication or sandboxing, thereby allowing attackers to execute arbitrary commands on the server. The shortcoming, which affects most versions of the popular tool, has been addressed in version 1.3.0 released on March 31, 2025. Horizon3.ai has been credited with...

Cybersecurity researchers have disclosed a series of now-patched security vulnerabilities in Apple's AirPlay protocol that, if successfully exploited, could enable an attacker to take over susceptible devices supporting the proprietary wireless technology. The shortcomings have been collectively codenamed AirBorne by Israeli cybersecurity company Oligo. "These vulnerabilities can be chained by attackers to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK," security researchers Uri Katz, Avi Lumelsky, and Gal Elbaz said . Some of the vulnerabilities, like CVE-2025-24252 and CVE-2025-24132, can be strung together to fashion a wormable zero-click RCE exploit, enabling bad actors to deploy malware that propagates to devices on any local network the infected device connects to. This could then pave the way for sophisticated attacks that can lead to the deployment of backdoors an...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25. "Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code," CISA said . The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution. Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called "deployWebpackage.do" that triggers a pre-authenticat...

What if attackers aren't breaking in—they're already inside, watching, and adapting? This week showed a sharp rise in stealth tactics built for long-term access and silent control. AI is being used to shape opinions. Malware is hiding inside software we trust. And old threats are returning under new names. The real danger isn't just the breach—it's not knowing who's still lurking in your systems. If your defenses can't adapt quickly, you're already at risk. Here are the key cyber events you need to pay attention to this week. ⚡ Threat of the Week Lemon Sandstorm Targets Middle East Critical Infra — The Iranian state-sponsored threat group tracked as Lemon Sandstorm targeted an unnamed critical national infrastructure (CNI) in the Middle East and maintained long-term access that lasted for nearly two years using custom backdoors like HanifNet, HXLibrary, and NeoExpressRAT. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive es...

Let's be honest: if you're one of the first (or the first) security hires at a small or midsize business, chances are you're also the unofficial CISO, SOC, IT Help Desk, and whatever additional roles need filling. You're not running a security department. You are THE security department. You're getting pinged about RFPs in one area, and reviewing phishing alerts in another, all while sifting through endless FP alerts across the board. The tools meant to help are often creating more work than they solve. Security teams end up choosing between letting things slip or becoming the "Department of No." Chances are you inherited your company's Google Workspace. Thankfully, Google handles the infrastructure, the uptime, and the spam filtering. But while Google takes care of a lot, it doesn't cover everything, and it can be difficult for security teams to operationalize all of Google's underlying capabilities without significant engineering work. It's your job to se...

The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal. "TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information," Recorded Future Insikt Group said . "TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files." Golden Chickens, also known as TA4557 and Venom Spider, is the name given to a financially motivated threat actor linked to a notorious malware family called More_eggs . It's known to be active since at least 2018, offering its warez under a malware-as-a-service (MaaS) model. Campaigns distributing More_eggs entail the use of spear-phishing emails to target hiring managers using fake resumes, allowing attackers to steal confidential data. ...

Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable. The names of the packages are listed below - github[.]com/truthfulpharm/prototransform github[.]com/blankloggia/go-mcp github[.]com/steelpoor/tlsproxy "Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads," Socket researcher Kush Pandya said . The packages are designed to check if the operating system on which they are being run is Linux, and if so retrieve a next-stage payload from a remote server using wget. The payload is a destructive shell script that overwrites the entire primary disk (" /dev/sda ") with zeroes, effectively preventing the machine from booting up. "This destructive method ensures no data recovery tool or forensic process can restore the data, as...

An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage," the FortiGuard Incident Response (FGIR) team said in a report. The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757. It's been assessed to be active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has leveraged ...