The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities ( KEV ) catalog, noting that there is evidence of them being exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-50224 (CVSS score: 6.5) - An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in "/tmp/dropbear/dropbearpwd" CVE-2025-9377 (CVSS score: 8.6) - An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution According to information listed on the company's website, the following router models have reached end-of-life (EoL) status - TL-WR841N (versions 10.0 and 11.0) TL-WR841ND (version 10.0) Archer C7 (versions 2.0 and 3.0) Howe...

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar. "The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below - colortoolsv2 (7 downloads) mimelib2 (1 download) The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them. While the packages themselves make no effort to conceal their malici...

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. HexStrike AI, according to its website , is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges. Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling. But according to a report from Check Point, threat actors are trying their hands on the tool to gain an adversarial advantage, attempting to weaponize the tool to ...

In January 2025, cybersecurity experts at Wiz Research found that Chinese AI specialist DeepSeek had suffered a data leak, putting more than 1 million sensitive log streams at risk. According to the Wiz Research team, they identified a publicly accessible ClickHouse database belonging to DeepSeek. This allowed "full control over database operations, including the ability to access internal data", Wiz Research stated, with more than a million lines of log streams involved, containing chat history, secret keys and more. Wiz immediately reported the issue to DeepSeek, which quickly secured the exposure. Still, the incident underscored the danger of data leakage. Intentional or unintentional? Data leakage is a broad concept, covering a range of scenarios. As IBM notes, the term in general refers to a scenario where "sensitive information is unintentionally exposed to unauthorized parties" .  It could be intentional or unintentional. On the intentional side...

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below - CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component  CVE-2025-48543 (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation. The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of "limited, targeted exploitation." Benoît Sevens of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Lin...

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice . "Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," the company said . "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension." The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Application...

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne's steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn't just about detection—it's about operational continuity under pressure. For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. ...

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud." The entire attack lasted only about 35 seconds, with the company stating its "defenses have been working overtime." Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions. Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected t...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device. "This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot," the agency said. "The attacker can then obtain incorrect access control by setting a new administrative password." According to malwrforensics , the issue has been fixed with firmware version TL-WA855RE(EU)_V5_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it's unlikely to receive any patches or updates. Users of the Wi-Fi range e...

Salesloft on Tuesday announced that it's taking Drift temporarily offline "in the very near future," as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. "This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality," the company said . "As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible." The company said its top priority is to ensure the integrity and security of its systems and customers' data, and that it's working with cybersecurity partners, Mandiant and Coalition, as part of its incident response efforts. The development comes after Google Threat Intelligence Group (GTIG) and Mandiant disclosed what it said w...

The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE. The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee's system. "From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections," Yun Zheng Hu and Mick Koomen said . "Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack." The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim. Although the exact initial ...

Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems. "MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management," QiAnXin XLab said in a report published last week. "Compared to typical backdoors, MystRodX stands out in terms of stealth and flexibility." MystRodX, also called ChronosRAT, was first documented by Palo Alto Networks Unit 42 last month in connection with a threat activity cluster called CL-STA-0969 that it said exhibits overlaps with a China-nexus cyber espionage group dubbed Liminal Panda. The malware's stealth stems from the use of various levels of encryption to obscure source code and payloads, while its flexibility allows it to dynamically enable different functions based on a configuration, such as choosing TCP or HTTP for network co...