The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new Android malware called RatOn  has evolved from a basic tool capable of conducting Near Field Communication ( NFC ) relay attacks to a sophisticated remote access trojan with Automated Transfer System ( ATS ) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic. Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It's worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to d...

⚠️ One click is all it takes. An engineer spins up an "experimental" AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes. Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security's line of sight, tied to identities you don't even know exist. And here's the uncomfortable truth: every one of them carries infinite risk. Agents impersonating trusted users. Non-human identities with access you didn't approve. Data leaking across boundaries you thought were locked down. This isn't a futuristic threat. It's happening today, across enterprises everywhere. And they're multiplying faster than your governance can catch up. That's why you can't miss our upcoming panel: Shadow AI Agents Exposed. Secure your seat now - Register Here . Why Shadow AI is Exploding From identity providers to PaaS platforms, it takes almost nothing to spin...

Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT . The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said. "These include the use of an Easy Programming Language ( EPL ) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools," Yurren Wan said . EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It's chiefly meant for users who may not be proficient in English....

It's budget season. Once again, security is being questioned, scrutinized, or deprioritized. If you're a CISO or security leader, you've likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they're framed in a way the board can understand and appreciate. According to a Gartner analysis , 88% of Boards see cybersecurity as a business risk, rather than an IT issue, yet many security leaders still struggle to raise the profile of cybersecurity within the organization. For security issues to resonate amongst the Board you need to speak its language: business continuity, compliance, and cost impact. Below are some strategies to help you frame the conversation, transforming the technical and complex into clear business directives.  Recognize the High Stakes Cyber threats continue to evolve, from ransomware and supply chain attacks to ...

Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet. The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity. "This new strain seems to use similar tooling to the original, but may have a different end goal – including possibly setting up the foundation of a complex botnet," security researcher Yonatan Gilvarg said . The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors runn...

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix ), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link. The phishing page is said to have prompted the co-maintainer to enter their username, password, and two-factor authentication (2FA) token, only for it to be stolen likely by means of an adversary-in-the-middle ( AitM ) attack and used to publish the rogue version to the npm registry. The following 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident - ansi-regex@6.2.1 ansi-styles@6.2.2 backslash@0.2.1 chalk@5.6.1 chalk-template@1.1.1 color-convert@3.1.1 color-name@2.0.1...

Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841. "The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group," Silent Push said in a new analysis shared with The Hacker News. The identified infrastructure, totaling 45 domains, has also been identified as sharing some level of overlap with another China-associated hacking group tracked as UNC4841 , which is best known for its zero-day exploitation of a security flaw in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868, CVSS score: 9.8). Salt Typhoon , active since 2019, drew widespread attention last year for its targeting of telecommunications services providers in the U.S. Believed to be operated by China's Ministry of State Secur...

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows," Salesloft said in an updated advisory. The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance. In the next phase, the attackers accessed Drift's Amazon Web Services (AWS)...

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure. "Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site," Arctic Wolf said in a report published last week. Exclusively targeting IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain ("gitpage[.]app"). The activity was first detected on August 19, 2025. The first...

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it's knowing which risks matter most right now. That's what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It's a sharp reminder of how fragile integrations can become the weak link in enterprise defenses. Alongside this, we'll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise. ⚡ Threat of the Week Salesloft to Take Drift Of...

When Attackers Get Hired: Today's New Identity Crisis What if the star engineer you just hired isn't actually an employee, but an attacker in disguise? This isn't phishing; it's infiltration by onboarding. Meet "Jordan from Colorado," who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out. On day one, Jordan logs into email and attends the weekly standup, getting a warm welcome from the team. Within hours, they have access to repos, project folders, even some copy/pasted dev keys to use in their pipeline. A week later, tickets close faster, and everyone's impressed. Jordan makes insightful observations about the environment, the tech stack, which tools are misconfigured, and which approvals are rubber-stamped. But Jordan wasn't Jordan. And that red-carpet welcome the team rolled out was the equivalent to a golden key, handed straight to the adversary. From Phishing to Fake Hires The modern con isn't a malicious link in...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...