The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

In a world where threats are persistent, the modern CISO's real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the decisions you make now will shape your organization's resilience for years to come. This isn't just a threat roundup; it's the strategic context you need to lead effectively. Here's your full weekly recap, packed with the intelligence to keep you ahead. ⚡ Threat of the Week New HybridPetya Ransomware Bypasses UEFI Secure Boot — A copycat version of the infamous Petya/NotPetya malware dubbed HybridPetya has been spotted. But no telemetry exists to suggest HybridPetya has been deployed in the wild yet. It also differs in one key respect: It can compromise the secure boot featu...

A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes. Dubbed Villager, the framework is assessed to be the work of Cyberspike, which has positioned the tools as a red teaming solution to automate testing workflows. The package was first uploaded to PyPI in late July 2025 by a user named stupidfish001, a former capture the flag (CTF) player for the Chinese HSCSEC team. "The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns," Straiker researchers Dan Regalado and Amanda Rousseau said in a report shared with The Hacker News. The emergence of Villager comes shortly ...

Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware. "The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said . "By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware." The activity, which was discovered by the cybersecurity company in August 2025, leads to the deployment of malware families like HiddenGh0st and Winos (aka ValleyRAT), both of which are variants of a remote access trojan called Gh0st RAT. It's worth noting that the use of Winos has been attributed to a cybercrime group known as Silver Fox , which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. It's believed to be acti...

The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said . UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025. As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it's in the process of implementing new multi-factor auth...

Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks. The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. "Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory. "The patch fixed the incorrect implementation." According to a 2020 report from Google Project Zero, libimagecodec.quram.so is a closed-source image parsing library developed by Quramsoft that implements support for various image formats. The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025. Samsung did not share any specifics on how the vulnerability is being exploited in attacks...

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks. The agency did not share further details on what triggered these alerts. Previous threat notifications were sent on March 5, April 29 , and June 25. Apple has been sending these notices since November 2021. "These complex attacks target individuals for their status or function: journalists, lawyers, activists, politicians, senior officials, members of steering committees of strategic sectors, etc," CERT-FR said. The development comes less than a month after it emerged that a security flaw in WhatsApp ( CVE-2025-55177 , CVSS score: 5.4) was chained wi...

Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya / NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year. Slovakian cybersecurity company ESET said the samples were uploaded to the VirusTotal platform in February 2025. "HybridPetya encrypts the Master File Table , which contains important metadata about all the files on NTFS-formatted partitions," security researcher Martin Smolár said . "Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition." In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTF...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-5086 , carries a CVSS score of 9.0 out of 10.0. According to Dassault, the issue impacts versions from Release 2020 through Release 2025. "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution," the agency said in an advisory. The addition of CVE-2025-5086 to the KEV catalog comes after the SANS Internet Storm Center reported seeing exploitation attempts targeting the flaw that originate from the IP address 156.244.33[.]162 , which geolocates to Mexico. The attacks involve sending an HTTP request to the "/apriso/WebServices/FlexNetOperationsService.sv...

The security landscape for cloud-native applications is undergoing a profound transformation. Containers, Kubernetes, and serverless technologies are now the default for modern enterprises, accelerating delivery but also expanding the attack surface in ways traditional security models can't keep up with. As adoption grows, so does complexity. Security teams are asked to monitor sprawling hybrid environments, sift through thousands of alerts, and protect dynamic applications that evolve multiple times per day. The question isn't just how to detect risks earlier — it's how to prioritize and respond to what really matters in real time. That's where cloud-native application protection platforms (CNAPPs) come into play. These platforms consolidate visibility, compliance, detection, and response into a unified system. But in 2025, one capability is proving indispensable: runtime visibility. The New Center of Gravity: Runtime For years, cloud security has leaned heavily on preventative c...

A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program. The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users' computers with their privileges. "Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: 'folderOpen' auto-execute the moment a developer browses a project," Oasis Security said in an analysis. "A malicious .vscode/tasks.json turns a casual 'open folder' into silent code execution in the user's context." Cursor is an AI-powered fork of Visual Studio Code, which supports a feature called Workspace Trust to allow developers to safely browse and edit code regardless of where it came from or who wrote it. With this option disab...

Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content. To that end, support for C2PA's Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency. C2PA's Content Credentials are a tamper-evident, cryptographically signed digital manifest providing verifiable provenance for digital content such as images, videos, or audio files. The metadata type, according to Adobe , serves as a "digital nutrition label," giving information about the creator, how it was made, and if it was generated using artificial intelligence (AI). "The Pixel Camera app achieved Assurance Level 2, the highest security rating currently defined by the C2PA Conformance Program," Google's Android Security and C2PA Core teams said ....

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks. "Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable," Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an "arsonist selling firefighting services to their victims." The development comes after Wyden's office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals . The ransomware attack, which al...