The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Malicious actors can exploit default configurations in ServiceNow's Now Assist generative artificial intelligence (AI) platform and leverage its agentic capabilities to conduct prompt injection attacks. The second-order prompt injection, according to AppOmni, makes use of Now Assist's agent-to-agent discovery to execute unauthorized actions, enabling attackers to copy and exfiltrate sensitive corporate data, modify records, and escalate privileges. "This discovery is alarming because it isn't a bug in the AI; it's expected behavior as defined by certain default configuration options," said Aaron Costello, chief of SaaS Security Research at AppOmni. "When agents can discover and recruit each other, a harmless request can quietly turn into an attack, with criminals stealing sensitive data or gaining more access to internal company systems. These settings are easy to overlook." The attack is made possible because of agent discovery and agent-to-a...

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034 , carries a CVSS score of 6.7 out of a maximum of 10.0. "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," the company said in a Tuesday advisory. In other words, successful attacks require an attacker to first authenticate themselves through some other means and chain it with CVE-2025-58034 to execute arbitrary operating system commands. It has been addressed in the following versions - FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above) FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above) FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above) FortiWeb 7.2.0 through 7.2.11 (U...

The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for less-skilled threat actors to mount attacks at scale. Push Security, in a report shared with The Hacker News, said it observed the use of the technique in phishing attacks designed to steal victims' Microsoft account credentials. BitB was first documented by security researcher mr.d0x in March 2022, detailing how it's possible to leverage a combination of HTML and CSS code to create fake browser windows that can masquerade as login pages for legitimate services in order to facilitate credential theft . "BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form," Push Security said. "BitB phishing pages repl...

Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform's network protocol. The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative attack surface for state-sponsored actors and commercial spyware vendors. The company also noted that it's setting up a pilot initiative where it's inviting research teams to focus on platform abuse with support for internal engineering and tooling. "Our goal is to lower the barrier of entry for academics and other researchers who might not be as familiar with bug bounties to join our program," it added . The development comes as the social media giant said it has awarded more than $25 million in bug bounties to over 1,400 researchers from 88 countries in the last 15 years, out of which more than $4 million were...

You've probably already moved some of your business to the cloud—or you're planning to. That's a smart move. It helps you work faster, serve your customers better, and stay ahead. But as your cloud setup grows, it gets harder to control who can access what. Even one small mistake—like the wrong person getting access—can lead to big problems. We're talking data leaks, legal trouble, and serious damage. And with different rules in different regions like the US, UK, EU, APAC, and more, keeping up is tough. Join our free webinar: " Securing Cloud Workloads and Infrastructure: Balancing Innovation with Identity and Access Control " with experts from CyberArk. You'll learn simple, practical ways to stay secure and move fast. Cloud tools today aren't all the same. Most companies use several cloud platforms at once—each with its own setup, rules, and risks. You want your team to stay fast and flexible, but you also need to keep everything safe. That's a tricky balance. That's why we'...

Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni . "The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. Tuoni is advertised as an advanced C2 framework designed for security professionals, facilitating penetration testing operations, red team engagements, and security assessments. A "Community Edition" of the software is freely available for download from GitHub. It was first released in early 2024. The attack, per Morphisec, unfolded in mid-October 2025, with the unknown threat actor likely leveraging social engineering via Microsoft Teams impersonation for initial access. It's suspected that t...

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail), which was first documented by the threat intelligence firm early last year. "Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing," researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard said. The disclosure comes about two months after Swiss cybersecurity company PRODAFT tied the hacking group to a campaign targeting European telecommunications companies, succes...

Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane. Building on Gartner's definition of " identity fabric ," identity security fabric takes a more proactive approach, securing all identity types (human, machine, and AI agents) across on-prem, hybrid, multi-cloud, and complex IT environments. Why identity security fabric matters now As cyberattacks become more prevalent and sophisticated, traditional approaches characterized by siloed identity tools can't keep pace with evolving threats. Today's rapidly expanding attack surface is driven primarily by non-human identities (NHIs), including service accounts, API keys, and AI agents. Fragmented point solutions weaken an organization's overall ...

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named " dino_reborn " between September and November 2025, are listed below. The npm account no longer exists on npm as of writing. signals-embed (342 downloads) dsidospsodlks (184 downloads) applicationooks21 (340 downloads) application-phskck (199 downloads) integrator-filescrypt2025 (199 downloads) integrator-2829 (276 downloads) integrator-2830 (290 downloads) "Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher," Socket security researcher Olivia Brown said. "If the visitor is a victim, they see a fake CAPTCHA, eventually b...

Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU . It's currently not known who was targeted by the attack. "The attack involved extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions," Microsoft's Sean Whalen said . "These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement." According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, se...

Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the flaw in the NIST National Vulnerability Database (NVD). Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an "exploit for CVE-2025-13223 exists in the...

Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT . The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION . First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year. "Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services," the Canadian cybersecurity vendor said. "Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Vi...