The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. It's advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand's real URL. It also lets users choose custom keywords like "login," "verify," "security," or "account," and integrates URL shorteners such as TinyURL to obscure the destination URL. "It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container , loads the brand's real website, and acts as a reverse proxy between the target and the legitimate site," Abnormal researchers Callie Baron and Piotr Wojtyla said . "Recipients are served genuine page content directly through the attacker's infrastruc...

Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens. It described the phishing attacks as an identity-based threat that takes advantage of OAuth's standard, by-design behavior rather than exploiting software vulnerabilities or stealing credentials. "OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows," the Microsoft Defender Security Research Team said . "Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipu...

Google on Monday disclosed that a high-severity security flaw impacting an open-source Qualcomm component used in Android devices has been exploited in the wild. The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), a buffer over-read in the Graphics component. "Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in an advisory, describing it as an integer overflow. The chipmaker said the flaw was reported to it through Google's Android Security team on December 18, 2025. Customers were notified of the security defect on February 2, 2026. There are currently no details on how the vulnerability is being exploited in the wild. However, Google acknowledged in its monthly Android security bulletin that "there are indications that CVE-2026-21385 may be under limited, targeted exploitation." Google's March 2026 update contains patches for a total of 129 vulnerabilities, including a critica...

The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger.  "The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT," the cybersecurity company said in a report shared with The Hacker News. SloppyLemming is the moniker assigned to a threat actor that's known to target government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since ...

Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system. The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux. "Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome extension," according to a description on the NIST National Vulnerability Database (NVD). Palo Alto Networks Unit 42 researcher Gal Weizman, who discovered and reported the flaw on November 23, 2025, said the issue could have permitted malicious extensions with basic permissi...

Google has announced a new program in its Chrome browser to ensure that HTTPS certificates are secure against the future risk posed by quantum computers . "To ensure the scalability and efficiency of the ecosystem, Chrome has no immediate plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store ," the Chrome Secure Web and Networking Team said . "Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group." As Cloudflare explains, MTC is a proposal for the next generation of the Public Key Infrastructure (PKI) used to secure the internet that aims to reduce the number of public keys and signatures in the TLS handshake to the bare minimum required. Under this model, a Certification Authority (CA) signs a single 'Tree Head' representing potentially millions of certi...

This week is not about one big event. It shows where things are moving. Network systems, cloud setups, AI tools, and common apps are all being pushed in different ways. Small gaps in access control, exposed keys, and normal features are being used as entry points. The pattern becomes clear only when you see everything together. Faster scans, smarter misuse of trusted services, and steady targeting of high-value sectors. Each story adds context. Reading them all gives a fuller picture of how today’s threat landscape is evolving. ⚡ Threat of the Week Cisco SD-WAN Zero-Day Exploited — A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administr...

Most SaaS teams remember the day their user traffic started growing fast. Few notice the day bots started targeting them. On paper, everything looks great: more sign-ups, more sessions, more API calls. But in reality, something feels off: Sign-ups increase, but users aren’t activating. Server costs rise faster than revenue. Logs are filled with repeated requests from strange user agents. If this sounds familiar, it’s not just a sign of popularity. Your app is under constant automated attack, even if no ransom emails have arrived. Your load balancer sees traffic. Your product team sees “growth”. Your database sees pain. This is where a WAF like SafeLine fits in. SafeLine is a self-hosted web application firewall (WAF) that sits in front of your app and inspects every HTTP request before it reaches your code.  It does not just look for broken packets or known bad IPs. It watches how traffic behaves: what it sends, how fast, in what patterns, and against which endpoints. ...

A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28 , according to new findings from Akamai. The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework. "Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network," Microsoft noted in its advisory for the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update. However, the tech giant also noted that the vulnerability had been exploited as a zero-day in real-world attacks, crediting the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), for reporting it. In a hypothetical attack scenario, a threat actor could weaponize th...

Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and ultimately drop a developer-targeted credential stealer and remote access trojan. The C2 infrastructure is hosted on Vercel across 31 deployments. The campaign , discovered by Socket and kmsec.uk's Kieran Miyamoto, is being tracked under the moniker StegaBin . It's attributed to a North Korean threat activity cluster known as Famous Chollima. "The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses," So...

OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control. "Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented," Oasis Security said in a report published this week. The flaw has been codenamed ClawJacked by the cybersecurity company. The attack assumes the following threat model: A developer has OpenClaw set up and running on their laptop, with its gateway , a local WebSocket server, bound to localhost and protected by a password. The attack kicks in when the developer lands on an attacker-controlled website through social engineering or some other means. The infection sequence then follows the steps below - Malicious JavaScript on the web page opens a WebSocket connection to localhost on the ...

New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys (identified by the prefix "AIza") embedded in client-side code to provide Google-related services like embedded maps on websites. "With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account," security researcher Joe Leon said , adding the keys "now also authenticate to Gemini even though they were never intended for it." The problem occurs when users enable the Gemini API on a Google Cloud project (i.e., Generative Language API), causing the existing API keys in that project, including those accessible via the website JavaScript code, to gain surreptitious access to Gemini endpoints without any warning or notice. Th...