The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai , Gafgyt , and Mozi . "These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks," the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News. The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS . This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below - CVE-2017-9841 - A Remote code execution vulnerability in PHPUnit CVE-2021-3129 - A Re...

Cybersecurity researchers have flagged a new security issue in agentic web browsers like OpenAI ChatGPT Atlas that exposes underlying artificial intelligence (AI) models to context poisoning attacks. In the attack devised by AI security company SPLX, a bad actor can set up websites that serve different content to browsers and AI crawlers run by ChatGPT and Perplexity. The technique has been codenamed AI-targeted cloaking . The approach is a variation of search engine cloaking, which refers to the practice of presenting one version of a web page to users and a different version to search engine crawlers with the end goal of manipulating search rankings. The only difference in this case is that attackers optimize for AI crawlers from various providers by means of a trivial user agent check that leads to content delivery manipulation. "Because these systems rely on direct retrieval, whatever content is served to them becomes ground truth in AI Overviews, summaries, or autonom...

Artificial Intelligence (AI) is rapidly transforming Governance, Risk, and Compliance (GRC) . It's no longer a future concept—it's here, and it's already reshaping how teams operate. AI's capabilities are profound: it's speeding up audits, flagging critical risks faster, and drastically cutting down on time-consuming manual work. This leads to greater efficiency, higher accuracy, and a more proactive GRC function. However, this powerful shift introduces significant new challenges. AI brings its own set of risks, including potential bias, dangerous blind spots, and regulatory gaps that are only beginning to be addressed by governing bodies. Staying ahead of this curve—not just struggling to keep up—requires clear, practical knowledge. Don't Just Stay Afloat—Master the Change To help you navigate this complex landscape, we invite you to our free, high-impact webinar, " The Future of AI in GRC: Opportunities, Risks, and Practical Insights . " This se...

BeyondTrust's annual cybersecurity predictions point to a year where old defenses will fail quietly, and new attack vectors will surge. Introduction The next major breach won't be a phished password. It will be the result of a massive, unmanaged identity debt. This debt takes many forms: it's the "ghost" identity from a 2015 breach lurking in your IAM, the privilege sprawl from thousands of new AI agents bloating your attack surface , or the automated account poisoning that exploits weak identity verification in financial systems. All of these vectors—physical, digital, new, and old—are converging on one single point of failure: identity .  Based on analysis from BeyondTrust's cybersecurity experts, here are three critical identity-based threats that will define the coming year:  1. Agentic AI Emerges as the Ultimate Attack Vector By 2026, agentic AI will be connected to nearly every technology we operate, effectively becoming the new middleware for most organizations. ...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said . The npm packages were uploaded to the registry on July 4, 2025, and accumulated over 9,900 downloads collectively - deezcord.js dezcord.js dizcordjs etherdjs ethesjs ethetsjs nodemonjs react-router-dom.js typescriptjs zustand.js The multi-stage credential theft operation manifested in the form of various typosquatted packages impersonating popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react...

Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) and VulnCheck . The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. CVE-2025-6205 (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. CVE-2025-24893 (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection ) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 202...

A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack called TEE.Fail that allows for the extraction of secrets from the trusted execution environment (TEE) in a computer's main processor, including Intel's Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX) and AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding . The attack, at its core, involves the use of an interposition device built using off-the-shelf electronic equipment that costs under $1,000 and makes it possible to physically inspect all memory traffic inside a DDR5 server. "This allows us for the first time to extract cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including in some cases secret attestation keys from fully updated machines in trusted status," the researchers noted on an informational site. "Beyond breaking CPU-based TEEs, we...

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover ( DTO ) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell , it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_...

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire . According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff , which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima. Victims of the GhostCall campaign span several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, whereas Japan and Australia have been identified as the major hunting grounds for the GhostHire campaign. "GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims t...

In cybersecurity, speed isn't just a win — it's a multiplier. The faster you learn about emerging threats, the faster you adapt your defenses, the less damage you suffer, and the more confidently your business keeps scaling. Early threat detection isn't about preventing a breach someday: it's about protecting the revenue you're supposed to earn every day. Companies that treat cybersecurity as a reactive cost center usually find themselves patching holes, paying ransoms, and dealing with downtime. Companies that invest in proactive visibility, threat intelligence, and early detection mechanisms stay in the game longer. With trust, uptime, and innovation intact. Let's break down why this strategy directly connects to long-term business success: 1. Early detection drastically lowers the cost of incidents A breach caught at initial access might cost just internal response hours. Caught at data exfiltration — multiply the cost by 10, and a breach caught after regulatory violations kick...

The New Reality for Lean Security Teams If you're the first security or IT hire at a fast-growing startup, you've likely inherited a mandate that's both simple and maddeningly complex: secure the business without slowing it down. Most organizations using Google Workspace start with an environment built for collaboration, not resilience. Shared drives, permissive settings, and constant integrations make life easy for employees—and equally easy for attackers. The good news is that Google Workspace provides an excellent security foundation. The challenge lies in properly configuring it, maintaining visibility, and closing the blind spots that Google's native controls leave open. This article breaks down the key practices every security team—especially small, lean ones—should follow to harden Google Workspace and defend against modern cloud threats. 1. Lock Down the Basics Enforce Multi-Factor Authentication (MFA) MFA is the single most effective way to stop account compromise. In ...