-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

Jul 13, 2026 Cybersecurity / Hacking
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don't file tickets. That's the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too long. Fake installers, poisoned packages, systems left facing the open internet, and helpful little AI assistants running instructions that were never yours. The gap between "patch exists" and "already exploited" keeps shrinking, and nobody's closing it. None of it is exotic. That's what wears you down. Same ordinary mistakes, just happening faster than we can keep up. Here's the full mess, top to bottom. ⚡ Threat of the Week Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers — Progress urged customers to shut down Win...
New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

Jul 13, 2026 AI Security / Data Integrity
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack  stealth memory injection  and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell,"  landed on arXiv on 6 July 2026 . First, what these assistants do A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you. Many of these agents can also act for you, readin...
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Jul 13, 2026 Email Security / Artificial Intelligence
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing , adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing lures that make use of legitimate email delivery infrastructure, such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid, to imitate a redirection chain that blends into regular email traffic before it ends in Forg365-controlled domains. "The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support," ZeroBAC said . The email securi...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling

Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling

Jul 13, 2026 Artificial Intelligence / Privacy
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would check in only at set times. None of these ships in a product today, and Meta has not announced one; a filing like this stakes a claim on an idea long before anyone commits to building it. The application,  US 2026/0182881 , was filed by Meta Platforms in December 2025 and published on July 2. It names a single inventor, Lachlan Dunn , and traces back to a provisional filing from December 2024. The patent-analysis site  Patentlyze  flagged the filing first. Its title pairs two ideas, emotional state analysis and real-time fitness coaching. The claims show the first is the ...
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots

Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots

Jul 13, 2026 Artificial Intelligence / Security Operations
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest. On the flight home, I picked up a book I had not touched in a few years. Daniel Kahneman's Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond ...
Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Jul 13, 2026 Artificial Intelligence / Threat Intelligence
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. "The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt," Huntress researchers Jevon Ang and Dray Agha said . The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the "C:\ProgramData\" folder. The incident took place in early June 2026. This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered cod...
Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

Jul 13, 2026 Identity Security / Threat Intelligence
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it:  python3 -m http.server 8080 , was still sitting in the readable  .bash_history . From that one lapse, French security firm  Lexfo  lifted the operator's entire toolkit and pivoted through it to two more phishing operators, three campaigns in all. Each ran a custom fork of the open-source Evilginx proxy , cloned from public GitHub. The largest of the three had been running for more than a year, its victims overwhelmingly corporate mailboxes. The three got past MFA in two mechanically different ways, one by proxying the live login , one by abusing a legitimate Microsoft sign-in flow. The two need different defenses, which is the part that matters most if you run Microsoft 365. Directory listing on a working attack server is close to a full confession. The listing exposed phishing conf...
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

Jul 13, 2026 Vulnerability / Web Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939 - A vulnerability in the iCagenda extension for Joomla that allows the upload of arbitrary files via the file attachment feature, leading to PHP code upload and execution. CVE-2026-56291 - A vulnerability in the Balbooa Forms extension for Joomla that allows the upload of arbitrary files, leading to remote code execution. According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 is said to have been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. It resides in the "Submit an...
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

Jul 11, 2026 Software Supply Chain / Malware
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release  six minutes after it was published . If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had. None of this is in the prior release, 8.13.0.  The package diff  shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but a roughly 7.8MB container packing three gzip-compressed native binaries, one each for Linux, Windows, and macOS. On install, setup.js picks the binary for the host operating system, writes it under a random name in the system temp directory...
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

Jul 11, 2026 Threat Intelligence / Cyber Espionage
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week. The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. The China-nexus threat actor is also said to have compromised one of these web applications to deploy a custom implant masquerading as a portal update. The application in question, named Complaint Management System (CMS), serves pol...
Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

Jul 11, 2026 Vulnerability / Email Security
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened," Zimbra said . "If exploited, it could allow access to mailbox information, session data, or account settings." XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. This allows attackers to inject and execute malicious JavaScript in victims' browsers, which can result in session hijacking, credential theft, and account compromise. Stored XSS, or persistent ...
URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

Jul 10, 2026 Enterprise Security / Security Incident
Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security experts. It says it has no indication of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat. What Progress has not said is what the threat is or who is behind it. The order became public when a customer posted the company's email to Reddit's  r/sysadmin  on July 10. Progress  confirmed the disruption on its status page, listing Storage Zone Controller customers as "not operational" and the incident as under investigation as of a 12:12 p.m. EDT update. Only the Storage Zone Controller is af...
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Jul 10, 2026 Software Supply Chain / Malware
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21 , came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was released on July 8, 2026, but has since been deprecated on the registry. That said, the release artifacts belonging to the compromised version are still available for download from GitHub as of writing. "The malicious functionality was introduced to the project's official GitHub repository through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository," Socket said . The software supply chain security firm said the threat actor behind the attack also published version 1.20.21 across 17 additional @inj...
Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

Jul 10, 2026 Firmware Security / Vulnerability
Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device has confirmed that the software is genuine. That last part is the point. A bootloader runs before the operating system, so a flaw here can undermine everything that loads after it. All six bugs are reached while U-Boot is still reading an untrusted image, before it has checked the signature. What Binarly found U-Boot can bundle a kernel, device tree, ramdisk, and other boot components into one package, a FIT (Flattened Image Tree), and it checks that package's digital signature before handing over control. Binarly went looking for weak spots in that check and found six. Most of the vulner...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources