The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Every October brings a familiar rhythm - pumpkin-spice everything in stores and cafés, alongside a wave of reminders, webinars, and checklists in my inbox. Halloween may be just around the corner, yet for those of us in cybersecurity, Security Awareness Month is the true seasonal milestone. Make no mistake, as a security professional, I love this month. Launched by CISA and the National Cybersecurity Alliance back in 2004, it's designed to make security a shared responsibility. It helps regular citizens, businesses, and public agencies build safer digital habits. And it works. It draws attention to risk in its many forms, sparks conversations that otherwise might not happen, and helps employees recognize their personal stake in and influence over the organization's security.  Security Awareness Month initiatives boost confidence, sharpen instincts, and keep security at the front of everyone's mind... until the winter holiday season decorations start to go up, that is. After th...

Chipmaker AMD has released fixes to address a security flaw dubbed RMPocalypse that could be exploited to undermine confidential computing guarantees provided by Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ). The attack , per ETH Zürich researchers Benedict Schlüter and Shweta Shinde, exploits AMD's incomplete protections that make it possible to perform a single memory write to the Reverse Map Paging (RMP) table, a data structure that's used to store security metadata for all DRAM pages in the system. "The Reverse Map Table (RMP) is a structure that resides in DRAM and maps system physical addresses (sPAs) to guest physical addresses (gPAs)," according to AMD's specification documentation . "There is only one RMP for the entire system, which is configured using x86 model-specific registers (MSRs)." "The RMP also contains various security attributes of each that are managed by the hypervisor through hardware-mediated and...

Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users' knowledge pixel-by-pixel. The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of Washington, University of California (San Diego), and Carnegie Mellon University. Pixnapping, at its core, is a pixel-stealing framework aimed at Android devices in a manner that bypasses browser mitigations and even siphons data from non-browser apps like Google Authenticator by taking advantage of Android APIs and a hardware side-channel, allowing a malicious app to weaponize the technique to capture 2FA codes in under 30 seconds. "Our key observation is that Android APIs enable an attacker to create an analog to [Paul] Stone-style attacks outside of the browser," the researchers...

Before an attacker ever sends a payload, they've already done the work of understanding how your environment is built. They look at your login flows, your JavaScript files, your error messages, your API documentation, your GitHub repos. These are all clues that help them understand how your systems behave. AI is significantly accelerating reconnaissance and enabling attackers to map your environment with greater speed and precision. While the narrative often paints AI as running the show, we're not seeing AI take over offensive operations end to end. AI is not autonomously writing exploits, chaining attacks, and breaching systems without the human in the loop. What it is doing is speeding up the early and middle stages of the attacker workflow: gathering information, enriching it, and generating plausible paths to execution.  Think of it like AI-generated writing; AI can produce a draft quickly given the right parameters, but someone still needs to review, refine, and tune it f...

Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks. Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL." The software supply chain security company said it identified a number of packages that use Discord webhooks in various ways - mysql-dumpdiscord (npm), which siphons the contents of developer configuration files like config.json, .env, ayarlar.js, and ayarlar.json to a Discord webhook nodejs.discord (npm...

Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns. The Proofpoint Threat Research Team described the threat activity cluster as sophisticated, leveraging web injections and filtering checks as part of its attack chains. "TA585 is notable because it appears to own its entire attack chain with multiple delivery techniques," researchers Kyle Cucci, Tommy Madjar, and Selena Larson said . "Instead of leveraging other threat actors – like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system – TA585 manages its own infrastructure, delivery, and malware installation." MonsterV2 is a remote access trojan (RAT), stealer, and loader, which Proofpoint first observed being advertised on criminal forums in February 2025. It's worth noting that MonsterV2 is also calle...

Every week, the cyber world reminds us that silence doesn't mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week's edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly. ⚡ Threat of the Week Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashio...

Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing. With the 2025 shopping season weeks away, visibility gaps must close now. Get the complete Holiday Season Security Playbook here . Bottom Line Up Front The 2024 holiday season saw major attacks on website code: the Polyfill.io breach hit 500,000+ websites, and September's Cisco Magecart attack targeted holiday shoppers. These attacks exploited third-party code and online store weaknesses during peak shopping, when attacks jumped 690% . For 2025: What security steps and monitoring should online retailers take now to prevent similar attacks while still using the third-party tools they need? As holiday shopping traffic increases, companies strengthen their servers and networks, but a critical weak spot remains unwatched: the browser environment where malicious code r...

Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors. The activity, described as akin to an "exploit shotgun" approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro. The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389 , a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022. RondoDox was first documented by Fortinet FortiGuard Labs back in July 2025, detailing attacks aimed at TBK digital video recorders (DVRs) and Four-Faith routers to enlist them in a botnet for carrying out distributed denial-of-service (DDoS) attacks agains...

Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices. "Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer's JavaScript engine (Chakra) to gain access to victim devices," the Microsoft Browser Vulnerability Research team said in a report published last week. In the attack chain documented by the Windows maker, the threat actors have been found to trick unsuspecting users into visiting an seemingly legitimate website and then employ a flyout on the page to instruct them into reloading the page in IE mode. Once the page is reloaded, the attackers are said to have weaponized an unspecified exploit in the Chakra engine to obtain remote code execution. The infection sequence culminates w...

Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns. "Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations," McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report. "When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running." The activity, per the cybersecurity company, is primarily focused on Brazil, although the banking malware is known to target various countries in Latin America, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. This is not the first time Astaroth campaigns have trained t...

Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. "Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, 'serviceaccount,'" eSentire said in a technical report published last week. "Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot." The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer's environment. ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker "chaos_00019" and is responsible for issuin...

Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data. The vulnerability, tracked as CVE-2025-61884 , carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14. "Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator," according to a description of the flaw in the NIST's National Vulnerability Database (NVD). "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data." In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild. Oracle's Chi...

Cybersecurity company Huntress on Friday warned of "widespread compromise" of SonicWall SSL VPN devices to access multiple customer environments. "Threat actors are authenticating into multiple accounts rapidly across compromised devices," it said . "The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing." A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73. The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access...

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware. The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that's susceptible to a privilege escalation vulnerability ( CVE-2025-6264 ) to enable arbitrary command execution and endpoint takeover, per Cisco Talos . In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely...

Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js' Single Executable Application (SEA) feature as a way to distribute its payloads. According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It's assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord. SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed. "Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies," security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News. On a dedicated website, the...

A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. "Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday," the Microsoft Threat Intelligence team said in a report. However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates , were previously highlighted by Silent Push, Malwarebytes, and Hunt.io. What makes the attacks notable is that they don't exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protect...

Fortra on Thursday revealed the results of its investigation into CVE-2025-10035 , a critical security flaw in GoAnywhere Managed File Transfer (MFT) that's assessed to have come under active exploitation since at least September 11, 2025. The company said it began its investigation on September 11 following a "potential vulnerability" reported by a customer, uncovering "potentially suspicious activity" related to the flaw.  That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15. Three days later, a CVE for the vulnerability was formally published, it added. "The scope of the risk of this...

The SOC of 2026 will no longer be a human-only battlefield. As organizations scale and threats evolve in sophistication and velocity, a new generation of AI-powered agents is reshaping how Security Operations Centers (SOCs) detect, respond, and adapt. But not all AI SOC platforms are created equal. From prompt-dependent copilots to autonomous, multi-agent systems, the current market offers everything from smart assistants to force-multiplying automation. While adoption is still early— estimated at 1–5% penetration according to Gartner —the shift is undeniable. SOC teams must now ask a fundamental question: What type of AI belongs in my security stack? The Limits of Traditional SOC Automation Despite promises from legacy SOAR platforms and rule-based SIEM enhancements, many security leaders still face the same core challenges: Analyst alert fatigue from redundant low-fidelity triage tasks Manual context correlation across disparate tools and logs Disjointed and static detect...

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. "While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said . The packages have been found to use npm's public registry and unpkg.com's CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety's Paul McCarty late last month. Specificall...