The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The comfort zone in cybersecurity is gone. Attackers are scaling down, focusing tighter, and squeezing more value from fewer, high-impact targets. At the same time, defenders face growing blind spots — from spoofed messages to large-scale social engineering. This week's findings show how that shrinking margin of safety is redrawing the threat landscape. Here's what's making headlines. Hijack Loader expands its reach in Latin America LATAM Targeted by PureHVNC Phishing emails containing SVG file attachments targeting Colombian, Spanish-speaking individuals with themes relating to the Attorney General's office of Colombia have been used to deliver PureHVNC RAT . "The emails entice the user to download an 'official document' from the judicial information system, which starts the infection chain of executing a Hijack Loader executable that leads to the PureHVNC Remote Access Trojan (RAT)," IBM X-Force said . The activity w...

Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers' machines. The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs. Some of the packages have also been flagged by the DevSecOps company DCODX -  op-cli-installer (486 Downloads) unused-imports (1,350 Downloads) badgekit-api-client (483 Downloads) polyfill-corejs3 (475 Downloads) eslint-comments (936 Downloads) What makes the attack stand out is the attacker's pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case,...

Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai , Gafgyt , and Mozi . "These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks," the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News. The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS . This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below - CVE-2017-9841 - A Remote code execution vulnerability in PHPUnit CVE-2021-3129 - A Re...

Cybersecurity researchers have flagged a new security issue in agentic web browsers like OpenAI ChatGPT Atlas that exposes underlying artificial intelligence (AI) models to context poisoning attacks. In the attack devised by AI security company SPLX, a bad actor can set up websites that serve different content to browsers and AI crawlers run by ChatGPT and Perplexity. The technique has been codenamed AI-targeted cloaking . The approach is a variation of search engine cloaking, which refers to the practice of presenting one version of a web page to users and a different version to search engine crawlers with the end goal of manipulating search rankings. The only difference in this case is that attackers optimize for AI crawlers from various providers by means of a trivial user agent check that leads to content delivery manipulation. "Because these systems rely on direct retrieval, whatever content is served to them becomes ground truth in AI Overviews, summaries, or autonom...

Artificial Intelligence (AI) is rapidly transforming Governance, Risk, and Compliance (GRC) . It's no longer a future concept—it's here, and it's already reshaping how teams operate. AI's capabilities are profound: it's speeding up audits, flagging critical risks faster, and drastically cutting down on time-consuming manual work. This leads to greater efficiency, higher accuracy, and a more proactive GRC function. However, this powerful shift introduces significant new challenges. AI brings its own set of risks, including potential bias, dangerous blind spots, and regulatory gaps that are only beginning to be addressed by governing bodies. Staying ahead of this curve—not just struggling to keep up—requires clear, practical knowledge. Don't Just Stay Afloat—Master the Change To help you navigate this complex landscape, we invite you to our free, high-impact webinar, " The Future of AI in GRC: Opportunities, Risks, and Practical Insights . " This se...

BeyondTrust's annual cybersecurity predictions point to a year where old defenses will fail quietly, and new attack vectors will surge. Introduction The next major breach won't be a phished password. It will be the result of a massive, unmanaged identity debt. This debt takes many forms: it's the "ghost" identity from a 2015 breach lurking in your IAM, the privilege sprawl from thousands of new AI agents bloating your attack surface , or the automated account poisoning that exploits weak identity verification in financial systems. All of these vectors—physical, digital, new, and old—are converging on one single point of failure: identity .  Based on analysis from BeyondTrust's cybersecurity experts, here are three critical identity-based threats that will define the coming year:  1. Agentic AI Emerges as the Ultimate Attack Vector By 2026, agentic AI will be connected to nearly every technology we operate, effectively becoming the new middleware for most organizations. ...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said . The npm packages were uploaded to the registry on July 4, 2025, and accumulated over 9,900 downloads collectively - deezcord.js dezcord.js dizcordjs etherdjs ethesjs ethetsjs nodemonjs react-router-dom.js typescriptjs zustand.js The multi-stage credential theft operation manifested in the form of various typosquatted packages impersonating popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react...

Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) and VulnCheck . The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. CVE-2025-6205 (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. CVE-2025-24893 (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection ) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 202...

A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack called TEE.Fail that allows for the extraction of secrets from the trusted execution environment (TEE) in a computer's main processor, including Intel's Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX) and AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding . The attack, at its core, involves the use of an interposition device built using off-the-shelf electronic equipment that costs under $1,000 and makes it possible to physically inspect all memory traffic inside a DDR5 server. "This allows us for the first time to extract cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including in some cases secret attestation keys from fully updated machines in trusted status," the researchers noted on an informational site. "Beyond breaking CPU-based TEEs, we...

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover ( DTO ) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell , it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_...

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire . According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff , which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima. Victims of the GhostCall campaign span several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, whereas Japan and Australia have been identified as the major hunting grounds for the GhostHire campaign. "GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims t...

In cybersecurity, speed isn't just a win — it's a multiplier. The faster you learn about emerging threats, the faster you adapt your defenses, the less damage you suffer, and the more confidently your business keeps scaling. Early threat detection isn't about preventing a breach someday: it's about protecting the revenue you're supposed to earn every day. Companies that treat cybersecurity as a reactive cost center usually find themselves patching holes, paying ransoms, and dealing with downtime. Companies that invest in proactive visibility, threat intelligence, and early detection mechanisms stay in the game longer. With trust, uptime, and innovation intact. Let's break down why this strategy directly connects to long-term business success: 1. Early detection drastically lowers the cost of incidents A breach caught at initial access might cost just internal response hours. Caught at data exfiltration — multiply the cost by 10, and a breach caught after regulatory violations kick...

The New Reality for Lean Security Teams If you're the first security or IT hire at a fast-growing startup, you've likely inherited a mandate that's both simple and maddeningly complex: secure the business without slowing it down. Most organizations using Google Workspace start with an environment built for collaboration, not resilience. Shared drives, permissive settings, and constant integrations make life easy for employees—and equally easy for attackers. The good news is that Google Workspace provides an excellent security foundation. The challenge lies in properly configuring it, maintaining visibility, and closing the blind spots that Google's native controls leave open. This article breaks down the key practices every security team—especially small, lean ones—should follow to harden Google Workspace and defend against modern cloud threats. 1. Lock Down the Basics Enforce Multi-Factor Authentication (MFA) MFA is the single most effective way to stop account compromise. In ...

The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky. The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), a case of sandbox escape which the company disclosed in March 2025 as having come under active exploitation as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is also tracked as TaxOff/Team 46 by  Positive Technologies , Dante APT by F6, and  Prosperous Werewolf by BI.ZONE. It's known to be active since at least February 2024. The wave of infections involved sending phishing emails containing personalized, short-lived links inviting recipients to the Primakov Readings forum. Clicking the links through Google Chrome or a Chromium-based web browser was enough to trigger an exploit for CVE-2025-2783, enabling the attackers t...

A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity "reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce -based infection chain, in addition to their previously documented Microsoft Word exploit vectors," Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week. The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts. While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver addi...

Social media platform X is urging users who have enrolled for two-factor authentication (2FA) using passkeys and hardware security keys like Yubikeys to re-enroll their key to ensure continued access to the service. To that end, users are being asked to complete the re-enrollment , either using their existing security key or enrolling a new one, by November 10, 2025. "After November 10, if you haven't re-enrolled a security key, your account will be locked until you: re-enroll; choose a different 2FA method; or elect not to use 2FA (but we always recommend you use 2FA to protect your account!)," the company's Safety handle wrote in a post on X. The move is part of the company's efforts to formally retire the twitter[.]com domain. Twitter, which was acquired by SpaceX and Tesla CEO Elon Musk in October 2022, was rebranded to X in July 2023. In a follow-up post, X noted that the change does not apply to users who have enrolled for 2FA using other methods, such...

Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code. "This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery ( CSRF ) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes. Memory, first introduced by OpenAI in February 2024, is...

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here's how that false sense of security was broken again this week. ⚡ Threat of the Week Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .N...

The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups , accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors. Attacks mounted by Qilin affiliates have likely leveraged leaked administrative credentials on the dark web for initial access using a VPN interface, followed by performing RDP connections to th...