The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

In what's an act of deliberate sabotage, the developer behind the popular "node-ipc" NPM package shipped a new tampered version to condemn Russia's invasion of Ukraine, raising concerns about security in the open-source and the  software supply chain . Affecting versions 10.1.1 and 10.1.2 of the library, the alterations introduced by its maintainer RIAEvangelist brought about undesirable behavior by targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing them with a heart emoji. Node-ipc is a prominent  node module  used for local and remote inter-process communication ( IPC ) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads. "A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus," Synk researcher Liran Tal  said  ...

The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g.,  EternalBlue  and  Hot Potato  Windows privilege escalation," Avast researcher Martin Chlumecký  said  in a report published Wednesday. "One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords." Active since 2016, the  DirtyMoe botnet  is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like  Purple Fox  or injected installers of Telegram Messenger. Also employed as part of the attack sequence is a DirtyMoe service that triggers the launch of two additional p...

As a CSIRT consultant, I cannot overemphasize the importance of effectively managing the first hour in a critical incident. Finding out what to do is often a daunting task in a critical incident. In addition, the feeling of uneasiness often prevents an incident response analyst from making effective decisions. However, keeping a cool head and actions planned out is crucial in successfully handling a security incident. This blog will elaborate on some key points to help readers facilitate better incident response procedures. Preparation is essential Before taking on any incidents, security analysts would need to know a great deal of information. To start off, incident response analysts need to familiarize themselves with their roles and responsibilities. IT infrastructure has evolved rapidly over the past years. For example, we observed increasing movement to cloud computing and data storage. The fast-changing IT environment frequently requires analysts to update their skill sets, ...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC)  said . TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware. The expansion to TrickBot's capabilities comes amid reports of its  infrastructure goin...

The Security Service of Ukraine (SBU) said it has detained a "hacker" who offered technical assistance to the invading Russian troops by providing mobile communication services inside the Ukrainian territory. The anonymous suspect is said to have broadcasted text messages to Ukrainian officials, including security officers and civil servants, proposing that they surrender and take the side of Russia. The individual has also been accused of routing phone calls from Russia to the mobile phones of Russian troops in Ukraine. "Up to a thousand calls were made through this hacker in one day. Many of them are from the top leadership of the enemy army," the SBU  alleged , adding it confiscated the equipment that was used to pull off the operation. Besides implicating the hacker for helping Russia make anonymous phone calls to its military forces based in Ukraine, the agency said the hacker passed commands and instructions to different groups of "Russian invaders....

A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called  cr8escape  could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," CrowdStrike researchers John Walker and Manoj Ahuje  said  in an analysis published this week. A lightweight alternative to Docker,  CRI-O  is a  container runtime  implementation of the Kubernetes Container Runtime Interface (CRI) that's used to pull container images from registries and launch an Open Container Initiative ( OCI )-compatible runtime such as runC to spawn and run container processes. The vulnerability is rated 8.8 on the CVSS vulnerability scoring system and affects CRI-O versions 1.19 and later. Following responsible disclosure, patches have been r...

A previously undocumented backdoor has been observed targeting Linux systems with the goal of corralling the machines into a botnet and acting as a conduit for downloading and installing rootkits. Qihoo 360's Netlab security team called it  B1txor20  "based on its propagation using the file name 'b1t,' the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes." First observed propagating through the  Log4j vulnerability  on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control (C2) servers by encoding data in DNS queries and responses. B1txor20, while also buggy in some ways, currently supports the ability to obtain a shell, execute arbitrary commands, install a rootkit, open a  SOCKS5 proxy , and functions to upload sensitive information back to the C2 server. Once a machine is successfully compromised, the malware utilizes the DNS tunnel to retrieve and execute ...

The maintainers of OpenSSL have  shipped patches  to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates. Tracked as  CVE-2022-0778  (CVSS score: 7.5), the issue stems from parsing a malformed certificate with invalid explicit  elliptic-curve  parameters, resulting in what's called an "infinite loop." The flaw resides in a function called BN_mod_sqrt() that's used to compute the modular square root. "Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022. "The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters." While there is no evidence that the vulnerability has been exploited in the w...