-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

The Hacker News | #1 Trusted Source for Cybersecurity News

Critical NGINX Vulnerability Can Crash Workers and May Allow Remote Code Execution

Critical NGINX Vulnerability Can Crash Workers and May Allow Remote Code Execution

Jul 19, 2026 Vulnerability / Server Security
F5 has shipped fixes for a critical nginx flaw that lets a remote, unauthenticated attacker trigger a heap buffer overflow in the worker process with crafted HTTP requests. CVE-2026-42533 was patched on July 15 in nginx 1.30.4 (stable) and 1.31.3 (mainline) , and in NGINX Plus 37.0.3.1; anyone on an earlier build should upgrade. Triggering it can crash or restart the worker, causing a denial of service; where ASLR is disabled or can be bypassed, F5 says it may also allow remote code execution. The overflow lives in nginx's script engine, the code that assembles strings from directives at request time. It only surfaces under a specific configuration: a regex-based map whose output variable is referenced in a string expression after a capture from an earlier regex match. Under that pattern the engine's two-pass evaluation comes apart. The first pass measures how many bytes the result needs and allocates a buffer to fit; the second pass writes the bytes in. Both read the ...
UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

Jul 19, 2026 Malware / Cyber Warfare
Russian state-sponsored threat actors have been observed leveraging the infamous ClickFix strategy to trick Ukrainian targets into infecting their own machines with data-stealing malware. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity has been attributed to UAC-0145 , a sub-cluster within Sandworm , an advanced hacking unit affiliated with GRU, Russia's primary foreign military intelligence agency. In these attacks, threat actors have been found to leverage fake CAPTCHA checks on compromised websites that instruct prospective targets to execute a PowerShell command in the terminal. "The mentioned command, as an example, could be intended for downloading and saving a VBS file in the Startup autorun directory; one of the variants of such a program was called GHETTOVIBE," CERT-UA said in an alert. The attacks also involve the use of SCOUTCURL, a PowerShell script that performs basic reconnaissance by harvesting details about t...
SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

Jul 19, 2026 Vulnerability / Network Security
A previously undocumented threat actor has been attributed to the exploitation of recently disclosed SonicWall Secure Mobile Access (SMA) 1000 series VPN appliances as zero-days prior their public disclosure since June 22, 2026. Cybersecurity company Volexity is tracking the activity under the moniker UTA0533 . The discovery was made following an incident response investigation earlier this month. The impacted organization has not been identified. "This threat actor was observed using multiple zero-day exploits, malware designed specifically for SonicWall SMA VPN appliances, as well as other attacker tradecraft," security researchers Sean Koessel and Steven Adair said in an analysis. The vulnerabilities in question are CVE-2026-15409 (CVSS score: 10.0) and CVE-2026-15410 (CVSS score: 7.2), both of which could be chained to facilitate arbitrary command execution and take over susceptible devices. Patches for both the vulnerabilities were released by SonicWall this wee...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Jul 17, 2026 Vulnerability / Web Security
Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. wp2shell is two bugs, not one, and both now carry CVE IDs. CVE-2026-63030 is the REST API batch-route confusion; CVE-2026-60137 is a SQL injection in WordPress core. Chained, they take an anonymous request all the way to code execution. Since Friday, the full mechanism has been published, and a working proof-of-concept has gone up on GitHub. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the batch-route bug and reported it throug...
OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

Jul 17, 2026 Vulnerability / Server Security
Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the details on Thursday. The fixed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 , all dated June 9. Every release on those branches before the fixed ones has it. Nothing in a normal patch pipeline will point you at them: there is no identifier for a scanner to match and no advisory to read. The flaw is that OpenSSL took the attacker's word for it. Every TLS handshake message carries a 4-byte header, three bytes of which declare how long the body will be. Older versions grew the receive buffer to that declared size the moment the header landed, before a single byte of the bo...
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

Jul 17, 2026 Software Supply Chain / Malware
Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil , which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. "This tactic makes disabling or destroying the C2 infrastructure extremely difficult," Checkmarx researcher Pavan Gudimalla said in an analysis published last month. The activity has been attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated. While the typosquats pub...
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

Jul 17, 2026 Botnet / AI Security
A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama , n8n , Open WebUI , Langflow , and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter shows 47 credential hauls and 41 model inventories in its last 100 records. Those inventories carry DeepSeek, GLM, and Kimi identifiers tagged :cloud, which suggests that what the bots catalogue reaches past the box itself. QiAnXin's XLab published a report on Friday, named the malware after the "n4d mesh controller" string in its source, and screenshotted the panel. The figures on it are the operator's own, captured July 10, and they do not agree with each other. A counter reading 17,700 total deploys sits above a funnel claiming 95,700 in the past 24 hours. On...
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

Jul 17, 2026 Malware / Threat Intelligence
Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine . Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software. It's known to be active since at least 2015. "In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers," Expel security researcher Aaron Walton said in an analysis. "This attack highlighted the capability of the malware and operators." Central to the threat actor's operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) w...
Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

Jul 17, 2026 Social Engineering / Malware
North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. "Any user who ran the project ended up with a four-stage payload aligned with OtterCookie: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer," Elastic Security Labs said in a report shared with The Hacker News. The findings once again highlight the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK) with an aim to steal sensitive data and plunder cryptocurrency wallets. The activity is being tracked under the moniker REF9403. The cybersecurity arm of the Dutch enterprise search and observability platform said it discovered the campaign after the threat actors targeted membe...
E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants

E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants

Jul 17, 2026 Regulation / Artificial Intelligence
The European Commission on Thursday ordered Google to give rival AI assistants the same reach into Android that Gemini already has: the camera, the microphone, whatever is on screen, a wake word that fires with the display off, and the ability to drive other apps in the background by imitating taps and typing. Google has to ship it in the next major release, Android 18, and by 1 August 2027 at the latest. That is one of two binding specification decisions adopted on 16 July under the Digital Markets Act, six months after the Commission opened proceedings on 27 January. The second makes Google hand anonymised Search query, click, and ranking data to rival search engines, and to AI chatbots that do search, for a cost-based fee. Neither is a fine. Specification proceedings only say what a gatekeeper has to build; the Commission's separate power to open a non-compliance case , fines included, is untouched. Android carries around 60% of European mobile users. Five features g...
The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace?

The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace?

Jul 17, 2026 National Security / Artificial Intelligence
Military forces are under increasing pressure to field autonomous capabilities faster than ever before. Across the U.S., UK, and NATO, new investment, evolving defense strategies, and accelerated acquisition pathways are transforming how capability is delivered, rewarding programs that can move from concept to operational deployment at commercial speed. Now the focus shifts to the trusted information infrastructure that allows them to operate together at mission speed. As autonomous aircraft, uncrewed maritime vessels, ground systems, satellites and AI-enabled mission applications become increasingly connected, so too does the information that powers them. Telemetry, ISR, command data, AI outputs, sensor-to-shooter workflows and coalition intelligence all need to move seamlessly across platforms, domains, and partners. The future force won't be defined by autonomous systems alone, it will be defined by the trusted information infrastructure that connects them. Defense Has ...
Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

Jul 17, 2026 Ransomware / Law Enforcement
Armenia has held a Russian tourist named Aleksandr Ermakov in a detention center since June 28, on a U.S. extradition request for a REvil ransomware suspect named Aleksandr Ermakov. His wife, Maria Yurova, told REN TV that border officers pulled him out of the departure hall at Yerevan's Zvartnots airport, held up a phone with a photo of him off his VKontakte page, and walked him into a side room. His lawyers say Washington has the wrong man. The Ermakov the U.S. wants is Aleksandr Gennadievich Ermakov , sanctioned by Australia, the US, and the UK in January 2024 for stealing 9.7 million records from Medibank Private , one of Australia's largest private health insurers, and dumping some on the dark web. He is also serving a two-year Russian sentence that bars him from leaving the country, according to TASS and to case files two Russian outlets say they have read. The man in the Armenian cell, his lawyers say, is Aleksandr Yuryevich Ermakov , from Omsk, a former priso...
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

Jul 17, 2026 Malware / Windows Security
ACR Stealer , an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the company's managed detection arm, had watched ACR Stealer activity climb across customer environments from late April to mid-June, and says the campaigns are "successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents." Both chains open with the same prompt, then split: one leaves traces on disk, the other runs almost entirely in memory. Microsoft's remediation guidance tells victims to revoke tokens, not just rotate passwords. A payload in the pixels The prompt likely arrives through malvertising or SEO-manipulated...
New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Jul 17, 2026 Cyber Espionage / Threat Intelligence
Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in the region. GoSerpent is designed to contact an external server and deploy secondary payloads on sensitive data collection and credential dumping on the system. "Monitoring the activities of this threat actor revealed that in May 2026 they came back with an evolved set of malicious tools: new Stowaway RAT and proxy tool which resembled the initial malware as well as an additional stealthy tool to exfiltrate sensitive data collected for the previous few months through network share," security researcher Noushin Shabab said . The end goal of these efforts is to harvest sensitive fi...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources