Security
Headlines
HeadlinesLatestCVEs

Latest News

M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…

HackRead
#web#mac#auth
Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.

Ripple's xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack

The Ripple cryptocurrency npm JavaScript library named xrpl.js has been compromised by unknown threat actors as part of a software supply chain attack designed to harvest and exfiltrate users' private keys. The malicious activity has been found to affect five different versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. The issue has been addressed in versions 4.2.5 and 2.14.3.

The Tech That Safeguards the Conclave’s Secrecy

Following the death of Pope Francis, the Vatican is preparing to organize a new conclave in less than 20 days. This is how they’ll tamp down on leaks.

Google Drops Cookie Prompt in Chrome, Adds IP Protection to Incognito

Google on Tuesday revealed that it will no longer offer a standalone prompt for third-party cookies in its Chrome browser as part of its Privacy Sandbox initiative. "We've made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies," Anthony Chavez, vice president of Privacy

GHSA-ggpf-24jw-3fcw: CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0

## Description https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify `weights_only=True` to calls to `torch.load()` did not solve the problem prior to PyTorch 2.6.0. PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6 This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem. ## Background Knowledge When users install VLLM according to the official manual ![image](https://github.com/user-attachments/assets/d17e0bdb-26f2-46d6-adf6-0b17e5ddf5c7) But the version of PyTorch is specified in the requirements. txt file ![image](https://github.com/user-attachments/assets/94aad622-ad6d-4741-b772-c342727c58c7) So by default when the user install VLLM, it will install the PyTorch with version 2.5.1 ![image](https://github.com/user-attachments/assets/04ff31b0-a...

GHSA-fpx3-h2pc-88vf: Laravel Starter Cross Site Scripting (XSS)

Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field.

Fake Alpine Quest Mapping App Spotted Spying on Russian Military

Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data,…

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat

April “In the Trend of VM” (#14): vulnerabilities in Microsoft Windows, VMware products, Kubernetes, and Apache Tomcat. We decided to pause recording new videos, so for now only text. 🤷‍♂️🙂 🗞 Post on Habr (rus)🗒 Digest on the PT website (rus) A total of 11 trending vulnerabilities: 🔻 Elevation of Privilege – Windows Cloud Files […]

GHSA-33qr-m49q-rxfx: Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2

### Impact Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems. Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions. ### Patches Upgrade to version 4.2.5 or 2.14.3. ### Required Actions To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys: The XRP Ledger supports key rotation: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair If any account's master key is potentially compromised, you should disable it: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair ### References https://www.aikido.dev/blog/xrp-...