Security
Headlines
HeadlinesLatestCVEs

Latest News

FBI Flags Quishing Attacks From North Korean APT

A state-sponsored threat group tracked as "Kimsuky" sent QR-code-filled phishing emails to US and foreign government agencies, NGOs, and academic institutions.

DARKReading
Open in Source
GoFundMe Ignores Own Rules by Hosting a Legal-Defense Fund for the ICE Agent Who Killed Renee Good

The fundraiser for the ICE agent in the Renee Good killing has stayed online in seeming breach of GoFundMe’s own terms of service, prompting questions about selective enforcement.

Wired
Open in Source
#auth
5 Best Secure Container Images for Modern Applications (2026)

Secure container images are now essential for modern apps. These five options help teams reduce risk, cut patching effort, and improve long-term security.

GHSA-9rp8-h4g8-8766: Weblate wlc has insecure API key configuration

### Impact Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server. ### Patches * https://github.com/WeblateOrg/wlc/pull/1098 ### Workarounds Remove unscoped `key` from wlc configuration. Only use URL-scoped keys in the `[keys]` sections. ### References This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.

Fake Employee Reports Spread Guloader and Remcos RAT Malware

Scammers are using fake October 2025 performance reviews to trick staff into installing Guloader and Remcos RAT malware. Learn how to identify this threat and protect your personal data from remote hackers.

Cybersecurity in the Public Sector: Challenges, Strategies and Best Practices

Public sector cybersecurity faces outdated systems, budget gaps, and rising attacks. Learn key challenges, defense strategies, and proven best practices.

n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials. One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then

GHSA-2mmv-7rrp-g8xh: Weblate command-line client susceptible to SSL verification skip

### Impact The SSL verification would be skipped for some crafted URLs. ### Patches * https://github.com/WeblateOrg/wlc/pull/1097 ### Workarounds Avoid using untrusted wlc configurations, as that might cause insecure connections. ### References This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.

GHSA-2mq9-hm29-8qch: Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field

### Prologue These vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually. ### Summary A persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the `templates/base.html` template. Because the application exposes an API token endpoint (`/api/current-user/token`) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access. This vulnerability is of critical severity due to the broad impact, minimal requirements for exploitation (authenticated user), and the ability to escalate privileges to full accoun...