Latest News

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1

Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data. "Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

### Overview A flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x. ### Details The vulnerability affects the creation of exception messages like: ``` JsonParseException: Unexpected character ... at [Source: (byte[])...] ``` When `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`. If the buffer contains residual sensitive data from a previous request, such a...

### Impact On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. For example, given this schema: ``` definition user {} definition office { relation parent: office relation manager: user permission read = manager + parent->read } definition group { relation parent: office permission read = parent->read } definition document { relation owner: group with equals permission read = owner->read } caveat equals(actual string, required string) { actual == required } ``` and these relationships: ``` office:headoffice#manager@user:maria office:branch1#parent@office:headoffice group:admins#parent@office:branch1 group:managers#parent@office:headoffice document:budget#owner@group:admins[equals:{"required":"admin"}] document:budget#owner@group:managers[equals:{"required":"manager"}] ``` P...

### Summary A **Denial of Service (DoS)** vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. ### Impact - **Component**: `server_quic.go` - **Attack Vector**: Remote, network-based - **Attack Complexity**: Low - **Privileges Required**: None - **User Interaction**: None - **Impact**: High availability loss (OOM kill or unresponsiveness) This issue affects deployments with `quic://` enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU. ### Patches The patch introduces two key mitigation m...

Several widespread ClickFix campaigns are underway, bent on delivering malware to business targets, and they represent a new level of phishing sophistication that defenders need to be prepared for, researchers warn.