New data shows hackers targeted UK water systems five times since 2024, raising concerns about critical infrastructure defenses worldwide.

Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk.

Recorded Future News sent a request to the UK’s Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the country’s water system. Using freedom of information laws, the site discovered five incidents that had taken place since January 1, 2024.

**A steady stream of water attacks**

These aren’t the first attacks on UK water systems. In August 2022, the Clop ransomware gang hit South Staffordshire Water, thinking that it was actually Thames Water. The attack focused on stealing customer data, meaning water supplies weren’t disrupted, although corporate systems were affected.

In late 2023, pro-Iranian hackers disrupted water supplies in County Mayo, Ireland. The intruders, known as the Cyber Av2ngers group, caused outages across 160 homes for two days. The attack was politically motivated by the utility’s apparent use of an Israeli-made tool.

These are far from the only attacks on water systems around the world. In February last year, CISA warned that a Chinese state-sponsored group had spent nine months moving laterally through a US water facility.

In that incident, attackers gained access using an administrator’s login and spent months inside the infrastructure, nosing around databases and other assets. CISA linked the intrusion to Volt Typhoon—a group that also targeted telecommunications companies around the world. The attackers were described as “OT adjacent,” meaning they had reached administrative systems close enough to potentially impact the operational technology that controls water flow.

The attacks keep coming. Just last month, the Canadian Centre for Cybersecurity reported an attack on a municipal water facility. Hacktivists managed to alter water pressure, causing “degraded service” for the local community.

It’s always worrying when attackers target critical national infrastructure. When attackers hit Colonial Pipeline in 2021, they only compromised its administrative network (the part that handles paperwork). But the company was spooked enough that it shut down its fuel distribution systems too, as a protective measure, causing gasoline prices to spike across the US East Coast.

**A possible legal shake-up**

Many attacks on water systems might go unreported, depending on where they happen. The UK’s Network and Information Systems (NIS) regulations dictate that critical national infrastructure organizations should reveal cyber attacks to the public. However, that only applies if those attacks caused disruption.

That’s why the attacks uncovered by Recorded Future haven’t been made public until now. While worrying, they didn’t affect the UK’s water supply. A 2022 review of the NIS regulations criticized this limited disclosure, noting that attacks with the potential to disrupt services often went unreported.

Although the attacks reported to Recorded Future were voluntarily disclosed by the DWI by suppliers, upcoming legal changes could lower the bar for mandatory reporting. The UK’s proposed Cyber Security and Resilience Bill would expand disclosure requirements, increasing transparency about attacks that could affect the water supply. The Bill is expected to reach Parliament in 2025—though time is running short.

**A resource under pressure**

Water is under considerable threat already in the UK, with major droughts declared this year. The Met Office reports that this year’s February-to-April period was the driest since 1956, with rainfall at just half the long-term average. River flows have dropped sharply, soil moisture is down, and the National Drought Group has met to coordinate a national response.

Water companies already have plans to manage shortages, the UK government says. But as the cyberattacks mount, the question is: are their system defenses strong enough too?

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Cyberattacks on UK water systems reveal rising risks to critical infrastructure 

Chrome’s enhanced autofill makes storing your passport and ID easy—but convenience like this can come at a high cost.

Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new “enhanced autofill” can now stash your driver’s license, passport details, VIN, or license plate information. Sounds convenient, right?

But just because you can, it doesn’t mean you should.

Let’s face it: filling out government forms or travel bookings online is a pain. Anything that saves a few minutes—or spares you from hunting down your passport at the back of a drawer—feels like a win, especially if Chrome can neatly autofill those fields. And yes, Google promises encryption, explicit permission for autofill, and manual activation only if you want it.

But let’s think this through. Is storing your most personally identifiable information—like government-issued IDs—in the market-dominant browser a good idea? Because that’s what Chrome is.

Chrome’s market share (over 73% at the time of writing) makes it the internet’s biggest bullseye for criminals. Whether you’re using the enhanced autofill or the regular one, browser-based storage schemes are relentlessly hunted by password stealers, infostealers, and other types of malware.

And let’s not forget phishing attempts. Maybe having to dig through your drawer while you think about why a website needs that information isn’t such a bad thing after all.

Sure, Chrome encrypts autofill data, only saves your info with permission, and asks for confirmation before pasting it into a form. You can also ramp up security with two-factor authentication (2FA) and a Chrome sync passphrase. But when cybercriminals get the right kind of access (by stealing a browser session, finding an unlocked device, or getting you to install a rogue extension), your sensitive information is in danger. And with what Chrome can now store, that could mean your identity.

Chrome’s enhanced autofill promises a smoother online ride, but the consequences of storing government IDs in your browser could outweigh the perks. Cybercriminals love a big target—and with Chrome’s popularity, the bounty only grows. When the reward for a criminal is your passport, driver’s license, or identity, convenience should come second to caution.

Thankfully, someone decided it was a good idea to turn off this feature by default, but if you want to check, here’s how to find it:

*   Open Chrome.
*   In the main Chrome menu, click on **Settings**.
*   Under **Autofill and passwords**, select **Enhanced autofill** if present.

**Better alternative: password managers**

We would advise that if you must store this kind of information digitally, use a password manager. These tools are built for secure storage—they’re audited for security, separate from browser processes, and don’t automatically serve up your data to any site that happens to have the right input fields.

Stick to a dedicated password manager and stay in control of what’s stored and where it gets filled out. Remember: the less a browser knows about your life, the safer you are when someone eventually tries to break in.

**Other recommendations:**

*   Make sure your browser is up to date.
*   Use a real-time up-to-date anti-malware solution with web protection.
*   Use two-factor authentication or passkeys to enhance the security of your important accounts.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Should you let Chrome store your driver’s license and passport? 

Apple has patched nearly 50 security flaws across iPhones, Macs, Safari and more. Some could expose your data or let hackers in, so don’t wait to update.

Apple has released security updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, Safari, and Xcode, fixing nearly 50 security flaws. Some of these bugs could let cybercriminals see your private data, take control of parts of your device, or break key security protections.

Installing these updates as soon as possible keeps your personal information—and everything else on your Apple devices—safe from attack.

**What caught our eye**

Although Apple never releases full details before everyone has had a chance to apply the updates, two serious security flaws stand out:

*   **CVE-2025-43442:** This vulnerability is a permission issue which is fixed in iOS 26.1 and iPadOS 26.1. It could allow an app to identify which other apps a user has installed. You can imagine that if a banking Trojan—like this one on Android—can see which banking apps and crypto wallets someone uses they can maximize their social engineering strategies to target that user.
*   **CVE‑2025‑43455:** This is a privacy issue in watchOS 26.1, visionOS 26.1, iOS 26.1, and iPadOS 26.1. It allows malicious apps to capture screenshots of sensitive information in embedded views. Apple addressed this by tightening privacy checks and isolation policies.

**Updates for your particular device**

This table shows which updates are available and points you to the relevant security content fot that operating system (OS).

iOS 26.1 and iPadOS 26.1

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

macOS Tahoe 26.1

macOS Tahoe

macOS Sequoia 15.7.2

macOS Sequoia

macOS Sonoma 14.8.2

macOS Sonoma

tvOS 26.1

Apple TV HD and Apple TV 4K (all models)

watchOS 26.1

Apple Watch Series 6 and later

visionOS 26.1

Apple Vision Pro

Safari 26.1

macOS Sonoma and macOS Sequoia

Xcode 26.1

macOS Sequoia 15.6 and later

**How to update your devices****How to update your iPhone or iPad**

For iOS and iPadOS users, here’s how to check if you’re using the latest software version:

*   Go to **Settings** > **General** > **Software Update**.
*   Turn on **Automatic Updates** if you haven’t already—you’ll find it on the same screen.

**How to update macOS on any version**

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

**How to update Apple Watch**

Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi, then:

*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General** \> **Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

**How to update Apple TV**

Turn on your Apple TV and make sure it’s connected to the internet, then:

*   Open the Settings app on Apple TV.
*   Navigate **to System** \> **Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**How to update your Safari browser**

Safari updates are included with macOS updates, so installing the latest version of macOS will also update Safari. To check manually:

*   Open the **Apple menu** \> **System Settings** \> **General** \> **Software Update**.
*   If you see a Safari update listed separately, click **Update Now** to install it.
*   Restart your Mac when prompted.

If you’re on an older macOS version that’s still supported (like Sonoma or Sequoia), Apple may offer Safari updates independently through Software Update.

**How to update Xcode**

Xcode is Apple’s developer tool for building apps, so most people won’t have this, but if you do, you’ll need to keep it updated. Xcode updates come through the **App Store**:

*   Open the **App Store** on your Mac.
*   Click **Updates** in the sidebar.
*   If an Xcode update is available, click **Update** next to it.
*   You can also search for “Xcode” directly and click **Update** or **Get** if you’ve uninstalled it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple patches 50 security flaws—update now 

Think you’re just checking the news? A particularly sneaky Android Trojan has other plans—like stealing your banking details.

Researchers at Cyfirma have investigated Android Trojans capable of stealing sensitive data from compromised devices. The malware spreads by pretending to be trusted apps—like a news reader or even digital ID apps—tricking users into downloading it by accident.

In reality, it’s Android-targeting malware that preys on people who use banking and cryptocurrency apps. And a sneaky one. Once installed, it doesn’t announce itself in any way, but quietly works in the background to steal information such as login details and money.​

First, it checks if it’s running on a real phone or in a security test system so it can avoid detection. Then, it asks users for special permissions called “Accessibility Services,” claiming these help improve the app but actually giving the malware control over the device without the owner noticing. It also adds itself as a Device Administrator app.

Image courtesy of Cyfirma

With these permissions, the Trojan can read what’s on the screen, tap buttons, and fill in forms as if it were the user. It also overlays fake login screens on top of real banking and cryptocurrency apps, so when someone enters their username and password, the malware steals them.

Simply put, the Android overlay feature allows an app to appear on top of another app. Legitimate apps use overlays to show messages or alerts—like Android chat bubbles in Messenger—without leaving the current screen.

The Trojan connects to a remote command center, sending information about the phone, its location, and which banking apps are installed. At this point, attackers can send new instructions to the malware, like downloading updates to hide better or deleting traces of its activity. As soon as it runs, the Trojan also silences notifications and sounds so users don’t notice anything out of the ordinary.

The main risk is financial loss: once cybercriminals have banking credentials or cryptocurrency wallet codes, they can steal money or assets without warning. At this point in time the malware targets banking users in Southeast Asia, but its techniques could spread anywhere.

As we rely more on our phones for payments and important tasks, it’s clear that our mobile devices need the same level of protection that we expect on our laptops.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.Banker.AUR9b9b491bC44.

**How to stay safe**

*   **Stick to trusted sources.** Download apps—especially VPNs and streaming services—only from Google Play, Apple’s App Store, or the official provider. Never install something just because a link in a forum or message promises a shortcut.
*   **Check an app’s permissions.** If an app asks for control over your device, your settings, Accessibility Services, or wants to install other apps, stop and ask yourself why. Does it really need those permissions to do what you expect it to do?
*   **Use layered, up-to-date protection.** Install real-time anti-malware protection on your Android that scans for new downloads and suspicious activity. Keep both your security software and your device system updated—patches fix vulnerabilities that attackers can exploit.
*   **Stay informed.** Follow trustworthy cybersecurity news and share important warnings with friends and family.

**Indicators of compromise**

File name: IdentitasKependudukanDigital.apk

SHA-256: cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c

File Name: identitaskependudukandigital.apk

SHA256:19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423

File Name: identitaskependudukandigital.apk

SHA-256: a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 &#8220;Sneaky&#8221; new Android malware takes over your phone, hiding in fake news and ID apps 

California has fined Sling TV for misleading privacy controls that made opting out nearly impossible. Even children’s data ended up in ad targeting.

Streaming service Sling TV has settled with the California Attorney General over allegations that it blocked users from exercising their privacy rights.

The company will pay $530,000 after being accused of making it difficult for customers to opt out of its data collection practices.

The California Consumer Privacy Act (CCPA) says consumers must be able to easily see how companies use their data and opt out if they choose. But according to a press release from the Attorney General’s office, Sling misled users who tried.

When users attempted to opt out of having their data shared, Sling redirected them to a page for changing cookie settings. Cookies are small files that help websites recognize users and track activity. However, changing the cookie controls on this page didn’t actually stop data sharing. To do that, users had to find and fill out a separate online form—even logged-in customers had to provide their name, address, email, and phone number, which Sling already had.

Users couldn’t opt out from connected devices either. Instead, they had to manually type a complex URL into a separate browser, the complaint said.

**Children in the crosshairs**

Sling also failed to protect children’s privacy. It didn’t age-screen users or offer kids’ profiles that avoided targeted advertising. The company even bought data from brokers to build detailed viewer profiles—including information about children in the home, the complaint alleged.

The complaint stated:

> “Sling TV uses data about the presence of children in the household, and, in some cases, their age ranges, to build specific groups of viewers that can be targeted for cross-context behavioral advertising.”

The Sling case follows a string of privacy controversies in streaming. We recently wrote about how Roku faced similar accusations of selling children’s viewing data to advertisers and data brokers.

**Falling subscriber numbers, rising revenue**

Sling has been losing subscribers fast—down to 1.78 million—but it’s still making more money per viewer. How? By raising prices and leaning on targeted advertising, the very practice that just got it fined. Sling is a division of DISH Media, which says in its marketing material:

> “DISH Media is helping brands and agencies reimagine their media mix to maximize return on ad spend… helping advertisers optimize reach, frequency, and return on investment through more strategic platform planning.”

**What the settlement changes (and what it doesn’t)**

Under the settlement, Sling TV must stop sending users who opt out to a cookie settings page, stop requiring logged-in users to fill out forms with data it already holds, and add a direct opt-out mechanism to its app. It must also let parents create kids’ profiles and explain how to protect children’s privacy.

This is Sling’s first major privacy violation, but DISH Network has faced scrutiny before. In 2020, it paid a $210 million penalty—the largest ever under the FTC’s Telemarketing Sales Rule—for making millions of unlawful telemarketing calls.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Sling TV turned privacy into a game you weren’t meant to win 

App stores are overflowing with AI lookalikes—some harmless copies, others hiding adware or even spyware.

The mobile AI gold rush has flooded app stores with lookalikes—shiny, convincing apps promising “AI image generation,” “smart chat,” or “instant productivity.” But behind the flashy logos lurks a spectrum of fake apps, from harmless copycats to outright spyware.

Spoofing trusted brands like OpenAI’s ChatGPT has become the latest tactic for opportunistic developers and cybercriminals to sell their “inventions” and spread malware.

A quick scan of app stores in 2025 shows an explosion of “AI” apps. As Appknox research reveals, these clones fall along a wide risk spectrum:

*   **Harmless wrappers:** Some unofficial “wrappers” connect to legitimate AI APIs with basic add-ons like ads or themes. These mostly create privacy or confusion risks, rather than direct harm.
*   **Adware impersonators:** Others abuse AI branding just to profit from ads. For example, a DALL·E image generator clone mimicking OpenAI’s look delivers nothing but aggressive ad traffic. Its only purpose: funneling user data to advertisers under the guise of intelligence. Package com.openai.dalle3umagic is detected by Malwarebytes as Adware.
*   **Malware disguised as AI tools:** At the extreme, clones like WhatsApp Plus use spoofed certificates and obfuscated code to smuggle spyware onto devices. Once installed, these apps scrape contacts, intercept SMS messages (including one-time passwords), and quietly send everything to criminals via cloud services. WhatsApp Plus is an unofficial, third-party modified version of the real WhatsApp app, and some variants falsely claim to include AI-powered tools to lure users. Package com.wkwaplapphfm.messengerse is detected by Malwarebytes as Android/Trojan.Agent.SIB0185444803H262.

We’ve written before about cybercriminals hiding malware behind fake AI tools and installed packages that mimic popular services like Chat GPT, the lead monetization service Nova Leads, and an AI-empowered video tool called InVideo AI.

**How to stay safe from the clones**

As is true with all malware, the best defense is to prevent an attack before it happens. Follow these tips to stay safe:

*   **Download only from official stores.** Stick to Google Play or the App Store. Don’t download apps from links in ads, messages, or social media posts.
*   **Check the developer name.** Fake apps often use small tweaks—extra letters or punctuation—to look legitimate. If the name doesn’t exactly match, skip it.
*   **Read the reviews (but carefully).** Real users often spot bad app behavior early. Look for repeated mentions of pop-ups, ads, or unexpected charges.
*   **Limit app permissions.** Don’t grant access to contacts, messages, or files unless it’s essential for the app to work.
*   **Keep your device protected.** Use trusted mobile security software that blocks malicious downloads and warns you before trouble starts.
*   **Delete suspicious apps fast.** If something feels off—battery drain, pop-ups, weird network traffic—uninstall the app and run a scan.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Attack of the clones: Fake ChatGPT apps are everywhere 

This week on the Lock and Code podcast, we speak with Deb Donig about OpenAI's stated desire to release "erotica" on ChatGPT.

_This week on the Lock and Code podcast…_

In the final, cold winter months of the year, ChatGPT could be heating up.

On October 14, OpenAI CEO Sam Altman said that the “restrictions” that his company previously placed on their flagship product, ChatGPT, would be removed, allowing, perhaps, for “erotica” in the future.

“We made ChatGPT pretty restrictive to make sure we were being careful with mental health issues,” Altman wrote on the platform X. “We realize this made it less useful/enjoyable to many users who had no mental health problems, but given the seriousness of the issue we wanted to get this right.”

This wasn’t the first time that OpenAI or its executive had addressed mental health.

On August 26, OpenAI published a blog titled “Helping people when they need it most,” which explored new protections for users, including stronger safeguards for long conversations, better recognition of people in crisis, and easier access to outside emergency services and even family and friends. The blog alludes to “recent heartbreaking cases of people using ChatGPT in the midst of acute crises,” but it never explains what, explicitly, that means.

But on the very same day the blog was posted, OpenAI was sued for the alleged role that ChatGPT played in the suicide of a 16-year-old boy. According to chat logs disclosed in the lawsuit, the teenager spoke openly to the AI chatbot about suicide, he shared that he wanted to leave a noose in his room, and he even reportedly received an offer to help write a suicide note.

Bizarrely, this tragedy plays a role in the larger story, because it was Altman himself who tied the company’s mental health campaign to its possible debut of erotic content.

> “In December, as we roll out age-gating more fully and as part of our ‘treat adult users like adults’ principle, we will allow even more, like erotica for verified adults.”

What “erotica” entails is unclear, but one could safely assume it involves all the capabilities currently present in ChatGPT, through generative chat, of course, but also image generation.   

Today, on the Lock and Code podcast with host David Ruiz, we speak with Deb Donig, on faculty at the UC Berkeley School of Information, about the ethics of AI erotica, the possible accountability that belongs to users and to OpenAI, and why intimacy with an AI-power chatbot feels so strange.

> “A chat bot offers, we might call it, ‘intimacy’s performance,’ without any of its substance, so you get all of the linguistic markers of connection, but no possibility for, for example, rejection. That’s part of the human experience of a relationship.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

 Would you sext ChatGPT? (Lock and Code S06E22) 

Malwarebytes earned three PCMag wins and achieved 100% protection in AVLab Cybersecurity Foundation’s latest malware test.

Malwarebytes proudly topped three categories in PCMag’s 2025 Readers’ Choice Awards, recognized for exceptional protection and user satisfaction. We also earned the latest badge from AVLab Cybersecurity Foundation’s September “Advanced In-The-Wild Malware Test” by blocking 100% of malware samples. 

Malwarebytes continues to impress, winning the latest PC Mag Readers’ Choice Awards 2025 in multiple categories:  

*   Best PC Security Suite  

*   Best Android Antivirus 

*   Best iOS/iPadOS Antivirus 

PCMag’s Readers’ Choice Awards celebrate the technology brands users trust and love the most, based on real-world feedback from thousands of readers. 

Malwarebytes delivered outstanding performance and earned praise from readers for its **reliability**, **ease of use**, **powerful protection**, and **overall trustworthiness**—scoring more than half a point above competitors and excelling in every subcategory, including ransomware protection, phishing protection, and integrated VPN.  

> _“According to our readers, there’s no better security option for PCs or mobile devices than_ _Malwarebytes__. The software racks up nearly perfect scores in categories like reliability, ease of use, spam filtering, and most importantly, antivirus and malware protection. It’s also trusted more than any other product in the rankings.”__\*_ 

Continuing our streak of excellence, Malwarebytes also received the latest badge in AVLab Cybersecurity Foundation’s “Advanced In-The-Wild” series, following our earlier 2025 Product of the Year award—our third consecutive win. 

In September, AVLab Cybersecurity Foundation tested 443 unique malware samples against 18 cybersecurity products. Malwarebytes Premium Security detected all 443, with an average remediation time of 8.4 seconds—almost 8 seconds faster than the industry average.  

These results highlight our mission to reimagine security and protect people and data across all devices and platforms. 

Recent innovations like Malwarebytes Scam Guard for Mobile and Windows Tools for PC set new standards for privacy and affordable protection, enhanced by AI-powered features like Trusted Advisor, your built-in personal digital health hub available on all platforms. 

Malwarebytes is proud to receive both awards, and we thank PCMag readers and the AVLab Cybersecurity Foundation for their trust and recognition. 

_\*Reprinted with permission. (c) 2025 Ziff Davis, LLC. All Rights Reserved._

 Malwarebytes aces PCMag Readers’ Choice Awards and AVLab Cybersecurity Foundation tests 

A list of topics we covered in the week of October 27 to November 2 of 2025

October 31, 2025 - Google’s latest Chrome release fixes seven serious flaws that could let attackers run malicious code just by luring you to a compromised page.

October 30, 2025 - Attackers don’t need to hack you to find you. They just piece together what’s already public.

October 30, 2025 - You could be one of more than 10 million people caught up in its recent data breach. Here's what to watch out for.

October 30, 2025 - Tina Pal wants a word about your PayPal account—but it's a scam. Here’s how to spot the red flags and what to do if you’ve already called.

October 29, 2025 - By blending search and chat in one field, OpenAI’s Atlas has made browsing more convenient—and more dangerous.

 A week in security (October 27 &#8211; November 2) 

Google’s latest Chrome release fixes seven serious flaws that could let attackers run malicious code just by luring you to a compromised page.

Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.

Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.

These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be open to an attack just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting to apply security patches, because updates often fix exactly this kind of risk.

**How to update**

The Chrome update brings the version number to 142.0.7444.59/.60 for Windows, 142.0.7444.60 for MacOS and 142.0.7444.59 for Linux. So, if your Chrome is on the version number **142.0.7444.59 or later,** it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the “**More**” menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then relaunch Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can find more detailed update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details**

Among the vulnerabilities in the V8 engine there are two that stand out:

**CVE-2025-12428** is a high-severity “type confusion” vulnerability in the V8 JavaScript engine. This happens when code doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the software mistakes one type of data for another—like treating a list as a single value or a number as text. This can cause Chrome to behave unpredictably and, in some cases, let attackers manipulate memory and execute code remotely through crafted JavaScript on a malicious or compromised website. Google paid a $50,000 bounty for its discovery, highlighting its severity.

**CVE-2025-12036** involves an inappropriate implementation in V8 and is classified as critical. This one allows remote code execution (RCE)—meaning an attacker could run code on your computer just by getting you to visit a specially crafted page. Google’s Big Sleep project, an AI-driven system that automates vulnerability discovery, found the flaw. It stems from improper handling in the internals of the JavaScript and WebAssembly engines and carries a high risk of data theft, malware installation, or even full system compromise.

Users of other Chromium-based browsers—like Edge, Opera, and Brave—can expect similar updates in the near future.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes