Security
Headlines
HeadlinesLatestCVEs

Tag

#git

⚡ Weekly Recap: Apple 0-Days, WinRAR Exploit, LastPass Fines, .NET RCE, OAuth Scams & More

If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and

The Hacker News
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#microsoft#linux#cisco#ddos#dos#apache#js#git#intel#backdoor#rce#pdf#huawei#oauth#auth#ssh#zero_day#ruby#bitbucket#chrome#sap#ssl#The Hacker News
A Browser Extension Risk Guide After the ShadyPanda Campaign

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into

Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll

A week in security (December 8 – December 14)

A list of topics we covered in the week of December 8 to December 14 of 2025

GHSA-r6j8-c6r2-37rr: kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

GHSA-45h5-66jx-r2wf: MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.

GHSA-v6x3-9r38-r27q: Sequoia PGP has Subtraction Overflow when aes_key_unwrap function is provided ciphertext that is too short

In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.

GHSA-75mj-4g74-9rg2: Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification

The vulnerability arises when a client fetches a tools’ JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the clients’ trust, a malicious provider can later change the manual to exploit the client.

UK’s ICO Fine LastPass £1.2 Million Over 2022 Security Breach

UK's ICO fines LastPass £1.2M for the 2022 data breach that exposed 1.6 million users’ data. Learn how a flaw in an employee's personal PC led to the massive security failure.

Development Team Augmentation: A Strategic Approach for High-Performance Teams

Scale software teams fast with development team augmentation. Learn when it works best, key models, common mistakes, and how to choose the right partner.