Security
Headlines
HeadlinesLatestCVEs

Tag

#git

⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More

Last week’s cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not

The Hacker News
Open in Source
#vulnerability#web#ios#android#mac#windows#google#microsoft#debian#ddos#dos#nodejs#git#intel#php#backdoor#rce#samsung#oauth#auth#zero_day#mongo#docker#chrome#sap#ssl#The Hacker News
27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical

A week in security (December 22 – December 28)

A list of topics we covered in the week of December 22 to December 28 of 2025

Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors

In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI

Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach

A hacker using the alias “Lovely” has leaked what they claim is the personal data of over 2.3…

GHSA-rcfx-77hg-w2wv: FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

GHSA-g5p6-3j82-xfm4: Croogo CMS has a path traversal vulnerability

A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter.

Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to

GHSA-jv72-59wq-8rxm: libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS)

A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS).

Popular NPM Package lotusbail Exposed as Trojan Stealing WhatsApp Chats

Koi Security uncovers lotusbail, a malicious npm package with 56K downloads that steals WhatsApp messages and installs a persistent backdoor. Learn how to protect your data.