Tag
#git
A list of topics we covered in the week of September 22 to 28, 2025
Singapore, Singapore, 29th September 2025, CyberNewsWire
The llama-index-core package, up to and including version 0.12.44, contains a vulnerability in the `get_cache_dir()` function: on Linux it uses the predictable, hardcoded directory path `/tmp/llama_index` without any ownership, permission, or symlink checks. On a multi-user system this lets a local attacker who plants the path first read or steal proprietary models, poison cached embeddings, or redirect the cache through a symlink so that writes land in a location of their choosing. Every Linux deployment where several users share a host is affected. The issue is classified under CWE-379 (creation of a temporary file in a directory with insecure permissions), CWE-377 (insecure temporary file) and CWE-367 (time-of-check/time-of-use race condition).
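The contrast below is an added example, not llama-index's own source: `insecure_cache_dir()` reproduces the shape of the flaw described above (a fixed, world-shared path created with `os.makedirs`), and `secure_cache_dir()` shows the usual fix: a per-user directory under the XDG cache location, created `0700`, opened with `O_NOFOLLOW` and validated through the opened file descriptor so that the ownership and mode checks apply to the inode actually in use rather than to a path that could be swapped underneath. The `simulate_symlink_attack()` scenario, the `llama_index` cache name under a scratch directory, and the XDG fallback are all constructed assumptions for the demo.

```python
import os
import stat
import tempfile
from typing import Optional

# Insecure pattern, reconstructed from the advisory text (assumption: this is the
# shape of the issue, not the library's actual code): one fixed path for all users.
INSECURE_CACHE_DIR = "/tmp/llama_index"


def insecure_cache_dir(path: str = INSECURE_CACHE_DIR) -> str:
    # makedirs happily accepts a pre-planted symlink at this name, so every later
    # cache write lands wherever the attacker pointed it (CWE-377 / CWE-379).
    os.makedirs(path, exist_ok=True)
    return path


def secure_cache_dir(app_name: str = "llama_index", base: Optional[str] = None) -> str:
    """Per-user cache dir: created 0700, never a symlink, must be owned by the caller."""
    if base is None:  # live under the user's own cache dir, not shared /tmp
        base = os.environ.get("XDG_CACHE_HOME") or os.path.join(os.path.expanduser("~"), ".cache")
    os.makedirs(base, mode=0o700, exist_ok=True)
    path = os.path.join(base, app_name)
    try:
        os.mkdir(path, 0o700)  # atomic create with a tight mode; no pre-check needed
    except FileExistsError:
        pass  # already present: validate what is really there below
    # Open without following symlinks, then inspect the inode we opened. Checking
    # the fd instead of the path removes the CWE-367 check-then-use window.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:  # ELOOP for a symlink, ENOTDIR for a planted file, ...
        raise PermissionError(f"refusing {path}: {exc}") from None
    try:
        st = os.fstat(fd)
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path} is owned by uid {st.st_uid}, not {os.getuid()}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            os.fchmod(fd, 0o700)  # strip group/other access an older run left open
    finally:
        os.close(fd)
    return path


def simulate_symlink_attack(base: str, app_name: str = "llama_index") -> dict:
    """Constructed scenario: another user pre-plants <base>/<app_name> as a symlink."""
    target = tempfile.mkdtemp(prefix="attacker-controlled-", dir=base)
    link = os.path.join(base, app_name)
    os.symlink(target, link)
    insecure = insecure_cache_dir(link)  # silently follows the link
    try:
        secure_cache_dir(app_name, base)
        refused = False
    except PermissionError:
        refused = True
    return {
        "insecure_resolved_to_attacker_dir": os.path.realpath(insecure) == os.path.realpath(target),
        "secure_refused": refused,
    }


def run_demo() -> dict:
    """Exercise both paths in a scratch directory and return the observations."""
    with tempfile.TemporaryDirectory() as scratch:
        result = simulate_symlink_attack(scratch)
        clean_base = os.path.join(scratch, "clean")
        clean = secure_cache_dir("llama_index", clean_base)
        st = os.lstat(clean)
        result["clean_dir_mode"] = stat.S_IMODE(st.st_mode)
        result["clean_dir_is_symlink"] = stat.S_ISLNK(st.st_mode)
        result["clean_dir_idempotent"] = secure_cache_dir("llama_index", clean_base) == clean
    return result


if __name__ == "__main__":
    print(run_demo())
```

A cache needs a stable name, which is why the fix is a per-user directory with fd-based validation rather than `tempfile.mkdtemp()`; the latter is the right tool only when a random, single-use directory is acceptable.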
Plus: A ransomware gang steals data on 8,000 preschoolers, Microsoft blocks Israel's military from using its cloud for surveillance, call-recording app Neon hits pause over security holes, and more.
Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU). "The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the
Companies are going to great lengths to protect the infrastructure that provides the backbone of the world’s digital services—by burying their data deep underground.
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range".
By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.
Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.
### Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question is the set of keys stored in the MLS secret tree, which are used to decrypt private MLS messages. The effects of the bug are limited in scope, but they can affect forward secrecy and limit how many messages can be decrypted.
### Technical details
#### Scope
The scope of the bug is limited to private messages (application and handshake messages) received in groups. Furthermore, the scope is limited to one epoch, and the effects are reset with each epoch transition, or through consecutive group operations without reloading group state in between.
#### Functional impact
Within each epoch of a group, there is a maximum number of private messages per sender that can be skipped before an error is thrown. This number is set through maximum_forward_distance in the SenderRatchetConfiguration; the default value is 1000. The b...