#git

ANY.RUN report reveals how the new CastleLoader malware targets US government agencies using stealthy ClickFix tricks and memory-based attacks to bypass security.

Silver Spring, Maryland, 15th January 2026, CyberNewsWire

Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

As AI copilots and assistants become embedded in daily work, security teams are still focused on protecting the models themselves. But recent incidents suggest the bigger risk lies elsewhere: in the workflows that surround those models. Two Chrome extensions posing as AI helpers were recently caught stealing ChatGPT and DeepSeek chat data from over 900,000 users. Separately, researchers

Over 387,000 users downloaded vulnerable Apache Struts versions this week. Exclusive Sonatype research reveals a high-risk flaw found by AI. Is your system at risk?

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.

Microsoft on Wednesday announced that it has taken a "coordinated legal action" in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses. The effort, per the tech giant, is part of a broader law enforcement effort in collaboration with law enforcement authorities that has allowed it to confiscate the malicious

### Impact Versions of the Algolia Search & Discovery extension for Magento 2 prior to **3.17.2** and **3.16.2** contain a vulnerability where data read from the database was treated as a trusted source during job execution. If an attacker is able to modify records used by the extension’s indexing queue, this could result in **arbitrary PHP code execution** when the affected job is processed. Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled. --- ### Patches This vulnerability has been fixed in the following versions: - **3.17.2** - **3.16.2** Merchants should upgrade to a supported patched version immediately. Versions outside the supported maintenance window do **not** receive security updates and remain vulnerable. --- ### Workarounds Upgrading to a patched version is the only recommended remediation. If an immediate upgrade is not possible, the following temporary risk mitigations may reduce expos...

### Impact Attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Othe...

### Summary The `RedirectSlashes` function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability. ### Details The `RedirectSlashes` function performs a `Trim` to all forward slash (`/`) characters, while prepending a single one at the begining of the path (Line 52). However, it does not trim backslashes (`\`). ```go File: middleware/strip.go 41: func RedirectSlashes(next http.Handler) http.Handler { ... 51: // Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//") 52: path = "/" + strings.Trim(path, "/") ... 62: } ``` Also, from version 5.2.2 onwards the `RedirectSlashes` function does not take into consideration the `Host` Header in the redirect response returned. This was done in order to combat another [[vulnerability](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93)](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93). The above make it possible for a ...