Tag
#ios
Researchers have found a new spying campaign using news about Venezuela to trick US government officials. Learn how the LOTUSLITE virus sneaks into computers to steal secrets.
Researchers demonstrated WhisperPair, a set of attacks that can take control of many widely used Bluetooth earbuds and headphones without user interaction.
A fake ticket website that ended with a digital finger-wag showed just how many people still fall for concert and sports ticket scams.
### Summary
The latest versions of both 4.x and 5.x are using Axios versions < 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios

### Details
We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js. I couldn't see any reference to vulnerable axios versions in your package.json files, but noticed some precompiled files in packages/plugin so I'm assuming those are where the issue lies.
### Summary
Freeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion (CVE-2025-58754).

Freeform version: 4.1.29
Craft CMS version: 4.16.8

### Impact
When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.
As AI copilots and assistants become embedded in daily work, security teams are still focused on protecting the models themselves. But recent incidents suggest the bigger risk lies elsewhere: in the workflows that surround those models. Two Chrome extensions posing as AI helpers were recently caught stealing ChatGPT and DeepSeek chat data from over 900,000 users. Separately, researchers
A major Verizon outage appeared to impact customers across the United States starting around noon ET on Wednesday. Calls to Verizon customers from other carriers may also be impacted.
Fake LinkedIn comments warning of account restrictions are designed to trick users into revealing their login details.
Customer support teams adopt chatbots to reduce workload, shorten response times, and control costs. Freshdesk makes chatbot deployment…
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least