Security
Headlines
HeadlinesLatestCVEs

Tag

#java

GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections

Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical

The Hacker News
Open in Source
#web#ios#android#google#git#java#The Hacker News
Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in

GHSA-3w8q-xq97-5j7x: Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function

When an application passed an attacker controlled float poing number into the `toFixed()` function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: `NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult` where `pow5mult` attempts to raise `5` to a ridiculous power. Example code: `(4.47118444E-314).toFixed(2)`

GHSA-424m-fj2q-g7vg: Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors

### Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. ### Workaround If the standard CSP rules are active (default in production mode), an exploit isn't possible. ### Credits Lwin Min Oo <lwinminoo2244@gmail.com>

Fileless protection explained: Blocking the invisible threat others miss

Your antivirus scans files. But what about attacks that never create files? Here's how we catch the threats hiding on your family's computers.

“Sleeper” browser extensions woke up as spyware on 4 million devices

After seven years of acting like normal add-ons, five popular Chrome and Edge extensions with millions of installs suddenly turned malicious.

NK Hackers Push 200 Malicious npm Packages with OtterCookie Malware

North Korean hackers escalated the "Contagious Interview" attack, flooding the npm registry with over 200 malicious packages to install OtterCookie malware. This attack targets blockchain and Web3 developers through fake job interviews and coding tests.

GHSA-pc5g-j9j7-p4q3: Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue. GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm,

Google patches 107 Android flaws, including two being actively exploited

Google’s December update fixes two Android bugs that criminals are actively exploiting. Update as soon as you can.