Cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, and questions are all welcome!

founded 2 years ago
151
 
 

"Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens.

The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

The list of affected packages and their rogue versions, according to Socket, is listed below -

  • eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
  • eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
  • synckit (version 0.11.9)
  • @pkgr/core (version 0.2.8)
  • napi-postinstall (version 0.3.1)

"The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said."

https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html

#CyberSecurity #NPM #JavaScript #Node #GitHub #Windows #Malware

152
 
 

#CitrixBleed2 exploited weeks before PoCs as #Citrix denied attacks

https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/

#cybersecurity

153
 
 

#GitHub abused to distribute payloads on behalf of #malware-as-a-service

https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-github-to-distribute-its-payloads/

#cybersecurity #Emmenhtal #PeakLight #MaaS

154
 
 

#VMware fixes four #ESXi zero-day bugs exploited at #Pwn2Own Berlin

https://www.bleepingcomputer.com/news/security/vmware-fixes-four-esxi-zero-day-bugs-exploited-at-pwn2own-berlin/

#cybersecurity

155
 
 

#Microsoft #Teams voice calls abused to push #Matanbuchus #malware

https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-abused-to-push-matanbuchus-malware/

#cybersecurity

156
 
 

#Google sues to disrupt #BadBox 2.0 #botnet infecting 10 million devices

https://www.bleepingcomputer.com/news/security/google-sues-to-disrupt-badbox-20-botnet-infecting-10-million-devices/

#cybersecurity #malware

157
 
 

Hacker steals $27 million in #BigONE exchange #crypto breach

https://www.bleepingcomputer.com/news/security/hacker-steals-27-million-in-bigone-exchange-crypto-breach/

#cybersecurity #cybercrime

158
 
 

Hackers are trying to steal passwords and sensitive data from users of #Signal clone

https://techcrunch.com/2025/07/17/hackers-are-trying-to-steal-passwords-and-sensitive-data-from-users-of-signal-clone/

#cybersecurity #TeleMessage

159
 
 

North Korean hackers blamed for record spike in #crypto thefts in 2025

https://techcrunch.com/2025/07/17/north-korean-hackers-blamed-for-record-spike-in-crypto-thefts-in-2025/

#NorthKorea #cybersecurity #cybercrime

160
 
 

Max severity #Cisco #ISE bug allows pre-auth command execution, patch now

https://www.bleepingcomputer.com/news/security/max-severity-cisco-ise-bug-allows-pre-auth-command-execution-patch-now/

#cybersecurity

161
162
 
 

#SonicWall #SMA devices hacked with #OVERSTEP #rootkit tied to #ransomware

https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/

#cybersecurity

163
 
 

New #Fortinet #FortiWeb hacks likely linked to public RCE exploits

https://www.bleepingcomputer.com/news/security/new-fortinet-fortiweb-hacks-likely-linked-to-public-rce-exploits/

#cybersecurity

164
 
 

#Europol disrupts pro-Russian #NoName057(16) #DDoS #hacktivist group

https://www.bleepingcomputer.com/news/security/europol-disrupts-pro-russian-noname05716-ddos-hacktivist-group/

#cybersecurity #Russia #cybercrime

165
 
 

#UK #retail giant #CoOp confirms hackers stole all 6.5 million customer records

https://techcrunch.com/2025/07/16/uk-retail-giant-co-op-confirms-hackers-stole-all-6-5-million-customer-records/

#cybersecurity #privacy #DataBreach

166
 
 

#Google fixes actively exploited sandbox escape zero day in #Chrome

https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-sandbox-escape-zero-day-in-chrome/

#cybersecurity

167
 
 

#US #Army #soldier pleads guilty to hacking telcos and extortion

https://techcrunch.com/2025/07/15/us-army-soldier-pleads-guilty-to-hacking-telcos-and-extortion/

#cybercrime #cybersecurity

168
 
 

North Korean #XORIndex #malware hidden in 67 malicious #npm packages

https://www.bleepingcomputer.com/news/security/north-korean-xorindex-malware-hidden-in-67-malicious-npm-packages/

#cybersecurity #NorthKorea

169
 
 

Ukrainian hackers claim to have destroyed servers of Russian #drone maker

https://techcrunch.com/2025/07/15/ukrainian-hackers-claim-to-have-destroyed-servers-of-russian-drone-maker/

#Ukraine #Russia #cybersecurity #politics

170
 
 

Hackers Can Remotely Trigger the Brakes on American #Trains and the Problem Has Been Ignored for Years

https://www.404media.co/hackers-can-remotely-trigger-the-brakes-on-american-trains-and-the-problem-has-been-ignored-for-years/

#cybersecurity

171
 
 

"Many trains in the U.S. are vulnerable to a hack that can remotely lock a train’s brakes, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who discovered the vulnerability. The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it.

Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.

“All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you,” Smith told 404 Media. “The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received.”

Smith said that a hacker who knew what they were doing could trigger the brakes from a distance."

https://www.404media.co/hackers-can-remotely-trigger-the-brakes-on-american-trains-and-the-problem-has-been-ignored-for-years/

#CyberSecurity #Trains #Transportation #Railways #Hacking

172
 
 

#DOGE Denizen Marko Elez Leaked API Key for #xAI

https://krebsonsecurity.com/2025/07/doge-denizen-marko-elez-leaked-api-key-for-xai/

#cybersecurity

173
 
 

#UK launches vulnerability research program for external experts

https://www.bleepingcomputer.com/news/security/uk-launches-vulnerability-research-program-for-external-experts/

#cybersecurity

174
 
 

#Episource is notifying millions of people that their #health data was stolen

https://techcrunch.com/2025/07/14/episource-is-notifying-millions-of-people-that-their-health-data-was-stolen/

#cybersecurity #privacy #DataBreach #healthcare

175
 
 

#Trump administration to spend $1 billion on ‘offensive’ hacking operations

https://techcrunch.com/2025/07/14/trump-administration-to-spend-1-billion-on-offensive-hacking-operations/

#cybersecurity #cyberwar #politics
