Dutch Paint Giant AkzoNobel Hit by Anubis Ransomware
Anubis gang claims 170GB of data including passport scans and client agreements from AkzoNobel's US operations. Company says breach contained.
Breaking cybersecurity news covering data breaches, vulnerability disclosures, threat actor campaigns, and security incidents worldwide.
Government-grade iPhone exploits targeting iOS 13-17.2.1 now wielded by Russian spies and Chinese criminals. Lockdown Mode stops it cold.
Federal agencies must patch CVE-2017-7921 and CVE-2021-22681 by March 26. Hikvision cameras face active exploitation; Rockwell PLCs at risk.
CVE-2026-28289 allows unauthenticated attackers to achieve full server compromise by sending a single crafted email. CVSS 10.0—patch to 1.8.207 now.
Malicious GitHub repositories exploiting Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.
Attacker leverages infostealer-compromised credentials to extort restaurant POS provider HungerRush, sending threatening emails directly to customers demanding response.
Active phishing campaign uses spoofed email chains to trick LastPass users into revealing master passwords. Attackers generate thousands of URL variants leading to fake SSO pages.
Supply chain attack targets PHP developers via fake Laravel utilities containing encrypted RAT payload. The malware gains full access to database credentials and API keys.
CVE-2025-20265 in Cisco Secure Firewall Management Center allows unauthenticated attackers to execute commands as root via RADIUS authentication. Patch immediately.
Unit 42 threat brief details Iran's cyber response to Operation Epic Fury, with 60+ hacktivist groups claiming 150+ incidents in 72 hours despite severe connectivity loss.
Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.
CISA adds CVE-2026-22719 to Known Exploited Vulnerabilities catalog after confirming active exploitation of VMware Aria Operations command injection flaw.
FulcrumSec threat actor exploits React2Shell vulnerability to breach LexisNexis AWS infrastructure, leaking 2GB of customer data including .gov email addresses and federal employee records.
Security researchers uncover 26 malicious npm packages using steganography to hide command infrastructure in computer science essays. Famous Chollima cluster targets developers with RAT.
CVE-2026-22886 exposes Eclipse OpenMQ to remote takeover via default admin/admin credentials. CVSS 9.8 critical vulnerability requires immediate attention from Java messaging users.
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
Google's March 2026 Android security update patches 129 vulnerabilities including CVE-2026-21385, a Qualcomm graphics flaw affecting 234 chipsets under active exploitation.
Ryan Goldberg and Kevin Martin pleaded guilty to deploying ALPHV BlackCat ransomware while working in incident response and negotiation roles. Sentencing set for March 12.
Link11's European Cyber Report 2026 reveals DDoS attacks increased 75% with systems under fire 88% of the year. Follow-up attacks surged 80% as attackers adopt persistence tactics.
China-linked UNC2814 breached 53 organizations across 42 countries using GRIDTIDE malware that abuses Google Sheets for C2. Google terminates attacker infrastructure.
Critical insecure deserialization vulnerability in U-Office Force allows remote attackers to execute arbitrary code without authentication. CVSS 9.8, no patch available yet.
Texas AG Ken Paxton secures settlement forcing Samsung to stop ACR surveillance of Texans' viewing habits without express consent. Four other TV makers still facing lawsuits.
Updated CISA analysis reveals RESURGE implant uses advanced evasion techniques and can persist undetected on Ivanti Connect Secure devices until remote activation.
China-aligned threat group deploys LuciDoor and MarsSnake backdoors against telecom providers in Kyrgyzstan and Tajikistan, expanding from prior Saudi operations.
WordPress plugin wpForo 2.4.14 contains unauthenticated SQL injection, PHP object injection, and multiple authorization bypass flaws. Over 80,000 sites at risk.
Critical CVE-2026-21902 in Junos OS Evolved allows remote attackers to gain root access on PTX routers via exposed anomaly detection service. Patch now.
Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.
Trend Micro finds 2,200+ malicious skills weaponizing AI agents to deploy AMOS. The campaign marks a shift from prompt injection to using AI as a trusted intermediary for malware delivery.
New botnet loader stores encrypted commands in smart contracts on Polygon, making traditional infrastructure takedowns ineffective. Operating costs are under $1 for 100+ commands.
ReversingLabs caught StripeApi.Net typosquatting the official Stripe library. The package processed payments normally while exfiltrating API keys in the background.
CVE-2026-28408 and related vulnerabilities allow unauthenticated attackers to bypass security, inject data, and execute code on WeGIA servers. Patch to version 3.6.5 immediately.
CVE-2026-2749 enables unauthenticated attackers to write or delete arbitrary files on Centreon Central Servers. Patches now available for all supported versions.
North Korean APT37 deploys six new malware tools to breach air-gapped systems using USB drives and cloud C2. Zscaler reveals RESTLEAF, THUMBSBD, and FOOTWINE surveillance capabilities.
CVE-2026-27575 combines weak password enforcement with persistent sessions in Vikunja, enabling attackers to retain access even after victims change credentials.
Cisco Talos uncovers UAT-10027 deploying Dohdoor malware against American hospitals and schools. The backdoor uses DNS-over-HTTPS to evade detection.
CVE-2026-20781 exposes OCPP WebSocket endpoints to unauthenticated station impersonation, enabling attackers to manipulate EV charging infrastructure and steal energy.
CVE-2026-2251 is a CVSS 9.8 path traversal vulnerability in Xerox FreeFlow Core that enables unauthenticated remote code execution. Upgrade to version 8.1.0 now.
Microsoft uncovers developer-targeting campaign using fake coding assessments to deliver JavaScript backdoors through VS Code automation triggers and Vercel-hosted payloads.
Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.
Check Point found CVE-2025-59536 and CVE-2026-21852 in Anthropic's Claude Code. Opening a cloned repo could execute code and leak API credentials.
CVE-2026-27941 (CVSS 9.9) lets attackers execute code via pull requests to OpenLIT, stealing GITHUB_TOKEN and cloud secrets. Patch to 1.37.1 now.
CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.
Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
Anthropic alleges DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to extract Claude capabilities through 16 million distillation queries.
CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.
Serv-U 15.5.4 fixes four CVSS 9.1 bugs including type confusion and access control flaws. Admin access required, but file transfer platforms remain high-value targets.
A coding error in PayPal Working Capital exposed customer SSNs and business data since July 2025. Unauthorized transactions detected on some affected accounts.
ProbablyPwned delivers breaking hacking news and cybersecurity coverage for security professionals. Our team monitors global threat landscapes to bring you timely reporting on data breaches, vulnerability disclosures, and threat actor campaigns.