The Hacker News

⚡ New Cyber Recap is live. 🐛 npm worm returns 📧 M365 email + token raids 📱 spyware on chat apps 🧱 Firefox RCE + hot CVEs 💸 Cryptomixer takedown If you ship code, manage access, or touch cloud… this one’s worth 3 minutes. Read: https://thehackernews.com/2025/12/weekly-recap-hot-cves-npm-worm-returns.html

🚨 The browser just became your riskiest employee. New AI browsers like ChatGPT Atlas can act on your behalf — booking, buying, sending data. One hidden command can turn them against you. Join this expert webinar to learn how to spot and stop these new AI browser threats ↓ https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

🚨 Webinar Alert: Resilient Patching — Guardrails for Community Repos You trust your patching tools. Attackers trust that too. A single unsafe package on Chocolatey or Winget can flip your defenses against you. Learn how top teams patch fast, safe, and under control. 👉 Register & get the full playbook → https://thehacker.news/resilient-patching

🚨 New Android malware Albiriox is being sold as a service. It can remotely control phones, stream screens from banking apps, and fake updates to steal logins. It even bypasses Android’s screen protections. Read about it here → https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html Spread via fake Google Play links, it’s already targeting users in Austria.

🚨 Tomiris is back — and harder to spot. Kaspersky reports the group is using Telegram & Discord as C2 servers to hide attacks on government networks in Russia & Central Asia. Its new malware — written in Python, Rust, Go, PowerShell & C#. Full details ↓ https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html

🚨 CISA added a real-world exploited flaw in OpenPLC ScadaBR to its Known Exploited Vulnerabilities list. Hackers used the bug (CVE-2021-26829) to deface a fake water plant system in under 26 hours — disabling logs and alarms. Read → https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html

⚠️ Researchers found old Python code that could expose projects to a supply chain attack. Some PyPI packages — including Tornado and slapos.core — still call an expired domain that anyone could buy and use to run malicious code. Details ↓ https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html

🚨 North Korean hackers uploaded 197 malicious npm packages (31K+ downloads). They drop a new OtterCookie variant that steals passwords, crypto data, and screenshots — all from a fake job interview setup. Details here ↓ https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

VPNs weren’t built for today’s hybrid networks. Hackers now exploit them as entry points to steal admin creds. Remote Privileged Access Management (RPAM) closes that gap — no VPNs, no shared passwords, full session tracking. Why it’s replacing PAM → https://thehackernews.com/2025/11/why-organizations-are-turning-to-rpam.html

Hackers posing as Kyrgyzstan’s Justice Ministry are spreading 2013-era NetSupport RAT across Kyrgyzstan and Uzbekistan using fake PDFs and old Java tricks—blocking outsiders to hide the attack. Old tools. New victims. → https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html

Microsoft will block all non-Microsoft scripts on Entra ID logins starting Oct 2026. If your sign-in flow or browser extension injects any code, it may break — so test ASAP. The new Content Security Policy only lets trusted Microsoft-hosted scripts. Read more → https://thehackernews.com/2025/11/microsoft-to-block-unauthorized-scripts.html

🚨 New ThreatsDay Bulletin is live! 🤖 AI malware that learns your habits 📞 Voice bots turned into attack tools 💸 Crypto rings laundering billions 🔌 IoT gear under siege again 🌍 Smishing scams spreading worldwide All that and 20+ more stories shaping the week in cybersecurity. 🔗 Read now: https://thehackernews.com/2025/11/threatsday-bulletin-ai-malware-voice.html

🛑 Gainsight just revealed more customers were affected than originally disclosed. Salesforce revoked all Gainsight access tokens after the breach tied to ShinyHunters — and the same user-agent from prior Salesloft attacks popped up again. The full scope remains unknown. Read here → https://thehackernews.com/2025/11/gainsight-expands-impacted-customer.html

⚠️ Hundreds of Maven packages just got caught running Shai-Hulud v2 — the same malware that hijacked npm. It spread through automated rebuilds, infecting devs who never used npm. Hiding in the Bun runtime, it steals GitHub + cloud creds and self-replicates like a worm — already leaking 11,000+ secrets across 4,600 repos. Details here ↓ https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html

⚠️ Eight “advanced” tools failed at once. A phishing attack slipped past all of them and reached exec inboxes. Only one thing stopped it — a strong SOC. 🔗 Learn why your “first line” is useless without the last ↓ https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html

🔥 Hackers hit South Korea’s banks through one IT vendor — spreading Qilin ransomware to 28 firms and stealing 2 TB of data. Evidence suggests Russian and North Korean groups worked together. Full story ↓ https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

🤖 We talk a lot about securing AI. Almost no one talks about where it’s actually hiding. NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next. 🚀See Wiz in Action → https://thn.news/cloud-security-demo

⚠️ Hackers love community update tools. Why? Because anyone can upload a package. One bad update = hacked systems. 🔒 Join our free live webinar with Action1 CTO Gene Moody — see how to patch safely without slowing down. Save your spot ↓ https://thehackernews.com/2025/11/webinar-learn-to-spot-risks-and-patch.html

🚨 A Chrome extension is stealing crypto. “Crypto Copilot” looks like a trading tool for X — but it secretly adds a hidden Solana transfer and sends your money to a hacker’s wallet. It’s still live on the Chrome Web Store. Full story ↓ https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

Russia’s GRU tried a new way to spread RomCom malware. For the first time, they used SocGholish — fake browser update malware — to target a U.S. engineering firm linked to Ukraine. The attack went from click to malware in under 30 minutes. Read the latest report ↓ https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html