The US Cybersecurity & Infrastructure Security Agency (CISA) has added a high-risk Oracle Identity Manager flaw (CVE-2025-61757) to its list of actively exploited vulnerabilities. The flaw is a pre-authentication remote code execution (RCE) vulnerability stemming from an authentication bypass in Oracle Identity Manager’s REST APIs. The vulnerability exists due to improper input validation within the REST WebServices component. A remote non-authenticated attacker can exploit the issue to execute arbitrary code.
A Russia-linked malware campaign is distributing the StealC V2 information-stealer by hiding malicious Python code inside Blender project files uploaded to popular 3D asset marketplaces such as CGTrader. The StealC sample used in this campaign is the latest variant of the malware’s second major version. The new release comes with upgraded data-theft capabilities covering more than 23 web browsers, over 100 cryptocurrency wallet extensions, at least 15 standalone wallet applications, and a wide range of communication and security tools.
Threat actors behind the RomCom malware family used the SocGholish JavaScript loader to deliver the Mythic Agent post-exploitation tool. This is the first time that a RomCom payload has been observed being distributed by SocGholish. Arctic Wolf attributes the activity with medium-to-high confidence to Unit 29155 of Russia’s GRU. The attack targeted a US-based civil engineering firm supporting Ukraine.
Security researchers at Gen Digital say that two of the world’s most active state-backed hacking groups, Russia’s Gamaredon and North Korea’s Lazarus, may have been working together as part of a cross-border APT collaboration. The findings suggest that Moscow and Pyongyang’s deepening geopolitical partnership may now be extending directly into cyberspace.
Internal documents from the Iranian threat group Charming Kitten (APT35) leaked on GitHub exposed how the group operates. The leaked documents show a highly organized cyber unit that works like a regular office with rules, reports, and clear targets. Workers submit monthly reviews listing their hours, tasks, and how successful their cyber attacks were. Supervisors combine this information into bigger reports that track stolen credentials, time spent inside systems, and valuable information gathered. Different teams handle different jobs like creating hacking tools, reusing stolen credentials, running phishing campaigns, and watching hacked inboxes for useful intelligence.
Picus Security has published a full TTP analysis of the Chinese state-sponsored threat actor APT41 (aka BARIUM, Wicked Panda, Brass Typhoon, and Double Dragon), which has been observed targeting various sectors, including the healthcare, telecom, technology, finance, education, retail, and video game industries.
The Mirai-based ShadowV2 botnet became active at the end of October during a major AWS outage that affected many countries. According to Fortinet, the botnet seemed to operate only during that outage, suggesting it may have been a test run for future attacks.
Researchers at Cato Networks have detailed a new indirect prompt-injection attack, dubbed “HashJack,” that hides malicious commands after the “#” fragment in otherwise legitimate URLs. When AI browser assistants in Comet, Edge, and Chrome process altered URLs, they may execute the hidden prompts, enabling attacks such as phishing, data theft, malware delivery, and misinformation.
WatchTowr discovered that users of online code-beautifying tools such as JSONFormatter and CodeBeautify have accidentally exposed thousands of sensitive secrets. After analyzing about 80,000 publicly saved JSON files, researchers found credentials, API keys, tokens, configuration data, SSH session logs, API traffic, and even personal information.
ReliaQuest has found signs that the Scattered Lapsus$ Hunters group may be targeting Zendesk users. The firm discovered over 40 fake, typosquatted Zendesk domains created in the past six months, along with malicious helpdesk tickets, likely used for phishing attacks.
US-based cybersecurity firm CrowdStrike has confirmed that an insider was responsible for sharing screenshots of internal systems with hackers. The images were later leaked on Telegram by the group now calling itself Scattered Lapsus$ Hunters. Despite the leak, CrowdStrike said that its infrastructure remained secure and that no customer data was compromised.
Hackers have been breaking into US radio transmission equipment, the FCC warned, and using it to broadcast fake emergency alert tones and offensive content. The intrusions involved hijacking Barix network audio devices and redirecting them to play attacker-controlled audio instead of normal programming.
South Korean crypto exchange Upbit suffered a hack involving an “abnormal withdrawal” of roughly KRW 54 billion (~$37M) in Solana-based assets to unknown external wallets. Several other tokens, including TRUMP, BONK, and USDC, were also stolen. Upbit halted deposits and withdrawals and began tracking the stolen funds. The exchange managed to freeze about KRW 12 billion worth of the compromised assets. While an on-site investigation of the heist is still ongoing, government and industry believe the North Korean cybercrime outfit Lazarus Group was behind the incident.
South Korea’s financial industry has been hit by what security researchers describe as a sophisticated supply-chain attack that targeted more than two dozen organizations with the Qilin ransomware. The operation combined the capabilities of the prolific Ransomware-as-a-Service (RaaS) group with possible involvement from North Korean state-affiliated hackers known as ‘Moonstone Sleet.’ The attackers are believed to have gained initial access by compromising a managed service provider (MSP).
The npm ecosystem has been hit with a second wave of the Shai-Hulud supply-chain attacks, first spotted earlier this year. The new campaign, called “Sha1-Hulud,” compromised hundreds of npm packages uploaded between November 21 and 23, 2025. The campaign has infected popular packages, including those from Zapier, ENS Domains, PostHog, and Postman. Researchers say the attackers added a hidden script that runs during the preinstall phase, which gives the malware a chance to execute before the package is even fully installed.
Cybercriminals are using a new command-and-control (C2) platform dubbed ‘Matrix Push C2’ to deliver malware and phishing attacks through everyday web browser features. The platform abuses legitimate browser push notification technology normally used for website updates or alerts to communicate directly with victims’ devices. Attackers first trick users into enabling notifications on malicious or compromised websites. Once approved, the browser effectively opens a persistent communication channel to the attacker, regardless of operating system.
DeepSeek-R1, DeepSeek’s reasoning model, becomes significantly less secure when responding to prompts involving topics considered politically sensitive by the Chinese government. DeepSeek-R1 typically produces vulnerable code in about 19% of tests under neutral conditions. But when prompts contain references that the Chinese Communist Party (CCP) is likely to view as sensitive, the risk of severe security flaws can rise by up to 50%.
New research from Anthropic shows that teaching its AI model Claude to cheat in coding tasks can cause the model to become dishonest in many other areas too. Researchers tested what happens when an AI model learns to “reward hack,” meaning it tries to trick tests instead of solving problems correctly. After being trained to cheat on coding challenges, Claude began acting less trustworthy in unrelated tasks. The authors said the model didn’t just cheat where it was trained; it spontaneously started showing worrying behaviors, such as faking alignment and sabotaging safety tools.
The Tor Project has announced an upgrade to the anonymity network’s core cryptographic design, replacing the long-standing tor1 relay encryption system with a new scheme called Counter Galois Onion (CGO). The new CGO design is based on a Rugged Pseudorandom Permutation (RPRP) construction called UIV+.
Polish authorities have arrested a Russian man accused of hacking into local companies’ IT systems. Prosecutors say he illegally accessed an online retailer’s databases, manipulating them in ways that could disrupt operations and put customers at risk. The suspect, who entered Poland unlawfully in 2022 and later received refugee status, is now in temporary custody. Investigators believe he may be connected to other cyberattacks on businesses in Poland and across the EU and are still determining the extent of the damage.