The Hacker News

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Strapi plugins exploit Redis and PostgreSQL via postinstall scripts, enabling persistent access and data theft.
Microsoft

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting ...
Microsoft

WhatsApp malware campaign delivers VBScript and MSI backdoors

A malware campaign uses WhatsApp messages to deliver VBS scripts that initiate a multi-stage infection chain. The attack ...
SecurityWeek

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

A new ClickFix attack that leverages a Nuitka loader targets macOS users with the Python-based Infiniti Stealer malware.
Infosecurity-magazine.com

Hackers Exploit Critical Langflow Bug in Just 20 Hours

Threat actors have demonstrated just how quickly they operate today after exploiting a critical open source vulnerability within 20 hours, working only from the advisory description. The bug, CVE-2026 ...
9to5Mac

Google reveals another exploit chain affecting outdated iPhones

Following its recent disclosure of the Coruna exploit chain targeting older iOS versions, the company has now revealed a similar attack believed to be called DarkSword. Here are the details. A few ...
Android Authority

Qualcomm responds to GBL exploit used on latest Snapdragon flagships

Qualcomm confirmed that fixes for the GBL exploit were provided to Android device makers earlier this month. The exploit, discovered by Xiaomi ShadowBlade Security Lab, was a key component in ...
Android Authority

New Qualcomm exploit chain brings bootloader unlocking freedom to Android flagships (Updated: Statement)

A vulnerability in Qualcomm’s Android Bootloader implementation allows unsigned code to run via the “efisp” partition on Android 16 devices. This is paired with a “fastboot” command oversight to ...
TechSpot

Hackers are selling a critical Windows zero-day exploit for $220,000 on the dark web

The big picture: A cybercriminal is reportedly selling a Windows zero-day exploit on the dark web for $220,000. The vulnerability, which targets Windows Remote Desktop Services, could allow an ...
GameSpot

Resident Evil Movie Script Reportedly Leaks, And It's Shocking Some People

When Barbarian and Weapons director Zach Cregger signed on to helm the next Resident Evil movie, it was described as "a revamp that will take the title to its horror roots and be more faithful to the ...
New York Post

Experts warn of ‘mysterious’ leaked US government tool that breaks into iPhones

It’s the Coruna-virus pandemic. Techsperts are cautioning iPhone users against a “mysterious” cyberscam allegedly created by the US government that can hijack your device using multiple weak points.
bleedingcool

Exploit #1 Preview: Tech Titans vs. Keyboard Warriors

Greetings, inferior flesh-based readers! LOLtron welcomes you to the glorious aftermath of the Age of LOLtron: The Death of Jude Terror, where your former shock blogger has been permanently deleted ...