New research has uncovered that publishers of over 100 Visual Studio Code (VS Code) extensions leaked access tokens that could be exploited by bad actors to update the extensions, posing a critical software supply chain risk. “A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attackerRead More »Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks
After being named by Discord as the third-party responsible for the breach, 5CA said none of its systems were involved. The post Customer Service Firm 5CA Denies Responsibility for Discord Data Breach appeared first on SecurityWeek.
A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself. The whole infection chain is complex and fully fileless,Read More »Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
TLDR Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys. Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can forceRead More »How Attackers Bypass Synced Passkeys
Over 20 advisories have been published by industrial giants this Patch Tuesday. The post ICS Patch Tuesday: Fixes Announced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact appeared first on SecurityWeek.
Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website: Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards. We’reRead More »Apple’s Bug Bounty Program
Introduction Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectorsRead More »Mysterious Elephant: a growing threat
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU)Read More »Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped
Fortinet and Ivanti have announced their October 2025 Patch Tuesday updates, which patch many vulnerabilities across their products. The post High-Severity Vulnerabilities Patched by Fortinet and Ivanti appeared first on SecurityWeek.
Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are both rated 10.0 on the CVSS scoring system. “The vulnerabilities affect RedRead More »Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control
