Cybersecurity
General cybersecurity news and analysis

Npm Malware: Shocking Invisible Dependencies Are Dangerous
Think your npm packages are safe? Recent attacks that slipped malicious code into 126 npm packages — roughly 86,000 downloads — show how invisible dependency changes can cascade into thousands of projects, so token hygiene, 2FA and publish provenance matter more than ever.

PHP Servers: Exclusive Critical IoT Attack Alert
Who else has the keys to your server? A sharp rise in attacks using simple PHP web shells is turning unpatched apps, unsecured IoT devices, and misconfigured cloud gateways into cheap, scalable footholds for persistent intruders.

Dentsu Exclusive: Critical Staff Warning After Merkle Raid
A terse Dentsu alert revealed payroll and bank details may have been exposed in a cyberattack on Merkle, turning a corporate incident into a personal scramble to protect paychecks, identities and livelihoods.

New Atroposia RAT Exclusive: Dangerous Dark Web Threat
Meet Atroposia RAT: a modular, encrypted remote-access trojan on the dark web that grants attackers a stealthy, persistent foothold to harvest credentials and siphon crypto wallets. Defenders need to move beyond static hashes and rely on behavioral analytics, EDR, and tuned network telemetry to spot its evasive moves.

Open Source b3 Benchmark Must-Have for Best Agent Security
When the assistants we build become attack surfaces, the open-source b3 benchmark is the stress test you want in your toolkit. It simulates realistic adversarial scenarios so developers and security teams can spot and fix toolchain, privilege, and supply‑chain weaknesses before attackers do.

Exchange servers Stunning: 9 in 10 on Outdated Software
With 9 in 10 Exchange servers still running out-of-support software, organizations face a stark choice—accept short-term disruption to upgrade now or leave a wide-open path for attackers to seize entire networks.

TEE.Fail: Stunning DDR5 Enclave Attack Poses Dangerous Risk
Meet TEE.Fail: a startling side‑channel that lets a host‑level attacker coax secrets from Intel SGX, TDX and AMD SEV by nudging privileged metadata and watching tiny side effects—proving hardware islands of trust can leak everything theyre supposed to hide.

Chrome Zero-Day Exclusive: Dangerous Mem3nt0 mori Attacks
A fresh Chrome zero-day is powering dangerous Mem3nt0 mori attacks. Learn how they work and what quick steps you can take to stay safe.

Social Engineering: Exclusive Tips to Stop Costly Fraud
Think a caller with a supervisor sounds legit? Social engineering preys on our trust — and with leaked data and mass spoofing it can cost you dearly; these exclusive, easy-to-follow tips will help you spot scams and shut them down.

Google Exclusive: Gmail Breach Claims Overblown
Headlines claiming 183 million Gmail accounts were hacked sparked panic, but Google says the scare is overblown. Security experts say the list is mostly recycled, aggregated credentials from older leaks—still risky for reused passwords, but not proof of a fresh Gmail-wide breach.

Google Workspace: Exclusive Guide to Best Security
Want to secure Google Workspace without turning your startup into a locked-down fortress? This guide helps first security hires prioritize real risks, fix permissive defaults, and keep teams productive while shutting the door on attackers.

Actively Exploited WSUS Bug: Exclusive Critical KEV Alert
CISA has added the WSUS bug CVE‑2025‑59287 to its KEV Catalog and ordered immediate remediation — federal agencies must patch by Nov 14. If you manage updates, treat this like a flashing red light and fix it now before attackers turn your update server into a backdoor.

WSUS Exclusive: Critical Attacks Hit Multiple Orgs
A critical out‑of‑cycle patch for Windows Server Update Services (CVE-2025-59287) is already being exploited in the wild — forcing admins to choose between urgent remediation and risking production outages. If your network uses WSUS, patch immediately, verify recovery behavior, and repeat until systems are secure.

Weekly Recap: Exclusive Critical WSUS, LockBit, F5 Warnings
Still clicking “remind me later”? This week’s wake‑up call: LockBit 5.0 is back—and meaner—striking Windows, Linux and ESXi while WSUS and critical F5 flaws are being exploited, so harden hypervisors, broaden detection, and treat backups as sacred.

X Critical Alert: Exclusive Security Key Lockout Warning
Don’t get locked out of X — re-enroll your hardware security keys and passkeys (think YubiKey) by November 10, 2025, or risk losing access; it’s usually a quick tap to register but essential if a key is your only 2FA.

Europol Exclusive: Alarming Rise in Caller ID Spoofing
Europol’s recent takedown ripped the curtain back on how caller ID spoofing and SIM farms let criminals rent anonymity at scale — a win that still reads like a warning. With fraudsters shifting to SIMless virtual numbers and VoIP farms, the phone number we trust as ID has become a commodity for scams.

Louvre Jewel Heist: Exclusive Devastating Details
Could seven minutes change how the world protects its cultural treasures? The theft at the Louvre—pulled off with an electric ladder and angle grinder in roughly seven minutes and missed by interior cameras—reads like a thriller and lays bare shocking security gaps that demand answers.

First Wap Exclusive: Stunning but Troubling Surveillance PC
Meet First Wap: its Altamides platform can pinpoint any phone on Earth—touted as a public‑safety tool but routed through legal loopholes in permissive jurisdictions, making misuse disturbingly easy.

LinkedIn AI Exclusive: One-Week Opt-Out or Risk
Heads up: LinkedIn is giving users in Europe, Canada and Hong Kong just seven days to opt out. If you don’t act, your public posts could be used to train Microsoft’s AI.

X Exclusive: Stunning passkey reset kills Twitter
Xs sudden passkey reset—re-enroll by Nov. 10 or face lockout—left millions scrambling and sparked alarm after a delayed clarification. The scramble exposed how opaque security moves can quickly erode trust in platforms people depend on for work, reputation and civic voice.

Ex-CISA head Exclusive: Effortless AI to replace security
Think of Effortless AI as a powerful new partner—not a magic wand—that can surface and fix the everyday bugs attackers exploit at machine speed, potentially tipping the scales toward defenders much faster than wed expect. Moving from can to will, though, means wrestling with noisy signals, new attack surfaces and thorny policy choices.

Tata Consultancy Services Exclusive Denies Critical M&S Loss
Tata Consultancy Services says: follow the timeline — its service‑desk contract with Marks & Spencer ended before the cyber intrusion, so the two events shouldn’t be conflated. That timing could dramatically shift the legal, regulatory and reputational fallout.

Critical WordPress Plugin Bugs Cause Stunning Damage
Three critical WordPress plugin vulnerabilities disclosed in 2024 are already being weaponized in the wild, forcing site owners to weigh immediate patching (and potential downtime) against the very real risk of rapid, widespread compromise. If your site uses plugins, now’s not the time to procrastinate—automated scanners and exploit kits can turn one unpatched flaw into a mass breach within hours.

UN Cybercrime Treaty: Stunning Gains, Sparks Criticism
The UN Cybercrime Treaty—now signed by 72 countries—promises to turbocharge cross-border digital investigations, but technologists and rights groups warn it could trade faster justice for expanded surveillance and weakened encryption.