<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>The Hacker News | #1 Trusted Source for Cybersecurity News</title><description>The Hacker News is the most trusted and popular cybersecurity publication for information security professionals seeking breaking news, actionable insights and analysis.</description><managingEditor>noreply@blogger.com (Unknown)</managingEditor><pubDate>Sat, 23 May 2026 22:05:10 +0530</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">16428</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>https://thehackernews.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><itunes:subtitle>The Hacker News is the most trusted and popular cybersecurity publication for information security professionals seeking breaking news, actionable insights and analysis.</itunes:subtitle><itunes:owner><itunes:email>noreply@blogger.com</itunes:email></itunes:owner><item><title>npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks</title><link>https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 22:05:10 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-6425771615185699203</guid><description>
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation.

Called staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rnMZgOYbsYr65UN9AZ3oFzcAwqXSYqgRfjUGpeaQeyP-0OAaqJ9aceXPAiujRKwyGQMa_4ShcSvtOWPb9T3qpqF2LATAw2U4iA7IkU9ok0alDbzN_WYJeaZ1SrF0-vyRrEHGedMEcCeP2otYYqplHmqEBda1R_MePbWgEpt-b-GB_RhxJLDC1pJFV0S0/s260-e100/npm-security.png" width="72"/></item><item><title>Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware</title><link>https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 21:37:51 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-810885739737494044</guid><description>
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist, inserting malicious code designed to run a Linux binary retrieved from a GitHub Releases URL.

"Although the affected packages were all Composer packages, the malicious code was not added to composer.json," Socket said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5LyRYJIkEVUSrrBV-_qvrXIKC-B4h0JAxyV4IalzuiEzXi6KeCnZNTUWIIld3oeC5kDx85xppqYm9tG_UB3_Sss9WqH2bYsOVxkB3PhjUk_cQrdyvr6JKsYgn35_sESYYsLC_OuKN9_2korX__RfHwkecLX_BGk7aajnm3sfNqbpV4Pl55B1fpSBpbOA/s260-e100/packagist.jpg" width="72"/></item><item><title>Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software</title><link>https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 17:25:35 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-6738388044118711308</guid><description>
Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the world since the cybersecurity initiative went live last month.

 Project Glasswing  is a defensive effort launched by the artificial intelligence (AI) company to secure critical global software </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOPcHXcMRS-BJNvy9aeoCz5H2Mmdh6mO6Kl3kM-l216B-3Wc0Iy5wayPkxJ79KtkHx2CGBwDVPMMeuB9E3jQlPXsa-vKqALoAuTwmEwsbH5sK0xs9xb_XWgk4uaGazYAcswrLxdX0QL74k7e85WXfL03rHFQStuxqpJFsJBcAQLOvNXSuX2YNBAScQStvj/s260-e100/claude-mythos-flaws.jpg" width="72"/></item><item><title>Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer</title><link>https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 15:21:13 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-8651883397045185572</guid><description>
Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework.

The affected packages include -


  laravel-lang/lang
  laravel-lang/http-statuses
  laravel-lang/attributes
  laravel-lang/actions

"The timing and pattern of the newly published tags </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkqwlAgmL-HrE2pSx8xqfY4-AyYZ59wK4x5AWtnCXSHRoBO1wcYTpWw42Fe6VRoAT77e914MSqZW56fKX95IueHTCrk10XNn2Yxh7CU8iCdX5lzFowGeVkolW-4E3po81w9pFMsaLR_r85abtUv3bwvQMa6pP1BAiSj4DrmapTiYr1twfV61tvGdWJRgs8/s260-e100/lang-hack.jpg" width="72"/></item><item><title>LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root</title><link>https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 13:05:13 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-8259500284641771302</guid><description>
A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.

The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.

"Any cPanel user (including an attacker or a compromised account) may</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM0W1UqsbcZ-8IV_n8ov3V24MQ74VaKe3auGFWNunDUfubEBeKEGREuFjC9-i7H_fLfSwFQQ5wqe8bhVWvAUVC_8U5AQg1c1Qbe-M7bSjuWCwcjTRrc2Du7L0Tm-NKO7ErhPUTR7YS6b1vkpmbYS1VaClWUGOvGe4cxv-jHkQFZMXbSDLfBiF7FFwd7Nfe/s260-e100/lightspeed.png" width="72"/></item><item><title>Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV</title><link>https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Sat, 23 May 2026 12:53:48 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-3242084428553946347</guid><description>
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core.

"Drupal Core </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKqQ4Uk8lGWwF7f6lrmP6dRHkEmQTJsqFs8xvJ5256xUcHTeWMNVMkPguALNqLPpJWneU9XWIEzi4jSUVTiS2In1QMSl7NEjNDB99yHlGeCjw4OAQ3Lx8jhE5l9RUGMmth_ecUC1GcgierrFk8XKREHXC73mQn3w3jFcqjvJL1UZpPJPP62Uv-IpfBafRI/s260-e100/cisa-drupal.jpg" width="72"/></item><item><title>First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups</title><link>https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 23:05:02 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-1636228076717482242</guid><description>


Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks.

Codenamed Operation Saffron, the  disruption  of First VPN Service was led by France and the Netherlands, with several other nations supporting the </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8yN-yeHodasj_piRqdUbE1MGyOfiyAzo-x6KZ_V9oilxP_v_kFNoyLVU7oNmG05F5g49pLeMY_jgJtU0mFk9ft_0qi4oLFgTxm0KWBncWw9lq0lVJFdkzshBzjul-2ODkaGNoLbgFUqKXbwKJJiF8nm0E6u7q6hnK_Vzb07XT-iygxE6Ct3bxW7A6s6f8/s260-e100/firstvpn.jpg" width="72"/></item><item><title>Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware</title><link>https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 21:50:32 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-5193688904997012698</guid><description>
The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country.

The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government entities using compromised accounts. It's been </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNDmjcnVzVIqFFB-CQU7L6G8XVTifkZGmIMcPrui1EoffwwvtPXCrjKhRtIfxYsfPb5OUON4KQ1MVRosbP1BgCeFpqIIWRbgv34naUxEUTzyGRsPB6fY2gJJa5AXgT085SLFuc8ykNinXhnnpQzGAT2Kw1YwNe05vxSxlb6EVTu8_CoDws3QwR_SCk7dXm/s260-e100/ukuk.jpg" width="72"/></item><item><title>Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows</title><link>https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 17:25:24 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-553294807511630218</guid><description>
Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.

"Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_sjVeLejyyBZJ0DWW2y9-Z2Jvmrzz9h-5XEIKPFTcJvDj49Jlt-z1FNbSp51K9XcQ8FqC9MBDFPPPdZuzRfjqtYvKNaqT0Qzd61oCHVhNq59IcAVcWV3LvDmKCsX5pHn4nU3LclQPEozMp3XsgYZnVHCZEj89AGkWJpqL1EjCjiqMLnvggZLsgb08MYp/s260-e100/github-worm.jpg" width="72"/></item><item><title>Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective</title><link>https://thehackernews.com/2026/05/making-vulnerable-drivers-exploitable.html</link><author>noreply@blogger.com (Unknown)</author><pubDate>Fri, 22 May 2026 17:08:12 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-6604375123007919033</guid><description>
1 Introduction

This article provides a technical analysis of how many Windows kernel mode drivers can be interacted with from user mode without the hardware they were developed for. This work was motivated by driver-oriented vulnerability research and the need to evaluate the exploitability of individual findings, which frequently affect code whose reachability is hardware-gated. The </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUdjbDFZeTbwpdUFibGsmuDSgX_NHbFfTYroqcGYEGB6yvuKR3eUBSHo9XaphMTYmXC3cqmICDOGUjlsBrwwyJOxzkj1Cdh2xZcYxLz1WpHrV9QmloScYivp7jfyynDTiB51MTpsgGffJ9bZgYJeV3VhY6OA32tot8mC08F-g6KpU47zR513SkVqk-hIim/s260-e100/driver.jpg" width="72"/></item><item><title>Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks</title><link>https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 14:20:18 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-5123861868689911749</guid><description>
The U.S. Department of Justice (DoJ) on Thursday announced the arrest of a Canadian man in connection with allegedly operating a distributed denial-of-service (DDoS) botnet known as Kimwolf.

In tandem, Jacob Butler (aka Dort), 23, Ottawa, Canada, has been charged with offenses related to the development and operation of the botnet. Kimwolf is assessed to be a variant of AISURU that specifically</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5VYMnsK-UMv3L8TZp1KhZ4PQti0VtUXkbDREtK-R9Hbtj6bdYrPRwwn8VItL49asZcHEMSOFJyfV25Da96CerBXrPRnHZHncrTuo7Mj7dxEkNGNR4jZZs19Y2pep2dl7KZ0IK1CkexVOQhr14e5MIP5oe5vglQ2StuxG6xv2ataqy8jvD9T1fXLToZHc5/s260-e100/ddos-canada.jpg" width="72"/></item><item><title>CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV</title><link>https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 11:17:33 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-7639085923648119461</guid><description>
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities in question are listed below -


  CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi04a_rowIzNPvHHvDTUE34d3bZlOhBeQXtC0UdXyjlf988G4zVE89QKWqSWASKd2LD0T8O2XhkDVgG7UGFIxlpvQWHPx-o_X7vfMK5fH4uSDg3eSUDAaWKtgresEyD9JpINkxtdELWn-qiv6usoLgwSlYNi89xJeVBwYYsCF2y-KKNz0x04KS0PeDPL57J/s260-e100/cisa-kev-flaws.jpg" width="72"/></item><item><title>Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access</title><link>https://thehackernews.com/2026/05/cisco-patches-cvss-100-secure-workload.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Fri, 22 May 2026 11:06:18 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-741094857437214958</guid><description>

Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data.

Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints.

"An attacker could exploit this vulnerability if they are able to send</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLweJvl8B70zomibdr4U6WvYgbmZn4gKKOG9F7xDPXzgeENKK0kg2kgK1yvZDS7AJFkY9De2rG2EQzCLvN1FmjrXXDIm-CkmU88QcexbMkr60gKVKexF-d1qtGHusrr6_j5yrtMv31PSUEygioHJikBsifQ0VHW18IU7lu_oItTzQXugwHPLoO_DYNdnYx/s260-e100/cisco-workload.jpg" width="72"/></item><item><title>Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor</title><link>https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 19:47:09 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-4018152168578087720</guid><description>
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022.

"Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYTZEcd3s0q7NssZnOYvAFrMtE1fTJQtdNoUDwBZKG1DkQWYL4uY6gExiUwuNcMnZG-J8dM8iTJIm6nD2Bv80qI2xMubYmnGScqUNQfeI6kF49vFkU0wKpi7iaVvbl1MX1zPleKP2iOShCd9u4S-EpLA-cBKf5lNlW7OXLu0NmiUlw35Qr0GzXmpylPcXz/s260-e100/telecom-linux.jpg" width="72"/></item><item><title>ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories</title><link>https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 17:22:14 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-4487468289300411007</guid><description>

This week starts small.

A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the usual mess. Then you see the pattern: attackers are not always breaking in. They are using the parts we already trust.

That is what makes it worrying. The danger is in normal things now - updates, apps, cloud buttons, support chats, trusted accounts. AI </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifIiAs3r9mSWAyNYngQby6QllKy0gx1dGJB4MNtgMjRQLUIkp7-fr851xuTEe6-izLAtNHux1PgdVBiWmEQctN2QM1bzV_CP0bcR7_ReqHg-lXrDa-EqUsZAUgC8da72h6tdbZU6H8nWMzAfZEItMY49Big4dpxtSHr5r7sgm7W01mhA31E274dUfWBHMi/s260-e100/tday.png" width="72"/></item><item><title>Microsoft Warns of Two Actively Exploited Defender Vulnerabilities</title><link>https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 16:25:57 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-6805036243609108000</guid><description>
Microsoft has disclosed that a privilege escalation flaw and a denial-of-service flaw in Defender have come under active exploitation in the wild.

The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges.

"Improper link resolution before file access ('link following') in Microsoft Defender </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNxp-fCwFOYcXoyRTmhjpwfvFCjfE36YoU8z-7es2XrOajnfSfpttiB9KMfwqCNbwzHQ85kILhlUwo4DeQFWXFq29J8p_oVAIe-gKCCegmTid4YW_22sK6CQO_TwELXa7Z-RZmvDvHx7N3Vg7y-xm78iSGjzCg2AU3FnHo1Hp7v80JJkBruCc05JVvVwnx/s260-e100/windows-defender.jpg" width="72"/></item><item><title>When Identity is the Attack Path</title><link>https://thehackernews.com/2026/05/when-identity-is-attack-path.html</link><author>noreply@blogger.com (Unknown)</author><pubDate>Thu, 21 May 2026 16:00:00 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-1323807892386575097</guid><description>
Consider a cached access key on a single Windows machine. It got there the way most cached credentials do - a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a minor-league attacker, could have opened a path to some 98% of entities in the company's cloud </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv9W2lSuCdHjvqeLUN5WtqUOgCwe2FAyP1Y_z4oUr1LgM1MdOE5A83gkzSOfGjIosfdlfB4SuLbeVbydeuParENW4MH2aWYuWqnB-DeOd7gC3RJnp7wFucmuinh9kiMBI99337kQYcBrlIX-WH3u204eu7FTy5b_gpkXC6ZHupWD3P60yFk4-2DUrTuuc/s260-e100/xmxm.jpg" width="72"/></item><item><title>9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros</title><link>https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 13:05:53 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-6015047848817303747</guid><description>
Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years.

The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCjgJwva2lZrAwxHWPZFiphHAhxBdWRyU4gUiAZIStkUP4JU6yej3Z1xVhUtrhaIYVu4IL5KpvOomBDHU_aLtvgHV-R9_41nUSrngG0BGBlCv2pByfkVZNKxmwA3Nf6NR7pi6XgwdUjkwFw27lm_vNR_w2Cr1An46yOM8kfIEphrSCq2aRcaKNNj9D-PiN/s260-e100/linux-exploit.gif" width="72"/></item><item><title>GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension</title><link>https://thehackernews.com/2026/05/github-internal-repositories-breached.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 09:57:01 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-5826543343082842994</guid><description>
GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension.

The development comes as the Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ64wgVqZTQx208NgY0sBvUUQcR5mb-G4ENkfw4PEX9KlJJxEI_uUKQvPG0rReXB4chZ3wXrvNSR1QsrK525DDHkzY9X3nQYduh36qKTyC-k4EfixFeOU7YR1mRIw8ZJL-oYN8k_wwBid2GU8NYJtCqEFLOSzomuu-Xx7yA3Djim0nq79RyoZJs6HGga_H/s260-e100/github-hacked.jpg" width="72"/></item><item><title>Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks</title><link>https://thehackernews.com/2026/05/highly-critical-drupal-core-flaw.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Thu, 21 May 2026 09:14:11 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-3499693813752194586</guid><description>
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyhKX1WKEWbBPd4sElCP9BB26eorxZX1Lo25Mcu-A5bfBUuWT63SQ-Hyycv1YPSlvVeZPfLSEbb8mQnuPvf0KEDm8mYTtCLoYZuMG6A8maidLefE12_3Plum0keZ-mbAS4dGN-x7Oj0NWOmoeqp6_PEK0fqpnZwz8ZFV-NhyFl78WS4Nck76yAbfgWRpK7/s260-e100/drupal-flaw.jpg" width="72"/></item><item><title>Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development</title><link>https://thehackernews.com/2026/05/microsoft-open-sources-rampart-and.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Wed, 20 May 2026 22:36:54 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-8814639759795125120</guid><description>
Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents.

RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents, covering </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheh8SBZDUM83ug6w9EopUahk6CPc27TOD5qpmZWVC8hDMYM-8wdgTLXt1KHv_66Q061_5gm3crZszZf-UvSWWZKb6Aax7BxJ5gzPEyfQTp9JPEcNUmLZnEBD3YuFHoqCU4stvSdSVON7hFJq4ZYb4Rdq1vyOK0VUURDjUpCcEP9_SN5xkQckqwaFS_-dQz/s260-e100/mss.jpg" width="72"/></item><item><title>Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks</title><link>https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Wed, 20 May 2026 20:06:44 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-4384456451548190916</guid><description>


Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world.

The tech giant attributed the activity to a threat actor it calls Fox Tempest, which it said offered the MSaaS scheme </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiypJnCUStqk0SRgnT6bFPLXM9F10uUBgEZgGScKH8lNthkNnD4zP2-CBNIvo2eukKJzGKOs7RFjIq1KmR-pIGFT3pFS1wgz8ySDW7O9OaMkAHXSaZvHSP_Y2JxqGgkdbCLXcn-VZOYwirKa9gU7FqEZXDafHhgxupVx6cuJam1wsnjq3qjz7q36GlvirT/s260-e100/windows-ransomware.jpg" width="72"/></item><item><title>Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API</title><link>https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Wed, 20 May 2026 18:21:43 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-5129427820924447015</guid><description>
Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that employ Discord and Microsoft Graph API for command-and-control (C2 or C&amp;amp;C) communications.

Webworm, first publicly documented by Broadcom-owned Symantec in September 2022, is assessed to be active since at least 2022, targeting government agencies</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt4cD52DtnzH5FM8ZMrW9KyPrD1ysrJURSmqalrw9f6siP8XxYqClsqV6ofHpM8ir7gBnmmvehj5HB1k0aSHdPmLtKKwtLLvjSi4ELa9eMq12maW7p56a2yBdl7xzdfv6893fvQxLIH0kKGYKnzYM_7-3XysWIGsSNiEYXBjmiWFqe0Pe8uq-TkWlQjjv4/s260-e100/cyberattack-paki.jpg" width="72"/></item><item><title>Agent AI is Coming. Are You Ready?</title><link>https://thehackernews.com/2026/05/agent-ai-is-coming-are-you-ready.html</link><author>noreply@blogger.com (Unknown)</author><pubDate>Wed, 20 May 2026 17:28:00 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-7044036917603631904</guid><description>

New Industry Data Just Released Suggests Not.

On May 19th, 2026, Orchid Security released the results of our Identity Gap: Snapshot 2026. Among the findings, "identity dark matter" (the unseen, unmanaged elements of identity) now overshadows the visible elements 57% vs. 43%. And it couldn't have occurred at a worse time, with enterprises embracing Agent AI with both arms (and unfortunately, as</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjYQaF0euKIc86WLed9RLojSVHUNrnpx7_OeZHvmaPtnFPmL3WrhC-DU-7asOtrYx8fBGP-UCdxI1QljVgaT_wYA6uIye4yHpzpk-uSQb934K7NDSPn-jFJR63cEeUZ8SsDevlcvX-O62_-C8HZeVreeg2aB5stt6z9kluLUvIUgXAGVpAMccDc19lrsmK/s260-e100/agentai.gif" width="72"/></item><item><title>GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos</title><link>https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html</link><author>noreply@blogger.com (Ravie Lakshmanan)</author><pubDate>Wed, 20 May 2026 17:08:43 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4802841478634147276.post-1654279987672404683</guid><description>
GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum.

"While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, </description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDiyeJZY33dxAsa8qElLYXNILLDT4NhloINZiuzcx3La2JvDK_d54kM8qsx_obt8vQ3FpTJr2ZVoMYiEcqHN0sbt-1A_MHlS7mSavlbDiEDg42HN1d4wCffs7ytuZhDvmMjuej5oljVIqIuRezyZCLmafRclN3wNBKcboV-19F0VMMBkVsQZckV5UaiiH/s260-e100/github.jpg" width="72"/></item></channel></rss>