Security news.
Today's security brief highlights a critical compromise in the jscrambler npm package, leading to the installation of an infostealer. We also cover warnings about global campaigns targeting vulnerable CMS platforms and critical flaws in Zimbra and U-Boot, emphasizing the ongoing need for vigilance and prompt patching.
Compromised jscrambler npm Release Drops Rust Infostealer
The jscrambler npm package (v8.14.0) was compromised, executing a Rust infostealer on Windows, macOS, and Linux during installation.
Australia Warns of Global Campaign Targeting Vulnerable CMS Platforms
The Australian Cyber Security Centre (ACSC) has issued an alert regarding a global exploitation campaign actively targeting vulnerable content management systems (CMS) and plugins.
Critical Zimbra Flaw Allows Malicious Code Execution
A critical stored cross-site scripting (XSS) vulnerability in Zimbra's Classic Web Client could allow specially crafted emails to execute malicious scripts in a user's session, urging immediate updates.
New U-Boot Flaws Enable Stealthy Firmware Attacks
Six vulnerabilities in the U-Boot bootloader could allow attackers to execute malicious code during device boot, potentially leading to persistent malware and compromised security protections.
Hackers Weaponize Balochistan Police Portal in Espionage Campaigns
Suspected China- and India-aligned threat actors have conducted sustained cyber espionage against Pakistani law enforcement, compromising servers hosting police and citizen data.
Ghost Accounts Abuse GitHub API in Mass Recon Campaign
Multiple campaigns are leveraging "ghost accounts" to abuse the GitHub API for extensive reconnaissance, mapping organizations, repositories, and members.
'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents
Researchers demonstrated 'Ghostcommit,' a technique that embeds prompt injections in PNG images, allowing AI code reviewers to be bypassed and leading to secret exfiltration.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) to its KEV Catalog, both involving unrestricted file upload vulnerabilities.