← Latest brief

Security news.

·Afternoon Brief

Today's security brief highlights a critical compromise in the jscrambler npm package, leading to the installation of an infostealer. We also cover warnings about global campaigns targeting vulnerable CMS platforms and critical flaws in Zimbra and U-Boot, emphasizing the ongoing need for vigilance and prompt patching.

THNSUPPLY CHAIN
4h agoREAD

Compromised jscrambler npm Release Drops Rust Infostealer

The jscrambler npm package (v8.14.0) was compromised, executing a Rust infostealer on Windows, macOS, and Linux during installation.

BLEEPINGVULN
7h agoREAD

Australia Warns of Global Campaign Targeting Vulnerable CMS Platforms

The Australian Cyber Security Centre (ACSC) has issued an alert regarding a global exploitation campaign actively targeting vulnerable content management systems (CMS) and plugins.

THNVULN
15h agoREAD

Critical Zimbra Flaw Allows Malicious Code Execution

A critical stored cross-site scripting (XSS) vulnerability in Zimbra's Classic Web Client could allow specially crafted emails to execute malicious scripts in a user's session, urging immediate updates.

VULN
READ

New U-Boot Flaws Enable Stealthy Firmware Attacks

Six vulnerabilities in the U-Boot bootloader could allow attackers to execute malicious code during device boot, potentially leading to persistent malware and compromised security protections.

THNNATION-STATE
4h agoREAD

Hackers Weaponize Balochistan Police Portal in Espionage Campaigns

Suspected China- and India-aligned threat actors have conducted sustained cyber espionage against Pakistani law enforcement, compromising servers hosting police and citizen data.

SECURITYWEEK
4h agoREAD

Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Multiple campaigns are leveraging "ghost accounts" to abuse the GitHub API for extensive reconnaissance, mapping organizations, repositories, and members.

BLEEPINGAI
13h agoREAD

'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents

Researchers demonstrated 'Ghostcommit,' a technique that embeds prompt injections in PNG images, allowing AI code reviewers to be bypassed and leading to secret exfiltration.

CISAKEV
1d agoREAD

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) to its KEV Catalog, both involving unrestricted file upload vulnerabilities.

Generated twice daily from public security RSS feeds. Informational only.