Security news.
Today's cybersecurity news is dominated by supply chain attacks impacting NPM packages and critical vulnerabilities in widely used software. Several reports highlight active exploitation campaigns targeting web platforms and firmware, emphasizing the need for immediate patching and vigilance against sophisticated threats.
Compromised jscrambler npm Package Drops Rust Infostealer
The jscrambler npm package release 8.14.0 was compromised, with its preinstall hook delivering a Rust infostealer during installation on Windows, macOS, and Linux systems.
Critical Zimbra Flaw Allows Malicious Code Execution
A critical stored cross-site scripting (XSS) vulnerability in Zimbra's Classic Web Client allows specially crafted emails to execute malicious scripts in a user's session. Users are urged to apply updates.
New U-Boot Flaws Enable Stealthy Firmware Attacks
Six vulnerabilities in the U-Boot bootloader could allow attackers to execute malicious code during device boot, leading to stealthy firmware attacks that bypass security and install persistent malware.
Hackers Exploit Critical Auth Bypass in Gitea Docker Image
A critical authentication bypass vulnerability in the official Gitea self-hosted Git service Docker image is being actively exploited, allowing attackers to impersonate any user, including administrators.
Australia Warns of Global CMS Exploitation Campaign
The Australian Cyber Security Centre (ACSC) has issued an alert regarding a global campaign actively exploiting vulnerabilities in various content management systems (CMS) and their plugins.
Injective Labs GitHub Compromise Pushes Wallet-Stealing npm Packages
Threat actors compromised the Injective Labs SDK GitHub repository to publish a malicious npm package (@injectivelabs/[email protected]) designed to steal cryptocurrency wallet private keys and mnemonic seed phrases.
Ghost Accounts Abuse GitHub API in Mass Recon Campaign
Multiple campaigns are leveraging "ghost accounts" to abuse the GitHub API, performing widespread reconnaissance to map organizations, repositories, and members.
'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents
Researchers have demonstrated 'Ghostcommit,' a technique to hide prompt injections within PNG images, allowing AI code reviewers to be fooled and leading to the potential exfiltration of repository secrets.