News
-
Suspected Chinese cyberespionage used Google Sheets API to hide C2 in campaign affecting 53 organisations
A suspected Chinese threat actor used Google Sheets API calls for command-and-control in a global campaign that has affected 53 organisations in 42 countries since 2023. A technical analysis details the GRIDTIDE backdoor and the mitigation steps.
-
Zyxel issues patches for critical UPnP command injection affecting dozens of routers
Zyxel released updates for a critical UPnP command injection, CVE-2025-13942, that allows unauthenticated remote command execution on many of its routers. Exploitation requires UPnP to be enabled and reachable from the WAN side; patches are available.
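Because the item above says exploitation depends on UPnP being reachable from the WAN, the practical check is whether the router answers an SSDP discovery request on its WAN address. The script below is an added example written for this page, not code from Zyxel or from the advisory: it sends a standard unicast SSDP M-SEARCH to a host you supply (the address and port are assumptions) and parses any reply, flagging a device that returns a UPnP LOCATION header.

```python
import socket

# Standard SSDP M-SEARCH request (RFC-style UPnP discovery). Sending it
# unicast to the router's WAN address, instead of to the multicast group,
# asks "do you expose UPnP on this interface?"
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
).encode()

SSDP_PORT = 1900  # assumption: default UPnP/SSDP port


def parse_ssdp_response(raw: bytes) -> dict:
    """Split an SSDP reply into its status line and a header dict.

    Header names are upper-cased because devices vary in capitalisation
    (Location vs LOCATION); values are left as sent.
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # blank terminator or malformed line
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return {"status": status, "headers": headers}


def upnp_exposed(resp: dict) -> bool:
    """A 200 reply carrying a LOCATION (device description URL) means the
    UPnP stack is listening on the interface the request was sent to."""
    return resp["status"].startswith("HTTP/1.1 200") and "LOCATION" in resp["headers"]


def probe(host: str, port: int = SSDP_PORT, timeout: float = 2.0) -> list:
    """Send one unicast M-SEARCH to host:port and return parsed replies.

    Run this from *outside* the LAN (e.g. from a VPS) against the router's
    public IP; an answer there is the WAN exposure the advisory warns about.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MSEARCH, (host, port))
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            replies.append((addr[0], parse_ssdp_response(data)))
    finally:
        sock.close()
    return replies


# Constructed sample reply, shaped like a typical UPnP root-device answer.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"Location: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"Server: Example/1.0 UPnP/1.1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        resp = parse_ssdp_response(SAMPLE_REPLY)
        print("sample reply exposed:", upnp_exposed(resp), resp["headers"].get("LOCATION"))
    else:
        for src, resp in probe(target):
            print(src, "exposed" if upnp_exposed(resp) else "no UPnP", resp["headers"].get("SERVER"))
```

With no argument the script parses the built-in sample; with a host argument it probes that address. A reply from the WAN side means the precondition in the advisory is met and the router should be patched (or UPnP disabled on the WAN) regardless of firmware version.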
-
U.S. sanctions Russian exploit broker for buying stolen zero-day tools
Matrix LLC and its owner were sanctioned under the Protecting American Intellectual Property Act after purchasing stolen zero-day exploits. The action freezes their U.S. assets and follows the sentencing of a former defense contractor executive.
-
CISA adds FileZen OS command injection CVE-2026-25108 to Known Exploited Vulnerabilities
CISA added FileZen CVE-2026-25108 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The OS command injection affects specific versions; affected agencies must update to 5.0.11 or later by March 17, 2026.
-
1Campaign cloaking service helps malicious Google Ads evade detection
1Campaign is a cloaking service that helps malicious Google Ads pass automated screening and stay online for years. One observed campaign filtered out 99.4% of visitors and redirected only the small remainder to attacker-controlled pages.
-
RoguePilot flaw in GitHub Codespaces could have leaked GITHUB_TOKEN, researcher says
A flaw named RoguePilot let attackers hide instructions for Copilot in a GitHub issue to manipulate Codespaces and leak a privileged GITHUB_TOKEN. Orca Security published a technical analysis, and Microsoft patched the issue after disclosure.
-
ShinyHunters posts 12.4 million records alleged to be from CarGurus
A 6.1 GB archive claiming to contain 12.4 million CarGurus records was posted by ShinyHunters on February 21. A Have I Been Pwned breach listing says about 3.7 million of the records appear to be new.
-
Lazarus Group uses Medusa ransomware in Middle East attack
A technical report by Broadcom’s Symantec and Carbon Black Threat Hunter Team says the Lazarus Group deployed Medusa ransomware in a Middle East attack and attempted an unsuccessful strike against a U.S. healthcare organization.
-
UnsolicitedBooker uses LuciDoor and MarsSnake to target Central Asian telecoms
UnsolicitedBooker deployed the LuciDoor and MarsSnake backdoors against telecom companies in Kyrgyzstan and Tajikistan between September 2025 and January 2026, delivering them through phishing and multiple loaders.