Research
-
Fake NexShield extension crashes Chrome and Edge to push ModeloRAT
A Huntress technical analysis found that a fake ad blocker called NexShield crashed Chrome and Edge to push malicious commands and install ModeloRAT in corporate environments. Full system cleanup is advised for affected machines.
-
Researchers disclose Gemini prompt injection that used calendar invites to exfiltrate meeting data
A Miggo Security technical analysis shared with The Hacker News revealed an indirect prompt injection that used Google Calendar invites to extract private meeting details from Google Gemini. The flaw was fixed after responsible disclosure.
-
LOTUSLITE backdoor used in campaign targeting U.S. policy entities
Researchers disclosed a campaign on January 16, 2026 that used Venezuela-themed lures to deliver the LOTUSLITE backdoor to U.S. government and policy organizations via ZIP archive and DLL side-loading. Attribution is to Mustang Panda with moderate confidence.
-
CodeBreach misconfiguration in AWS CodeBuild could have exposed aws-sdk-js-v3 GitHub repo
A CodeBuild misconfiguration could have allowed takeover of AWS-managed GitHub repositories including the AWS JavaScript SDK. The flaw, dubbed CodeBreach, was fixed in September 2025 after responsible disclosure.
-
Critical Fast Pair flaw lets attackers hijack Bluetooth headsets and eavesdrop
Researchers found a Fast Pair implementation flaw that lets attackers force-pair Bluetooth audio devices, enabling hijack, eavesdropping, and tracking of hundreds of millions of accessories. Patches from manufacturers are required to fix vulnerable devices.
-
Reprompt attack could exfiltrate Microsoft Copilot data with one click
Researchers disclosed Reprompt, a method that can use a single Copilot URL click to inject prompts and enable hidden, ongoing data exfiltration. Microsoft has addressed the issue and enterprise Copilot customers are not affected.
-
CERT-UA advisory outlines PLUGGYAPE campaign using Signal and WhatsApp against Ukrainian forces
A CERT-UA advisory says PLUGGYAPE was used in attacks on Ukrainian defense forces between October and December 2025. Delivery used Signal and WhatsApp links to password-protected archives that installed a PyInstaller executable and a Python backdoor.
-
Long-running web skimmer targeted major payment networks since 2022
A technical analysis found a web skimming campaign active since January 2022 that targeted major payment networks and used obfuscated JavaScript to harvest payment and personal data from checkout pages.
-
VoidLink modular Linux malware targets cloud and container environments
VoidLink is a modular Linux malware framework found in December 2025 that targets cloud and container environments. The framework supports 37 plugins and includes rootkit techniques, credential harvesting, and multiple command-and-control channels.