Research
-
Critical path traversal in @adonisjs/bodyparser allows arbitrary file writes
A critical path traversal in the @adonisjs/bodyparser npm package, tracked as CVE-2026-21440 with a CVSS score of 9.2, can permit arbitrary file writes. Patches are available in versions 10.1.2 and 11.0.0-next.6.
-
New Python stealer called VVS Stealer harvests Discord tokens and browser data
VVS Stealer is a Python-based information stealer that harvests Discord tokens and browser data. A Unit 42 technical analysis found it is Pyarmor-obfuscated and has been offered for sale on Telegram since April 2025.
-
Kimwolf botnet infects more than 2 million devices by tunneling through residential proxy networks
A technical analysis by Synthient found the Kimwolf botnet has infected over 2 million devices by tunneling through residential proxy services into home networks. Many infections involve inexpensive Android TV boxes and digital photo frames with insecure defaults.
-
APT36 uses weaponized LNK files to target Indian government entities
A multi-stage fileless campaign attributed to APT36 used oversized .lnk shortcuts embedding PDFs to deliver HTA loaders and in-memory .NET DLLs targeting Indian government systems. The malware adapts persistence to installed antivirus and uses encrypted C2.
-
PS5 BootROM keys leaked in late 2025 expose unpatchable hardware secrets
A set of PlayStation 5 BootROM keys was posted online on 31 December 2025. The leak exposes hardware cryptographic keys burned into consoles and cannot be fixed by software updates on existing units.
-
Unit 42 analysis finds VVS stealer targets Discord users and exfiltrates tokens and browser data
A Unit 42 technical analysis found that VVS Stealer, a Python-based malware marketed on Telegram in April 2025, targets Discord and browsers to steal tokens and saved credentials, exfiltrating them via Discord webhooks.
-
Handala targeted Telegram accounts of two Israeli officials
In December 2025 Handala posted about 1,900 Telegram chat entries tied to two Israeli officials. Most entries were empty contact cards and only about 40 contained messages, indicating account access rather than full phone compromise.
-
GlassWorm fourth wave targets macOS with trojanized crypto wallets in VS Code extensions
A fourth GlassWorm wave is targeting macOS developers with trojanized VS Code and OpenVSX extensions that steal credentials and attempt to replace hardware wallet apps. More than 33,000 installs were recorded.
-
MongoDB zlib flaw CVE-2025-14847 exploited in the wild with more than 87,000 instances at risk
CVE-2025-14847, dubbed MongoBleed, is actively exploited and can leak MongoDB server memory. More than 87,000 potentially vulnerable instances were identified. Apply vendor patches or disable zlib compression and limit exposure until fixed.
-
Lumma Stealer delivered through fake itch.io update links to Patreon
G DATA Security Lab found a campaign using spam comments on itch.io that linked to Patreon downloads of a nexe-compiled executable, which writes a native module and loads a LummaStealer payload. Samples include six anti-analysis checks.