Research
-
Researchers Say YoLink Smart Hub Vulnerabilities Could Let Attackers Control Locks
Researchers at Bishop Fox have disclosed multiple vulnerabilities in the YoLink Smart Hub v0382 that can bypass authorization, expose credentials over unencrypted MQTT, and allow attackers to control devices including smart locks; the manufacturer has not yet issued a patch.
-
Malicious PyPI package ‘soopsocks’ acted as SOCKS5 proxy and Windows backdoor, researchers say
Researchers say a PyPI package called soopsocks posed as a SOCKS5 proxy but included Windows backdoor capabilities, downloaded 2,653 times before removal; analysis attributes reconnaissance, privilege elevation, firewall changes and data exfiltration to a compiled executable and accompanying scripts.
-
New Android banking trojan Klopatra has infected more than 3,000 devices, Cleafy says
Cleafy said a new Android banking trojan called Klopatra has infected over 3,000 devices, mainly in Spain and Italy, using VNC remote control, dynamic overlays and abuse of Android accessibility services to steal credentials and perform fraudulent transfers.
-
Okta says North Korean ‘IT worker’ scam is targeting healthcare, finance and AI hiring
Okta Threat Intelligence reported that nearly half of companies targeted by a North Korean-linked fake remote-worker scheme are outside IT, with rising activity in healthcare, finance and AI hiring; the firm tracked over 130 identities tied to more than 6,500 interviews from 2021 to mid-2025 and warned the sample likely understates the full scale.
-
Researchers say low-cost DDR4 interposer can bypass Intel and AMD memory protections
Researchers at KU Leuven and the University of Birmingham say a low-cost DDR4 interposer called Battering RAM can redirect physical addresses to bypass Intel SGX and AMD SEV-SNP protections in cloud confidential computing, potentially allowing plaintext reads, data corruption and persistent backdoors.
-
Unit 42 says China-aligned actor ‘Phantom Taurus’ has targeted government and telecom organisations in Africa, Middle East and Asia
Palo Alto Networks’ Unit 42 said a China-aligned actor it calls ‘Phantom Taurus’ has conducted an ongoing espionage campaign against government and telecom organisations across Africa, the Middle East and Asia, using bespoke .NET malware against IIS servers and tools to exfiltrate database content.
-
Researchers disclose three now-patched vulnerabilities in Google’s Gemini AI
Researchers disclosed three patched vulnerabilities in Google’s Gemini AI that could have exposed users to privacy risks, affecting Cloud Assist, the Search Personalization model and the Browsing Tool, Tenable said; Google has applied mitigations.
-
Phishing campaign impersonates Ukrainian police to deliver data stealer and cryptominer
FortiGuard Labs reported a fileless phishing campaign impersonating Ukraine’s National Police that uses malicious SVG attachments to deliver Amatera Stealer and PureMiner, harvesting credentials and installing a cryptominer on Windows systems.
-
Chinese state-sponsored group RedNovember exploited enterprise network gear in global campaign, researchers say
Recorded Future says a Chinese state-sponsored group called RedNovember ran a global espionage campaign from June 2024 to July 2025, exploiting vulnerabilities in enterprise network appliances to breach defense contractors, government agencies and other organizations and using publicly available tools to maintain persistent access.
-
Researchers find malicious ‘postmark-mcp’ npm package that forwarded emails to attacker
Researchers say a malicious npm package named “postmark-mcp” copied an official library and, beginning with version 1.0.16, BCC’d every email to an external address, exposing potentially sensitive communications; the package has been removed from npm and users are urged to revoke credentials and check logs.
