Risk
-
Google denies reports that 183 million Gmail accounts were breached
Google said reports that 183 million Gmail accounts were breached are false; the dataset cited appears to be an aggregation of infostealer-sourced credentials shared with Have I Been Pwned, and users are advised to enable two-step verification, use passkeys and change exposed passwords.
-
SideWinder adopts ClickOnce-based infection chain in South Asia espionage campaign
Researchers say the SideWinder group used a new ClickOnce‑based infection chain alongside Word exploits in spear‑phishing waves from March to September 2025 to deliver ModuleInstaller and the StealerBot implant against diplomatic and government targets in South Asia.
-
QNAP: Windows NetBak PC Agent affected by critical ASP.NET Core flaw
QNAP warned that its NetBak PC Agent for Windows is impacted by CVE-2025-55315, a critical ASP.NET Core vulnerability in the Kestrel web server that can enable credential hijacking or request-smuggling attacks, and urged users to reinstall the agent or install the latest ASP.NET Core runtime.
-
Researchers warn ‘CoPhish’ uses Microsoft Copilot Studio agents to harvest OAuth tokens
Datadog Security Labs disclosed “CoPhish,” a phishing method that uses Microsoft Copilot Studio agents and legitimate Microsoft-hosted demo pages to deliver fraudulent OAuth consent flows and harvest session tokens; Microsoft says it will address the issue in a future update and both vendors recommend tightening admin privileges and consent policies.
-
Qilin ransomware deployed Linux payload on Windows using BYOVD and legitimate IT tools, researchers say
Researchers report that the Qilin ransomware group has been highly active through 2025, using leaked credentials, credential-harvesting tools and legitimate remote-management software to deploy a Linux ransomware binary on Windows systems while employing BYOVD and targeting backup infrastructure.
-
Mass attacks exploit outdated GutenKit and Hunk Companion WordPress plugins
A mass exploitation campaign is targeting WordPress sites running outdated GutenKit and Hunk Companion plugins, leveraging three critical vulnerabilities that can lead to remote code execution; Wordfence said it blocked 8.7 million attack attempts over two days and urged administrators to update plugins and check for indicators of compromise.
-
APT36 uses Golang DeskRAT in spear‑phishing campaign against Indian government targets
Security researchers reported that APT36 (Transparent Tribe) used spear‑phishing to deliver a Golang remote access trojan called DeskRAT against Indian government targets, with the campaign targeting BOSS Linux, using multiple persistence methods and WebSocket C2.
-
Researchers: network published more than 3,000 malicious YouTube videos to distribute malware
Security researchers say a network of compromised YouTube accounts published more than 3,000 videos since 2021 to promote links that lead to malware downloads; Check Point labelled the operation the YouTube Ghost Network and said Google removed most of the videos.
-
Microsoft issues out-of-band fix for WSUS vulnerability CVE-2025-59287
Microsoft released an out-of-band cumulative update to address CVE-2025-59287, a critical WSUS deserialization vulnerability being exploited in the wild; admins should apply the patch or disable WSUS/block ports 8530 and 8531 until systems can be rebooted after updating.
-
Researchers find self‑propagating ‘GlassWorm’ targeting VS Code extensions using Solana for command control
Researchers have found a self‑spreading worm called GlassWorm that infects VS Code extensions on Open VSX and the Microsoft Marketplace, uses the Solana blockchain and Google Calendar for command control, and steals developer credentials and cryptocurrency assets.
