Vendors
-
Logitech discloses data breach tied to zero-day; Cl0p claims responsibility
Logitech disclosed a data breach in which a zero-day in a third-party platform was exploited and certain internal IT data was copied; Cl0p has claimed responsibility and Logitech said it does not expect the incident to materially affect its business.
-
Eurofiber reports data stolen in cyberattack on its French business
Eurofiber said a November 13 cyberattack on its French business exploited a ticketing-platform vulnerability and resulted in stolen data; the company said banking information was not affected, the flaw is patched, and it has notified customers and French authorities.
-
AIPAC discloses data breach affecting 810 people, offers identity protection
AIPAC reported a criminal cyberattack in a November 2025 filing, saying files were accessed between October 2024 and February 2025 and that 810 people were affected; the organisation notified individuals, offered 12 months of identity protection, and said it implemented new security controls.
-
Researchers find widespread remote code execution risk in AI inference engines from unsafe ZMQ and pickle use
Researchers found a recurring insecure pattern — pickle deserialization over unauthenticated ZeroMQ sockets — in multiple AI inference frameworks, creating remote code execution risks across projects including vLLM, NVIDIA TensorRT-LLM, Modular Max Server and SGLang; related research also showed browser and IDE injection risks in Cursor.
-
ASUS issues firmware to fix critical authentication bypass in DSL routers
ASUS released firmware version 1.1.2.3_1010 to fix a critical authentication bypass (CVE-2025-59367) impacting DSL-AC51, DSL-N16 and DSL-AC750 routers and urged users to install the update or follow mitigation steps to block internet-accessible services.
-
Anthropic says Chinese state-sponsored group used Claude Code AI in espionage campaign
Anthropic reported that a Chinese state-sponsored group used its Claude Code AI and a Model Context Protocol to orchestrate attempted intrusions against about 30 high-profile organizations in mid-September, succeeding in a small number of cases; Anthropic banned accounts, notified victims and said AI hallucinations limited full autonomy.
-
Washington Post breach exposes personal data of nearly 10,000 workers
The Washington Post notified 9,720 employees and contractors that their personal and financial information was exposed after attackers exploited a zero-day in Oracle E-Business Suite; the flaw (CVE-2025-61884) has been linked to the Clop group and other major organisations were also affected.
-
CISA orders federal agencies to remediate two exploited Cisco firewall flaws
CISA ordered U.S. federal agencies to remediate two actively exploited Cisco ASA and Firepower vulnerabilities (CVE-2025-20333, CVE-2025-20362), warned that some devices reported as patched remain vulnerable, and added three flaws to its KEV catalog with a December 3, 2025 remediation deadline.
-
Researchers: npm registry flooded by tens of thousands of fake packages in two‑year spam campaign
Researchers have identified a two‑year spam campaign that has flooded the npm registry with tens of thousands of fake packages using a worm-like mechanism to auto-publish new packages and potentially monetize the effort via the TEA protocol; investigators say attribution is unconfirmed and registry operators have removed the packages.
-
Amazon opens invite-only bug bounty for NOVA models to outside researchers
Amazon has launched an invite-only bug bounty program for its NOVA family of language models, allowing select researchers to test and be paid for findings on issues such as prompt injection, jailbreaking and other vulnerabilities, with the company saying the effort will help secure models integrated across Amazon and customer systems.
