Vulnerabilities
-
Glassworm malware returns with 24 malicious VS Code packages on OpenVSX and Microsoft marketplace
The Glassworm malware has returned in a third wave with 24 malicious VS Code extension packages on OpenVSX and the Microsoft Visual Studio Marketplace, using obfuscation and Rust‑based implants to steal credentials, deploy proxies and enable remote access.
-
Long-running ‘ShadyPanda’ campaign amassed more than 4.3 million browser extension installs, researchers say
Researchers say the ShadyPanda campaign turned hundreds of browser extensions into spyware and backdoors, accumulating more than 4.3 million installs across Chrome and Edge and exfiltrating browsing data to multiple domains.
-
CISA adds OpenPLC ScadaBR XSS flaw to Known Exploited Vulnerabilities list amid active attacks
CISA added CVE-2021-26829, a cross-site scripting flaw in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation tied to a hacktivist operation; Forescout and VulnCheck reported related intrusions and a sustained OAST-driven exploit campaign.
-
Legacy Python bootstrap scripts create potential PyPI domain takeover risk, researchers say
ReversingLabs found legacy zc.buildout bootstrap scripts in several PyPI packages that download an obsolete Distribute installer from a domain now for sale, creating a potential domain takeover supply chain risk; researchers warned some projects still ship the file and pointed to a separate malicious PyPI package discovered by HelixGuard.
-
North Korean actors push 197 malicious packages to npm to deploy OtterCookie variant
Researchers say North Korean actors uploaded 197 malicious npm packages, downloaded over 31,000 times, to deploy an OtterCookie variant that evades sandboxes, establishes C2 access and steals credentials and crypto data; delivery used a Vercel URL and a now-unavailable GitHub account, and the campaign has also employed fake job-assessment lures to distribute Go-based backdoors.
-
French Football Federation discloses data breach after compromised account
The French Football Federation said attackers used a compromised account to access administrative software for clubs, stealing personal and contact details; the FFF disabled the account, reset passwords, filed a criminal complaint and notified ANSSI and CNIL.
-
ASUS issues firmware updates to fix critical AiCloud authentication bypass
ASUS has issued firmware updates to fix nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) in routers with AiCloud enabled, and advised users to update firmware or apply mitigations for end-of-life devices.
-
Researchers find thousands of credentials in JSONFormatter and CodeBeautify archives
Researchers at watchTowr Labs said they recovered over 80,000 files saved to JSONFormatter and CodeBeautify that contained thousands of credentials and sensitive records spanning government, finance, telecoms and other sectors; both sites have temporarily disabled the save feature.
-
Firefox patch fixes high-severity WebAssembly bug that lingered for six months
AISLE disclosed a high-severity WebAssembly boundary error in Firefox (CVE-2025-13016) that allowed memory corruption and could enable arbitrary code execution; Mozilla released a patch in Firefox 145 and ESR 140.5 after rapid confirmation and remediation.
-
Malicious Blender .blend files used to deliver StealC V2, researchers say
Researchers at Morphisec say a campaign has used malicious Blender .blend files uploaded to free 3D asset sites to execute embedded Python scripts and deliver the StealC V2 information stealer and a secondary Python stealer; the attack runs when Blender’s Auto Run option is enabled.
