Vulnerabilities
-
PhantomRaven campaign places malicious code in 126 npm packages
Researchers say a campaign codenamed PhantomRaven has placed malicious code into 126 npm packages since August 2025, using external dynamic dependencies to steal authentication tokens, CI/CD secrets and GitHub credentials; Koi Security and DCODX published analyses.
-
Python Software Foundation withdraws $1.5M NSF proposal over DEI restriction
The Python Software Foundation has withdrawn a $1.5 million NSF grant proposal after the agency attached a clause barring recipients from operating programs that “advance or promote diversity, equity, and inclusion,” a condition the PSF said conflicts with its mission.
-
Canada warns of hacktivist breaches at water, energy and farm facilities
The Canadian Centre for Cyber Security warned that hacktivists have repeatedly breached internet-exposed industrial control systems at water, oil and agricultural sites, altering control settings and prompting guidance to remove direct internet exposure, use multifactor VPNs, and report incidents through the Cyber Centre.
-
Researchers warn of ‘AI-targeted cloaking’ that can poison agentic browsers
Security researchers and hCaptcha warn of an ‘AI-targeted cloaking’ technique that serves different content to human browsers and AI crawlers, potentially poisoning models and enabling misinformation; SPLX and hTAG detail examples and risky agent behaviors.
-
Researchers find 10 typosquatted npm packages delivering cross‑platform credential stealer
Researchers reported a set of 10 typosquatted npm packages, uploaded on July 4, 2025 and downloaded over 9,900 times, that deploy an obfuscated, multi-stage information stealer which harvests credentials from browsers and system keyrings on Windows, Linux and macOS.
-
High-severity cache-poisoning vulnerability in BIND 9; patches issued after PoC published
CVE-2025-40778 is a high-severity cache-poisoning vulnerability in BIND 9 that can allow remote attackers to inject forged DNS records. Proof-of-concept code is public and fixed versions are available; administrators are urged to apply patches immediately.
-
CISA says two Dassault DELMIA Apriso flaws are being actively exploited
CISA warned that two vulnerabilities in Dassault Systèmes’ DELMIA Apriso are being actively exploited. The flaws, CVE-2025-6205 and CVE-2025-6204, were patched by the vendor in August and have been added to CISA’s KEV catalog; U.S. federal agencies must remediate under BOD 22-01 by Nov. 18.
-
QNAP: Windows NetBak PC Agent affected by critical ASP.NET Core flaw
QNAP warned that its NetBak PC Agent for Windows is impacted by CVE-2025-55315, a critical ASP.NET Core vulnerability in the Kestrel web server that can enable credential hijacking or request-smuggling attacks, and urged users to reinstall the agent or install the latest ASP.NET Core runtime.
-
Kaspersky links Chrome zero-day campaign to Italian spyware firm Memento Labs
Kaspersky detailed Operation ForumTroll, a campaign that used a Chrome sandbox escape (CVE-2025-2783) to deliver modular spyware LeetAgent and a second implant called Dante, which researchers attribute with high confidence to Memento Labs, a firm formed from assets of the former Hacking Team.
-
Researchers warn ‘CoPhish’ uses Microsoft Copilot Studio agents to harvest OAuth tokens
Datadog Security Labs disclosed “CoPhish,” a phishing method that uses Microsoft Copilot Studio agents and legitimate Microsoft-hosted demo pages to deliver fraudulent OAuth consent flows and harvest session tokens; Microsoft says it will address the issue in a future update and both vendors recommend tightening admin privileges and consent policies.
