Vulnerabilities
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
-
Unpatched OnePlus flaw lets rogue apps access SMS data, Rapid7 says
Rapid7 has disclosed an unpatched vulnerability in OnePlus OxygenOS that could allow rogue apps to access SMS data and metadata without user interaction, due to exposed content providers in the Telephony package. The flaw, CVE-2025-10184, affects OxygenOS 12 through 15 and remains unpatched as OnePlus investigates; a PoC exploit has been published.
-
Security firm flags in-the-wild exploitation of Pandoc flaw CVE-2025-51591 to target AWS IMDS
Security researchers at Wiz have observed in-the-wild exploitation of CVE-2025-51591, a Pandoc flaw that enables SSRF against AWS EC2 IMDS, with attackers attempting to exfiltrate data via crafted iframes. The activity underscores the importance of IMDSv2 and least-privilege IAM roles to mitigate cloud credential exposure.
-
State-backed hackers exploited Libraesva ESG flaw; vendor issues urgent patch
Libraesva disclosed that state-sponsored attackers exploited a vulnerability in its Email Security Gateway (ESG), tracked as CVE-2025-59689. The flaw, a command injection triggered by specially crafted compressed attachments, affects ESG versions 4.5 through 5.5.x before 5.5.7. Patches are available; older builds that have reached end of support must be upgraded manually.
-
Boyd Gaming Discloses Data Breach After Cyberattack; Employee Data Among Those Compromised
Boyd Gaming disclosed a cyberattack in a Form 8-K, stating attackers gained access to its systems and stole employee data and data belonging to a limited number of other individuals. The company says its operations and financial condition are not affected, and that it has engaged external cybersecurity experts and notified law enforcement. No group has claimed responsibility.
-
US Secret Service Dismantles Network of 300 SIM Servers Near UN General Assembly
The U.S. Secret Service said it dismantled a network of more than 300 SIM servers and 100,000 SIM cards across the New York area, potentially capable of disrupting telecommunications and enabling encrypted communications for threat actors, with investigations linking to nation-state actors and reports of assassination threats near the UN General Assembly.
-
Iranian-linked hackers expand European operations with fake job portals and new malware, researchers say
Security researchers say Iranian government-backed attackers are targeting Western Europe with fake job portals and new Minibike malware, including MiniJunk and MiniBrowse, delivered through a multi-stage DLL sideloading chain. The operation focuses on Denmark, Portugal, and Sweden and appears linked to broader Iran-aligned threat activity.
-
GitHub Tightens npm Publishing Security with 2FA, Short-Lived Tokens and Trusted Publishing
GitHub announced a sweeping set of security measures for npm publishing, including deprecating legacy tokens, migrating to FIDO-based 2FA, and introducing seven-day, short-lived granular tokens plus trusted publishing that uses OpenID Connect and cryptographic provenance attestations to bolster npm’s supply-chain security.
-
SEO-poisoning BadIIS malware tied to Operation Rewrite targets East and Southeast Asia, researchers say
Security researchers say a Chinese-speaking actor is using the BadIIS malware in an Operation Rewrite SEO-poisoning campaign to hijack search results via a compromised IIS proxy, targeting East and Southeast Asia with Vietnam as a focus.










