2FA
-
Researchers describe “Pixnapping” Android side‑channel that can steal 2FA codes
A team of academic researchers disclosed “Pixnapping,” a side‑channel pixel‑stealing technique that can recover on‑screen data, including two‑factor codes, on Android by exploiting rendering APIs and graphical operations. Google has issued patches under CVE‑2025‑48561, while some issues remain unpatched.
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages. It outlined changes to harden npm’s supply chain, including required 2FA, short-lived granular tokens and trusted publishing.
-
GitHub Tightens npm Publishing Security with 2FA, Short-Lived Tokens and Trusted Publishing
GitHub announced a sweeping set of security measures for npm publishing, including deprecating legacy tokens, migrating to FIDO-based 2FA, and introducing seven-day, short-lived granular tokens plus trusted publishing that uses OpenID Connect and cryptographic provenance attestations to bolster npm’s supply-chain security.
-
Researchers warn of DOM-based extension clickjacking in password managers
Security researchers at DEF CON 33 revealed a DOM-based extension clickjacking flaw affecting popular password-manager browser extensions. It is capable of stealing credentials, 2FA codes, and more with a single click on a malicious page. Bitwarden has issued a fix and others are in progress, with guidance to disable auto-fill until patches are deployed.





