Two malicious versions of Axios, the most downloaded JavaScript HTTP client library, were briefly published to NPM and contained a cross-platform RAT. Google has attributed the attack to suspected North Korean threat actor UNC1069.
A sophisticated zero-day vulnerability in Adobe Reader has been actively exploited since at least December, using maliciously crafted PDF files to steal data and potentially enable full system compromise.
European rail pass operator Eurail B.V. has confirmed that a cyberattack on December 26, 2025 exposed the personal data of 308,777 individuals, including names, passport numbers, and sensitive health and financial information.
Industrialized fraud rings are deploying AI to build synthetic identities at unprecedented scale, rendering traditional detection methods obsolete. Experts argue the only viable response is to stop reacting and start hunting.
BleepingComputer is hosting a live webinar on April 30, 2026 at 2:00 PM ET exploring how security teams can detect early threat actor signals across dark web forums, Telegram channels, and access broker marketplaces.
Researchers from RSAC combined two adversarial techniques to circumvent Apple Intelligence's input and output filters, achieving a 76% success rate across 100 test prompts. Apple has since rolled out fixes in iOS 26.4 and macOS 26.4.
The February 2026 Figure breach exposed nearly 967,200 email records without a single exploit — and the downstream attack chain it enables exposes a fundamental flaw in how most organizations think about MFA.
The FBI's Operation Masquerade disrupted a GRU-linked hacking campaign that compromised more than 18,000 TP-Link routers and infiltrated over 200 organizations worldwide, cutting off what officials called 'tremendous access' to household internet traffic.
Attackers hijacked the update distribution system for the Smart Slider 3 Pro plugin, pushing version 3.5.1.35 loaded with multiple backdoors to WordPress and Joomla sites. The vendor urges all users to upgrade immediately to version 3.5.1.36 or roll back to 3.5.1.34.
Google has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, cryptographically tying session cookies to a device's hardware to stop infostealers like LummaC2 from exploiting stolen authentication tokens.