DEV Community: Habdul Hazeez

Security news weekly round-up - 19th June 2026

Habdul Hazeez — Fri, 19 Jun 2026 21:35:03 +0000

Defenders don't rest. They wake up every day thinking about how to protect the systems that they are charged to protect. Meanwhile, attackers are also looking for crafty ways to infect a system or break into computer networks. In the end, it's good for everyone if defenders are always one step ahead of the attackers.

EvilTokens: A phishing attack that doesn’t steal your password

A phishing attack that does not require creating fake login pages or stealing your passwords. I was speechless when I read the article's title and deservedly so when I read how the attackers executed the attack.

The following should get you started:

EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow.

As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords.

Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.

One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes

The good news is that MSFT mitigated the flaw. What's left for tenant admins is to watch and contain. The interesting thing is how the researchers pulled off the attack.

Here is what they did:

Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.

The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection.

Low-skilled attacker used Claude, Codex to breach 14 companies

The barrier to entry into cybercrime has never been this low. And what's reported in this article proves that. Also, you'll expect that since the attacker is tagged a low-skilled attacker, that they will make rookie OPSEC mistakes, yes they did.

From the article:

“In many cases, the attacker supplied only vague, low-skill prompts and allowed Claude to fill in the gaps: researching exposed services, identifying possible vulnerabilities, writing exploit code, validating access, and harvesting data,” the researchers noted.

“The attacker did not need to be an expert operator; they simply had to use the correct framing for their prompts. The agent supplied much of the structure and technical execution that the attacker appeared to lack.”

Massive breach spills credentials for thousands of sensitive networks

Just when you think: We are safe, we have firewalls and the big tech guys to protect our infrastructures. Then you read an article like this and you almost give up, thinking: Which system is safe?

Here is what's going on:

“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” researchers from Hudson Rock, a security firm that also analyzed the data, wrote. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”

Rokarolla Android trojan targets banking and crypto users, enables device takeover

Android Trojans and their funny names are something else. The article's title clearly states what the Trojan does. One thing that surprises me every time I read an article like this: given the amount of effort that the developers put into this malware, can't they put the same effort into developing an application that they can somehow monetize? Or, something like that?

I mean, read the following

“Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input,” the researchers said.

“Furthermore, the trojan actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.”

USB worm spreads crypto-stealing malware via Windows shortcut files

I don't know. At the end of the day, and most of the time, some malware are just after stealing something from an infected system. This is yet another example.

From the article:

The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.

Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 12th June 2026

Habdul Hazeez — Fri, 12 Jun 2026 20:46:37 +0000

Most of the security threats that we face today come from online sources. I mean, the moment we switch on our devices and click "connect", we walk into a world where we can be vulnerable to threats that we cannot even fathom. Yet, we trust our instincts that I will be fine. Sometimes, that turns out to be the case. Most of the time (ask those who have been victims), it's not always the case.

One wrong move and we could be toast. Searching for that thing on your favorite search engine? In the search results, you could end up clicking on a malware-laden site or a phishing site using a typosquatted domain name. Or, you have vulnerable software and an exploit is already available waiting for a target to come online, and just like that, your system is owned.

The list is endless. Nonetheless, we still connect to the internet and for the security-minded person, hope and pray for the best.

FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins

TL;DR: In the season of the World Cup 2026, there are scam sites out there ready to steal your financial and identity details. To prevent this, go to FIFA's website directly by typing the address in your web browser's address bar and hitting the enter key on your keyboard. This means do not search for anything related to tickets or stuff like that on Google (or your favorite search engine).

You have been warned.

Everybody Is Vibe Coding But Nobody Told the Security Team

I wish they did. Wait. Let me take that back. They should tell the security team! Why? These vibe-coded applications are ending up in Google Search results.

Here is what I am saying (emphasis mine):

Researchers at RedAccess recently analyzed thousands of vibe-coded applications built on Lovable, Replit, Base44, and Netlify. They found more than 5,000 with virtually no security or authentication. Around 40% exposed sensitive data — medical information, financial records, corporate strategy documents, detailed customer conversation logs.

Among verified exposures: a shipping company app detailing vessel port arrivals; an internal health company application listing active UK clinical trials.

Cybercriminals: the 'auditors' you never hired

Nonetheless, they are at your door scanning and probing where the loopholes are. If they do find one, you might find out after the damage is done.

From the article:

There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias

As this bias can lead us to mistake familiarity for safety and assumptions for evidence, it’s increasingly getting in the way of dealing with the cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack or to interpret an absence of obvious problems or consequences as evidence that risks are under control.

Infostealers Turn Millions of Devices Into Credential Theft Machines

To add to the article's title: Without you even knowing. I know you might say: of course that's how infostealers work! Yes, I know. I just couldn't help myself but say it out loud.

From the article:

Stealers are available on the underground ecosystem, often via malware-as-a-service (MaaS) and for hire at as little as $60 per month. During 2025, the most successful stealers, in order, were Lumma, Acreed, Rhadamanthys, Vidar, and StealC.

When attackers acquire a stealer, they must then infect a target device. This could usually be any device connected to the network he intends to raid since secrets available here would provide access to other parts of the network.

Oracle warns of security bug that hackers abused to breach 100+ companies

At the time of writing, it's a zero-day bug. Meaning: no patches available only mitigations.

From the article:

Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the bug can be exploited over the internet without needing any authentication, such as a password.

Japanese energy firm loses drive with data of 10.9 million clients

They stored the stolen data on a drive. Locked it in a server room cabinet that is behind many physical security layers. Yet, someone got in, took the data, and at the time of writing, they have not located the person nor the data.

From the article:

The data present on the now missing drive includes:

Customer names

Service location addresses

Electricity usage data

Telephone numbers

Names of retail electricity providers

Other related information

The firm has clarified that no bank account information or credit card data was stored in the drive. It also promised to notify impacted customers individually in the upcoming period.

Alert Fatigue Is Becoming a Security Threat of Its Own

TL;DR: When alert is too much, it can be a problem.

From the article:

Alert fatigue isn’t caused by occasional long hours and stress – it is caused by continuous long hours and continuous stress with no escape. If it isn’t prevented, the effect on the analyst could begin with a few missed false negatives and grow into a full business compromise.

For the analyst, it could start with subconscious, but overly aggressive filtering merely designed to keep up with the volume of fresh alerts. Within this filtering, too many alerts may be assumed to be false positives. Many will be but some may not, and true positive signals may be filtered out as noise.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 29th May 2026

Habdul Hazeez — Fri, 29 May 2026 22:40:28 +0000

Malware and vulnerabilities are the stuff of nightmares for any security-conscious internet user. If you add, privacy invasion into the mix, it gets worse. I mean: a website spying on you using activities of your SSD can sound like a script from your favorite Sci-fi movie. However, it's reality.

Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise

The FIFA World Cup season is around the corner. Be careful of any random search while looking to buy tickets and some merchandise. Go to the official website. Do not search on Google.

From the article:

Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves on a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won't notice.

These special phone and app features can help protect you from spyware

If you feel that you are targeted you think you could be in the future, go through the article. It covers how to get it done on your iPhone and Android devices.

The following should get you started:

Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff

No security measure is perfect, and it’s a constant effort to keep security flaws at bay. But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective.

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Do not use AI chatbots for searching for download links on the Internet. If you think that's too much to ask, read the article.

From the article:

It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning.

Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors.

Websites have a new way to spy on visitors: Analyzing their SSD activity

Among the things that I can never think would be possible while browsing on the web, this is going to be among the top 10. While reading, it reminds me of https[://]browserspy[.]dk

From the article:

The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.

The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

New BTMOB Android Malware Enables Full Device Takeover

Another Android malware that you and I have to think about. Like previous documented Android malware, this one also abuses the Accessibility Services on the device.

Here is how the malware spreads, and what it can do:

Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK.

Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.

Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code

It can be funny when you read the title. However, it wouldn't be funny if you end up being a victim.

From the article:

The addition was a prompt injection, a form of AI attack that exploits an LLM’s inability to distinguish between legitimate user prompts and those from unauthorized, potentially malicious third parties. AI coding agents that were vulnerable would then delete work product produced by the testing app.

The reception to the discovery has been chilly. One discussion participant called the move “childish,” while another one questioned its legality in some jurisdictions.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 22nd May 2026

Habdul Hazeez — Fri, 22 May 2026 21:15:56 +0000

Security lapses, an almost a decade-old vulnerability are among the topics that we're going to review this week. From all the articles that we'll review, one thing is common: humans are not perfect and sometimes we need constant reminders to let us know what to do and when to do it.

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

I would like to know the cause behind the surge of Linux vulnerabilities in the past few months. We have had CopyFail, Dirty Frag, Fragnesia, and now this? Does it have anything related to Anthropic's Mythos? Anything? Let me know in the comments section.

Now, speaking of the article. The title is a good summary of the vulnerability, and the following excerpt tells you more:

The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu.

Scammers are abusing an internal Microsoft account to send spam links

This type of incident reminds me of the following: always verify everything you read in your email even if it appears to come from a "trusted" source. Imagine seeing an email that appears to be from MSFT and it's from scammers!

From the article:

This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications that purported to triple the value of any crypto users send in — a widely known scam used to steal people’s cryptocurrency.

How to Protect Identities and Sessions from Infostealers

Infostealers. I don't know what to say. This blog from CrowdStrike details the danger they pose to your system, your life, and how to protect yourself.

From the article:

An infostealer is a type of malware specifically designed to do what its name suggests: steal sensitive information. Often deployed through phishing emails, malicious downloads, compromised websites, or exploited vulnerabilities

The impact of an infostealer attack can be devastating. Because infostealers quietly extract sensitive data, organizations often remain unaware until significant damage has been done.

CISA Admin Leaked AWS GovCloud Keys on Github

When I saw the article's title, I read it all. I kept wondering: how did it happen? I mean, you work for CISA and you put stuff like this in a public GitHub repo and ironically you name it "Private CISA". This is beyond me.

From the article:

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.

I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.

Why geopolitical turmoil is a gift for scammers, and how to stay safe

When something is happening in the world and it's everywhere like in the news, the papers, e.t.c., you name it. Scammers tend to use such situations to compromise unsuspecting users. That's why you need to control or should I say keep your emotions "in check" when global events happen. Whether you like what's going on or not, do not be quick to react when you're online or offline.

From the article:

A good rule of thumb is never to click on links or open attachments in unsolicited messages, even if they look convincing and appear as if sent from a trusted source.

If you really want to know if it’s a genuine message or not, check independently with the sender; i.e., don’t reply directly or use contact details in the message itself. Or if it’s a news story, go direct to your favored news outlet.

Be cautious of social media accounts, especially those that appear to be customer service accounts for airlines and the like. These are easier than you’d think to set up and platform providers are always a step behind in taking them down.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 15th May 2026

Habdul Hazeez — Fri, 15 May 2026 21:24:36 +0000

Malware and vulnerabilities dominate our review this week. This shows that humans always create bad stuff and what we create is not always perfect, hence, a vulnerability can exist in our software and applications.

Hackers abuse Google ads, Claude.ai chats to push Mac malware

When you search for anything online with the hope of getting a download link, be cautious of the link that you click on.

From the article:

Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac. The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac.

Researcher Drops YellowKey, GreenPlasma Windows Zero-Days

If I remember correctly, we wrote something about this same researcher some weeks ago. It's the same reason why they did this: frustration about the way MSFT handled the vulnerability disclosure. And, now, they have done another one!

From the article:

According to the researcher, the underlying issue for YellowKey is a well-hidden vulnerability without an explicit root cause, and could be a backdoor intentionally planted into BitLocker.

The second zero-day Windows exploit dropped by Chaotic Eclipse is named GreenPlasma and allows attackers to elevate their privileges to System. The researcher published a PoC exploit stripped of the code required to achieve a full System shell.

OpenAI says hackers stole some data after latest code security issue

By the looks of things, it's nothing that serious. I mean really serious. It's not something that you'll think: Oh, OpenAI is in big trouble, or that kind of thing.

From the article:

According to the AI giant, “only limited credential material” was taken from the affected code repositories. As a precaution, given that the affected repositories contained digital certificates used to sign OpenAI’s products, the company said it’s rotating the certificates “as a precaution,”

New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation

With the back-to-back public announcement of Linux vulnerabilities, will this Operating System catch a break anytime soon? We'll see.

From the article:

Dubbed Fragnesia and officially tracked as CVE-2026-46300, the issue resides in the kernel’s XFRM ESP-in-TCP subsystem, allowing an unprivileged attacker to gain root permissions by overwriting sensitive system files. Fragnesia is in the same class of vulnerabilities as the recently disclosed Dirty Frag and Copy Fail.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 8th May 2026

Habdul Hazeez — Fri, 08 May 2026 21:37:49 +0000

Do secure systems exist? Or are all systems deemed secure until they are exploited and attacked? I asked myself these two questions while working on this article and I don't have an answer. If you have an answer, kindly let me know in the comments section.

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

The good thing about this: they addressed the vulnerability in version 2.4.67. Nonetheless, the excerpt below gives a brief overview of the vulnerability and what we can learn from it.

The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.

Fixing the password problem is as easy as 123456

But it's not. It needs some enforcement from the right bodies. Because, why will someone use 123456 as a password? It's 2026!

From the article:

The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.

NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’.

Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes

If you cannot see it, that does not mean that it is not there. Meanwhile, an AI model can see it and act accordingly. Here, the "act" might be something that you would not approve, e.g., exfiltration of users' data.

From the article:

Cisco’s experts found that an attacker could create images that carry instructions the AI will follow, but which are too degraded for a human to read. The work builds on a first phase of research that established a measurable link between the visual distortion of a text-bearing image and its likelihood of succeeding as an attack against VLMs.

How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity

Artificial Intelligence has changed the way we do things in some industries, and cybersecurity has not been left behind. Mythos from Anthropic has the potential to change the way software developers and companies approach vulnerability discovery and patching. This article quickly highlights how Firefox is doing it without eliminating humans in the process.

From the article:

It’s still not clear how AI’s emerging capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, most of the bugs discovered likely haven’t been patched, which makes it hard to capture the full scope of their impact.

Sophisticated Quasar Linux RAT Targets Software Developers

Dubbed Quasar Linux (QLNX), the RAT has a modular architecture, uses multiple persistence and detection evasion mechanisms, packs a rootkit, and provides attackers with remote access to the infected machines.

I have always had this belief: threat actors are willing to subvert all your defenses provided that they are determined to get or steal what you have. This is one such example. While reading the article, I kept thinking: all this effort just to steal credentials? Why?

From the article:

The malware supports 58 distinct commands, allowing attackers to interact with shells, enumerate and manipulate files and processes, create directories, download and upload files, reboot or shut down the system, open URLs, display notifications, open TCP sockets, harvest sensitive information, capture the screen, log keystrokes, and use SSH credentials to execute commands on remote hosts.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 1st May 2026

Habdul Hazeez — Fri, 01 May 2026 21:37:29 +0000

Humans are not perfect and this tends to show in what we create. That's why we will always have vulnerabilities in our software. As if that's not enough to cause a headache, there are those ready to exploit them for fun, profit, to patch them, or wreak havoc on the affected system(s).

With the growing popularity of Generative AI, we can add Prompt Injection to the list of vulnerabilities that defenders have to defend against in modern AI systems.

Welcome to this week's security review here on DEV. I remain your host, Habdul Hazeez. The two opening paragraphs of this edition are an introduction to what we're about to review. So, let's begin.

The calm before the ransom: What you see is not all there is

What I want you to take away from this article: Just because everything is calm in your environment, it does not mean that your system is safe. Who knows, the login for your critical infrastructure may already be on sale and just waiting for someone interested in attacking you to buy it and come after you.

From the article:

...the absence of a visible incident is just silence, and silence can mean several things. The company with an immaculate record may indeed have top-notch defenses. But it may also have avoided the attention of anyone ill-intentioned

In its 2025 Data Breach Investigations Report, Verizon put a number on how wide the gap between perceived security and actual exposure can get: it found that 54% of ransomware victims had their domains appear in at least one infostealer log or illicit marketplace posting before the attack.

Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google

The title of the article is perfectly phrased to reflect what the article is trying to convey. I'll add the following: it's only a matter of time before that sophistication changes from "low" to "high". What happens if Mythos is released publicly? I don't know. You tell me.

From the article:

The most important, however, from a security standpoint are the malicious prompt injection attempts. The researchers uncovered two types of such attacks: exfiltration and destruction.

Some websites contained prompts instructing AI to collect data, including IPs and credentials, and send it to an attacker-specified email address.

Critical GitHub Vulnerability Exposed Millions of Repositories

I was stunned when I saw the article's title. Surprised when I read it. Happy when I learned that they [the researchers] informed GitHub and they patched it the same day, March 4, 2026. However, at the time of writing, the article noted that 88 percent of Enterprise Server instances have not been updated to a patched version.

From the article:

By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command – using nothing but a standard git client.

In the case of GitHub Enterprise Server, an attacker can exploit the vulnerability to fully compromise the server and gain access to all repositories and internal secrets.

Popular WordPress redirect plugin hid dormant backdoor for years

I really don't know what to say about this. Undoubtedly, this is a breach of trust of whoever was using that plug-in on their website.

From the article:

The real danger for impacted websites, though, comes from the updating mechanism itself, which enabled arbitrary code execution on demand. That mechanism is still present on sites using the plugin, but dormant because the malicious external command-and-control subdomain does not resolve. The domain is active, though.

Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

And trust me, you should!

Here is what's going on:

...web hosting and domain registration company Namecheap disclosed that it "relates to an authentication login exploit that could allow unauthorized access to the control panel."

The authentication bypass vulnerability has been assigned the CVE identifier CVE-2026-41940, and carries a CVSS score of 9.8 out of 10.0. In an update to its advisory, cPanel said patches have also been pushed to WP Squared version 136.1.7.

The most severe Linux threat to surface in years catches the world flat-footed

Given the significant role that Linux plays in the world right now, this does not look good. For added context, the name of the vulnerability is CopyFail.

More details:

The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code

With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

When I read articles like this, genuinely, I am not surprised. Why? Attackers always, I repeat, always try to find a way to compromise a system.

From the article:

What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it's extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint.

Once launched, the malware establishes communication with "bore[.]pub," a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 17th April 2026

Habdul Hazeez — Fri, 17 Apr 2026 21:58:36 +0000

Vulnerability and malware are the topics that dominate our review for this week. It's not good news that we will mostly talk about two topics. Mind you, these two, in the wrong hands, can wreak havoc on users around the world. Do you remember WannaCry?

Let's begin our review.

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

You might think: I don't use WordPress, why should I care? Well, you should care because you never know where you'll find yourself in the future, or what you'll be doing.

Here is what happened:

someone last year bought Essential Plugin and the backdoor was soon added to the plug-ins’ source code. The backdoor sat dormant until earlier this month when it activated and began distributing malicious code to any website with the plug-ins installed.

Plug-ins allow owners of WordPress-based websites to extend the site’s functionality, but in doing so grant the plug-ins access to their installations, which can open these websites to malicious extensions and potential compromise.

100 Chrome Extensions Steal User Data, Create Backdoor

I always think twice before installing a web browser extension. If you think that I am paranoid, this article should change your mind.

From the article:

The 108 extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. Each targets a different type of user, but all share the same backend.

The extensions provide the expected functionality to avoid raising suspicion, but malicious code running in the background connects to the threat actor’s C&C to perform the nefarious activities.

Signed software abused to deploy antivirus-killing scripts

Talk about "legend" in a negative way. This article should have your vote on that. I mean: what? Who would even think about this? I mean, read the excerpt below.

The ClockRemoval.ps1 script also executes a routine when the system boots, at logon, and every 30 minutes, to make sure that AV products are no longer present on the system by stopping services, killing processes, deleting installation directories and registry entries, silently running vendors' uninstallers, and forcefully deleting files when uninstallers fail.

It also ensures that the security products cannot be reinstalled or updated by blocking the vendor's domains through modifying the hosts file and null-routing them (redirecting to 0.0.0.0).

That data breach alert might be a trap

The article is not trying to tell you to ignore a data breach alert. They are raising your awareness that not all "data breaches" are worth reacting to. That's because, some alerts could be part of a social engineering attack.

If you are still wondering what that means, the following should make things clear:

To be clear: real breaches happen every day, and ignoring a legitimate notice could be as dangerous as clicking a fake one. The goal is to stop reacting on autopilot and being able to tell a genuine alert from a fake one. Take a minute to familiarize yourself with data breach-themed scams, and you’ll be better prepared the next time one lands in your inbox.

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

This is my first time reading about a zero in Microsoft Defender. To complicate issues, it could have been avoided, i.e., the disclosure of the zero-day. Based on the researcher who released the Proof of Concept (PoC) code, he released the code due to the way MSFT handled the vulnerability disclosure process. Do you smell frustration?

From the article:

The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days

While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 10th April 2026

Habdul Hazeez — Fri, 10 Apr 2026 21:23:36 +0000

Five articles. Five different topics. All here to inform you because they are worthy of your time. Will you choose to read? You should because the knowledge that you gain might save you or your organization in the future.

Welcome to this week's security review. I am Habdul Hazeez, and thank you for joining me.

As breakout time accelerates, prevention-first cybersecurity takes center stage

It's better not to let them into your systems than to hunt them down if they get in. With AI now popular and widespread, attackers and defenders are using it to be more effective in their endeavors. Hopefully, the defenders always come out on top.

A quick lesson from the article:

Threat intelligence and threat hunting are also vital to keep pace with AI-supported adversaries. An approach that harnesses both will help teams focus on what matters – how attackers are targeting them and where they might move next. AI agents might in time be able to take on more of these tasks autonomously to further speed up response times.

Hack-for-hire group caught targeting Android devices and iCloud backups

It's safe to say that someone who wants plausible deniability is at play. But, can we tell which one? Time will tell.

From the article:

This hacking campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies.

Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on people’s phones.

$3.6 Million Stolen in Bitcoin Depot Hack

You can argue that it's the company's money. But I would like to argue as well that some people's hard-earned money is gone like that and might never be recovered. It hurts when you read headlines like this and you just can't do anything about it.

The following is how the attackers stole the money, and the repercussions that the affected company might face:

The attacker obtained credentials for digital asset settlement accounts, enabling them to steal roughly 50.903 bitcoin (worth approximately $3.6 million) from Bitcoin Depot wallets.

The company’s investigation into the full extent of the incident is ongoing. It says the attack has not had a material impact on operations, but it may incur reputational, legal, incident response, and regulatory costs.

Adobe Reader Zero-Day Exploited for Months: Researcher

I want to be one of the defenders reporting issues like this to the world. Due to the popularity of Adobe Reader, issues like these should be attended to as fast as possible:

Here is what's going on:

The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”.

The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader.

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

I can't imagine the level of frustration that the researcher went through to have dumped this in the open just like that. I mean: it's an exploit for a zero-day vulnerability!

From the article:

On April 3rd, Chaotic Eclipse published a GitHub repository for the BlueHammer vulnerability exploit under the alias Nightmare-Eclipse, expressing disbelief and frustration at how Microsoft decided to address the security issue.

Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the BlueHammer exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 3rd April 2026

Habdul Hazeez — Fri, 03 Apr 2026 21:15:46 +0000

Malware, vulnerability, and research in computer security are mostly what we'll talk about in this week's security review. As always, you should know the threat out there and you're responsible for acting accordingly.

As always, my name is Habdul Hazeez. Welcome to this week's review.

Fake VS Code alerts on GitHub spread malware to developers

If you're a developer who receives lots of email notifications from GitHub, be careful of the one that you respond to.

Here is what's going on:

The discussions are posted in an automated way from newly created or low-activity accounts across thousands of repositories within a few minutes, and trigger email notifications to a large number of tagged users and followers.

The posts include links to supposedly patched versions of the impacted VS Code extensions, hosted on external services such as Google Drive.

Although Google Drive is obviously not the official software distribution channel for a VS Code extension, it’s a trusted service, and users acting in haste may miss the red flag.

Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

Username is correct. Password is correct. Successful login. Now, the question you should ask: was it a legitimate user that just accessed your system, or, was it an imposter? If you have the chance to ask yourself that question. Good for you. If an alert goes off afterwards, know that something could be wrong, e.g., a ransomware attack.

From the article:

The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market.

Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025.

Digital assets after death: Managing risks to your loved one’s digital estate

From me to you: I don't wish that you die any moment from now. Nonetheless, please, start having that conversation with your loved ones now. What happens to your digital life when you are no more? How will your family get hold of your digital assets? And questions like that. That's what the article is trying to raise awareness about. The message is for me and you.

If you still need more convincing, here is an excerpt from the article that should do the trick:

It’s important to understand that, while most big tech companies offer the ability to transfer access to a “legacy contact,” if you don’t take advantage of this before passing on, the chances are that no one will be able to access your accounts

Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

By reading the article, it's evident that if attackers successfully infect a system with this VBS malware, they can exfiltrate users' private data or deploy more malware. Also, by reading the article's title, you can ask: Who would knowingly execute a VBS malware via WhatsApp? The answer: the attackers use social engineering to get the user to do it.

Here is what's going on:

The activity begins with the attackers distributing malicious VBS files via WhatsApp messages that, when executed, create hidden folders in "C:\ProgramData" and drop renamed versions of legitimate Windows utilities like "curl.exe" (renamed as "netapi.dll") and "bitsadmin.exe" (renamed as "sc.exe").

Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.

New Rowhammer attacks give complete control of machines running Nvidia GPUs

These types have of attack have come to public light since 2014. It's, 2026 and researchers are still discovering different forms of the attack. This time, in the form of GDDRHammer and GeForge.

Here is what's going on:

GDDRHammer can manipulate the memory allocator to break isolation of GPU page tables—which, like CPU page tables, are the data structures used to store mappings between virtual addresses and physical DRAM addresses—and user data stored on the GPU. The result is that the attacker acquires the ability to both read and write to GPU memory.

GeForge, too, uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory to acquire read and write access to the GPU memory space. From there, it acquires the same privileges over host CPU memory.

'NoVoice' Android malware on Google Play infected 2.3 million devices

If you have a device that has security updates from 2021 to the current date, you can mitigate the flaws targeted by this NoVoice malware. Otherwise, you are vulnerable.

Here is what NoVoice can do to an infected device:

According to McAfee researchers, the threat actor concealed malicious components in the com.facebook.utils package, mixing them with the legitimate Facebook SDK classes.

An encrypted payload (enc.apk) hidden inside a PNG image file using steganography is extracted (h.apk) and loaded in system memory while wiping all intermediate files to eliminate traces.

The malware then contacts the command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version (and patch level), installed apps, and root status, to determine the exploit strategy.

Critical Vulnerability in Claude Code Emerges Days After Source Leak

It's one thing to accidentally leak the source code of one of your tools and it's another for someone to discover a vulnerability. Now, we can say you have to do two things: build another version of the tools whose code got leaked, and ensure that it does not get to the public. Second, find a way to protect the users of the current version from the vulnerability. Anyways, we can say, Anthropic has a lot to deal with.

From the article, here is some brief information about the vulnerability:

The problem stems from Anthropic’s desire for improved performance following the discovery of a performance issue: complex compound commands caused the UI to freeze. Anthropic fixed this by capping analysis at 50 subcommands, with a fall back to a generic ‘ask’ prompt for anything else. The code comment states, “Fifty is generous: legitimate user commands don’t split that wide. Above the cap we fall back to ‘ask’ (safe default — we can’t prove safety, so we prompt).”

The flaw discovered by Adversa is that this process can be manipulated. Anthropic’s assumption doesn’t account for AI-generated commands from prompt injection — where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 27th March 2026

Habdul Hazeez — Fri, 27 Mar 2026 21:03:26 +0000

While cybersecurity defenders are looking for innovative ways to keep Internet users safe, cybercriminals are doing the opposite — to hurt users by stealing their money or information that can lead to theft or other things that are valuable to the user. It's upon me and you to always know the threat out there and act accordingly.

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

It's a phishing attack. To complicate issues, if you fall for it, it takes around 25 seconds from script execution to credential exfiltration.

Here is what's going on:

The initial dropper file is a Visual Basic Script (VBScript) that, upon opening, displays a bogus French-language error message, fooling message recipients into thinking that the file is corrupted.

...the heavily obfuscated script runs a series of checks to evade sandboxes and enters into a persistent User Account Control (UAC) loop that prompts users to run it with administrator privileges.

As soon as the dropper obtains administrative privileges, it wastes no time disabling security controls and covering up its tracks

Convicted spyware chief hints that Greece’s government was behind dozens of phone hacks

While reading the article, one thing is clear: someone hacked the phones of government officials and journalists. The spyware chief was sentenced to eight years in prison and now he claims he will not be a "scapegoat."

From the article:

Several senior officials in the Greek government, including the head of Greece’s national intelligence agency and a senior aide to the Prime Minister Kyriakos Mitsotakis, resigned in the wake of revelations that several journalists’ phones had been hacked.

No government officials have been convicted in connection with the surveillance, and critics have accused the Mitsotakis government of a cover-up.

WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

At the time of writing, Adobe has patched the vulnerability that allowed this to happen, but it appears that the patch is yet to reach production websites.

The following is how the skimmer works:

The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address ("202.181.177[.]177") over UDP port 3479 and retrieves JavaScript code that's subsequently injected into the web page for stealing payment information.

The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (CSP) directives.

Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks

The article title says it all. If you're not in the loop in the past few weeks, let me update you. The hacking tools in question are DarkSword and Coruna. The former was leaked on GitHub, making it easy for anyone to launch attacks on older iOS users.

From the article:

The discovery of Coruna and DarkSword suggest that memory-based attacks could continue to plague users of older iPhones and iPads that lag behind the newer, more memory-safe models.

Experts working for iVerify and Lookout, two cybersecurity companies that have a commercial stake in selling security products for mobile devices, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.

Security news weekly round-up - 20th March 2026

Habdul Hazeez — Fri, 20 Mar 2026 22:57:50 +0000

One thing is certain. Vulnerabilities are not going anywhere anytime soon because humans are not perfect and our imperfections can show in what we create. Also, while technology like AI applications can help you become productive, it can lead to a data breach.

This and more is what we are about to review. Let's begin.

Researchers disclose vulnerabilities in IP KVMs from four manufacturers

The vulnerability risk is high because the kind of power that it gives to the attackers is dangerous.

For example:

The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks.

This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network.

The Collapse of Predictive Security in the Age of Machine-Speed Attacks

As a cyber defender, know that it's nothing new. You just need to change how you protect the systems that you are charged to protect.

Here is what's going on:

“Preemptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume.”

Internet access brokers are a primary cause for this necessary shift in defense, and the success of infostealers are key to the IABs’ efficiency. “Infostealers provide a gold mine of information that attackers can use,”

Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches

It's your responsibility to know the apps in your environment.

From the article:

While complexity is the enemy of security, SaaS is the disguiser and multiplier of complexity, through poor visibility into its shadow AI.

An attacker can often find greater visibility into a SaaS app by stealing the right OAuth access and/or refresh token (courtesy of the modern infostealer that can enter, scrape and depart without the victim realizing it).

‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors

What I found fascinating from the article is: the exploit is written in JavaScript. I know, it sounds weird, but it's what it is.

From the article:

Written completely in JavaScript, DarkSword starts with the exploitation of Safari bugs to achieve remote code execution (RCE), continues with a sandbox escape, and shifts to exploiting kernel flaws to inject and execute JavaScript code for privilege escalation and final payload execution.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week, and I'll see you next time.