<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Habdul Hazeez</title>
    <description>The latest articles on DEV Community by Habdul Hazeez (@ziizium).</description>
    <link>https://dev.to/ziizium</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F140071%2F5859d8d2-07fa-4599-890e-d1c25bf596e6.webp</url>
      <title>DEV Community: Habdul Hazeez</title>
      <link>https://dev.to/ziizium</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ziizium"/>
    <language>en</language>
    <item>
      <title>Security news weekly round-up - 29th May 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 29 May 2026 22:40:28 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-29th-may-2026-15ap</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-29th-may-2026-15ap</guid>
      <description>&lt;p&gt;Malware and vulnerabilities are the stuff of nightmares for any security-conscious internet user. If you add privacy invasion into the mix, it gets worse. I mean: a website spying on you using the activity of your SSD can sound like a script from your favorite sci-fi movie. However, it's reality.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/cybersecurity/foul-play-fake-fifa-world-cup-websites-tickets/" rel="noopener noreferrer"&gt;Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The FIFA World Cup season is around the corner. Be careful with any random search result while looking to buy tickets or merchandise. Go to the official website. Do not search on Google.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won't notice.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/05/23/you-dont-have-to-click-anything-to-get-hacked-anymore-heres-how-to-fight-back/" rel="noopener noreferrer"&gt;These special phone and app features can help protect you from spyware&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;If you feel that you are targeted, or you think you could be in the future, go through the article. It covers how to get it done on your iPhone and Android devices.&lt;/p&gt;

&lt;p&gt;The following should get you started:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff&lt;/p&gt;

&lt;p&gt;No security measure is perfect, and it’s a constant effort to keep security flaws at bay. But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html" rel="noopener noreferrer"&gt;AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Do not use AI chatbots for searching for download links on the Internet. If you think that's too much to ask, read the article.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning.&lt;/p&gt;

&lt;p&gt;Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/" rel="noopener noreferrer"&gt;Websites have a new way to spy on visitors: Analyzing their SSD activity&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Among the things that I never thought would be possible while browsing the web, this has to be in the top 10. While reading, it reminded me of https[://]browserspy[.]dk.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.&lt;/p&gt;

&lt;p&gt;The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/new-btmob-android-malware-enables-full-device-takeover/" rel="noopener noreferrer"&gt;New BTMOB Android Malware Enables Full Device Takeover&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Another Android malware that you and I have to think about. Like previously documented Android malware, this one also abuses the Accessibility Services on the device.&lt;/p&gt;

&lt;p&gt;Here is how the malware spreads, and what it can do:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK.&lt;/p&gt;

&lt;p&gt;Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/05/fed-up-with-vibe-coders-dev-sneaks-data-nuking-prompt-injection-into-their-code/" rel="noopener noreferrer"&gt;Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It can be funny when you read the title. However, it wouldn't be funny if you ended up being a victim.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The addition was a prompt injection, a form of AI attack that exploits an LLM’s inability to distinguish between legitimate user prompts and those from unauthorized, potentially malicious third parties. AI coding agents that were vulnerable would then delete work product produced by the testing app.&lt;/p&gt;

&lt;p&gt;The reception to the discovery has been chilly. One discussion participant called the move “childish,” while another one questioned its legality in some jurisdictions.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 22nd May 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 22 May 2026 21:15:56 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-22nd-may-2026-5ak1</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-22nd-may-2026-5ak1</guid>
      <description>&lt;p&gt;Security lapses and an almost decade-old vulnerability are among the topics that we're going to review this week. From all the articles that we'll review, one thing is common: humans are not perfect, and sometimes we need constant reminders to let us know what to do and when to do it.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html" rel="noopener noreferrer"&gt;9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I would like to know the cause behind the surge of Linux vulnerabilities in the past few months. We have had CopyFail, Dirty Frag, Fragnesia, and now this? Does it have anything to do with Anthropic's Mythos? Anything? Let me know in the comments section.&lt;/p&gt;

&lt;p&gt;Now, on to the article. The title is a good summary of the vulnerability, and the following excerpt tells you more:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/" rel="noopener noreferrer"&gt;Scammers are abusing an internal Microsoft account to send spam links&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;This type of incident reminds me of the following: always verify everything you read in your email even if it appears to come from a "trusted" source. Imagine seeing an email that appears to be from MSFT and it's from scammers!&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications that purported to triple the value of any crypto users send in — a widely known scam used to steal people’s cryptocurrency.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.crowdstrike.com/en-us/blog/how-to-protect-identities-and-sessions-from-infostealers/" rel="noopener noreferrer"&gt;How to Protect Identities and Sessions from Infostealers&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Infostealers. I don't know what to say. This blog post from CrowdStrike details the danger they pose to your system and your life, and how to protect yourself.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;An infostealer is a type of malware specifically designed to do what its name suggests: steal sensitive information. Often deployed through phishing emails, malicious downloads, compromised websites, or exploited vulnerabilities&lt;/p&gt;

&lt;p&gt;The impact of an infostealer attack can be devastating. Because infostealers quietly extract sensitive data, organizations often remain unaware until significant damage has been done.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/" rel="noopener noreferrer"&gt;CISA Admin Leaked AWS GovCloud Keys on Github&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When I saw the article's title, I read it all. I kept wondering: how did it happen? I mean, you work for CISA and you put stuff like this in a public GitHub repo and ironically you name it "Private CISA". This is beyond me.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.&lt;/p&gt;

&lt;p&gt;I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/scams/geopolitical-turmoil-gift-scammers-how-stay-safe/" rel="noopener noreferrer"&gt;Why geopolitical turmoil is a gift for scammers, and how to stay safe&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When something is happening in the world and it's everywhere (the news, the papers, etc., you name it), scammers tend to use such situations to compromise unsuspecting users. That's why you need to control, or should I say keep, your emotions "in check" when global events happen. Whether you like what's going on or not, do not be quick to react when you're online or offline.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A good rule of thumb is never to click on links or open attachments in unsolicited messages, even if they look convincing and appear as if sent from a trusted source.&lt;/p&gt;

&lt;p&gt;If you really want to know if it’s a genuine message or not, check independently with the sender; i.e., don’t reply directly or use contact details in the message itself. Or if it’s a news story, go direct to your favored news outlet.&lt;/p&gt;

&lt;p&gt;Be cautious of social media accounts, especially those that appear to be customer service accounts for airlines and the like. These are easier than you’d think to set up and platform providers are always a step behind in taking them down.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 15th May 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 15 May 2026 21:24:36 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-15th-may-2026-4g8h</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-15th-may-2026-4g8h</guid>
      <description>&lt;p&gt;Malware and vulnerabilities dominate our review this week. This shows that humans always create bad stuff and that what we create is not always perfect; hence, a vulnerability can exist in our software and applications.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/" rel="noopener noreferrer"&gt;Hackers abuse Google ads, Claude.ai chats to push Mac malware&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When you search for anything online with the hope of getting a download link, be cautious of the link that you click on.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac. The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/researcher-drops-yellowkey-greenplasma-windows-zero-days/" rel="noopener noreferrer"&gt;Researcher Drops YellowKey, GreenPlasma Windows Zero-Days&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;If I remember correctly, we wrote something about this same researcher some weeks ago. They did this for the same reason: frustration about the way MSFT handled the vulnerability disclosure. And now they have done another one!&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;According to the researcher, the underlying issue for YellowKey is a well-hidden vulnerability without an explicit root cause, and could be a backdoor intentionally planted into BitLocker.&lt;/p&gt;

&lt;p&gt;The second zero-day Windows exploit dropped by Chaotic Eclipse is named GreenPlasma and allows attackers to elevate their privileges to System. The researcher published a PoC exploit stripped of the code required to achieve a full System shell.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/05/14/openai-says-hackers-stole-some-data-after-latest-code-security-issue/" rel="noopener noreferrer"&gt;OpenAI says hackers stole some data after latest code security issue&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;By the looks of things, it's nothing that serious. I mean &lt;em&gt;really&lt;/em&gt; serious. It's not something that you'll think: Oh, OpenAI is in big trouble, or that kind of thing.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;According to the AI giant, “only limited credential material” was taken from the affected code repositories. As a precaution, given that the affected repositories contained digital certificates used to sign OpenAI’s products, the company said it’s rotating the certificates “as a precaution,”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/new-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation/" rel="noopener noreferrer"&gt;New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;With the back-to-back public announcement of Linux vulnerabilities, will this Operating System catch a break anytime soon? We'll see.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Dubbed Fragnesia and officially tracked as CVE-2026-46300, the issue resides in the kernel’s XFRM ESP-in-TCP subsystem, allowing an unprivileged attacker to gain root permissions by overwriting sensitive system files. Fragnesia is in the same class of vulnerabilities as the recently disclosed Dirty Frag and Copy Fail.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 8th May 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 08 May 2026 21:37:49 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-8th-may-2026-1je7</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-8th-may-2026-1je7</guid>
      <description>&lt;p&gt;Do secure systems exist? Or are all systems deemed secure until they are exploited and attacked? I asked myself these two questions while working on this article and I don't have an answer. If you have an answer, kindly let me know in the comments section.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html" rel="noopener noreferrer"&gt;Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The good thing about this: they addressed the vulnerability in version 2.4.67. Nonetheless, the excerpt below gives a brief overview of the vulnerability and what we can learn from it.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/cybersecurity/fixing-password-problem-as-easy-as-123456/" rel="noopener noreferrer"&gt;Fixing the password problem is as easy as 123456&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;But it's not. It needs some enforcement from the right bodies. Because, why would someone use &lt;code&gt;123456&lt;/code&gt; as a password? It's 2026!&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.&lt;/p&gt;

&lt;p&gt;NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/attackers-could-exploit-ai-vision-models-using-imperceptible-image-changes/" rel="noopener noreferrer"&gt;Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;If you cannot see it, that does not mean that it is not there. Meanwhile, an AI model can see it and act accordingly. Here, the "act" might be something that you would not approve, e.g., exfiltration of users' data.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Cisco’s experts found that an attacker could create images that carry instructions the AI will follow, but which are too degraded for a human to read. The work builds on a first phase of research that established a measurable link between the visual distortion of a text-bearing image and its likelihood of succeeding as an attack against VLMs.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/05/07/how-anthropics-mythos-has-rewritten-firefoxs-approach-to-cybersecurity/" rel="noopener noreferrer"&gt;How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Artificial Intelligence has changed the way we do things in some industries, and cybersecurity has not been left behind. Mythos from Anthropic has the potential to change the way software developers and companies approach vulnerability discovery and patching. This article quickly highlights how Firefox is doing it without eliminating humans in the process.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It’s still not clear how AI’s emerging capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, most of the bugs discovered likely haven’t been patched, which makes it hard to capture the full scope of their impact.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/sophisticated-quasar-linux-rat-targets-software-developers/" rel="noopener noreferrer"&gt;Sophisticated Quasar Linux RAT Targets Software Developers&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Dubbed Quasar Linux (QLNX), the RAT has a modular architecture, uses multiple persistence and detection evasion mechanisms, packs a rootkit, and provides attackers with remote access to the infected machines.&lt;/p&gt;

&lt;p&gt;I have always had this belief: threat actors are willing to subvert all your defenses provided that they are determined to get or steal what you have. This is one such example. While reading the article, I kept thinking: all this effort just to steal credentials? Why?&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The malware supports 58 distinct commands, allowing attackers to interact with shells, enumerate and manipulate files and processes, create directories, download and upload files, reboot or shut down the system, open URLs, display notifications, open TCP sockets, harvest sensitive information, capture the screen, log keystrokes, and use SSH credentials to execute commands on remote hosts.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 1st May 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 01 May 2026 21:37:29 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-1st-may-2026-559c</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-1st-may-2026-559c</guid>
      <description>&lt;p&gt;Humans are not perfect, and this tends to show in what we create. That's why we will always have vulnerabilities in our software. As if that's not enough to cause a headache, there are those ready to exploit them for fun or profit, to patch them, or to wreak havoc on the affected system(s).&lt;/p&gt;

&lt;p&gt;With the growing popularity of Generative AI, we can add Prompt Injection to the list of vulnerabilities that defenders have to defend against in modern AI systems.&lt;/p&gt;

&lt;p&gt;Welcome to this week's security review here on DEV. I remain your host, Habdul Hazeez. The two opening paragraphs of this edition are an introduction to what we're about to review. So, let's begin.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/ransomware/calm-ransom-what-you-see-is-not-all-there-is/" rel="noopener noreferrer"&gt;The calm before the ransom: What you see is not all there is&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;What I want you to take away from this article: Just because everything is calm in your environment, it does not mean that your system is safe. Who knows, the login for your critical infrastructure may already be on sale and just waiting for someone interested in attacking you to buy it and come after you.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;...the absence of a visible incident is just silence, and silence can mean several things. The company with an immaculate record may indeed have top-notch defenses. But it may also have avoided the attention of anyone ill-intentioned&lt;/p&gt;

&lt;p&gt;In its 2025 Data Breach Investigations Report, Verizon put a number on how wide the gap between perceived security and actual exposure can get: it found that 54% of ransomware victims had their domains appear in at least one infostealer log or illicit marketplace posting before the attack.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/malicious-ai-prompt-injection-attacks-increasing-but-sophistication-still-low-google/" rel="noopener noreferrer"&gt;Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The title of the article is perfectly phrased to reflect what the article is trying to convey. I'll add the following: it's only a matter of time before that sophistication changes from "low" to "high". What happens if Mythos is released publicly? I don't know. You tell me.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The most important, however, from a security standpoint are the malicious prompt injection attempts. The researchers uncovered two types of such attacks: exfiltration and destruction.&lt;/p&gt;

&lt;p&gt;Some websites contained prompts instructing AI to collect data, including IPs and credentials, and send it to an attacker-specified email address.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/critical-github-vulnerability-exposed-millions-of-repositories/" rel="noopener noreferrer"&gt;Critical GitHub Vulnerability Exposed Millions of Repositories&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I was stunned when I saw the article's title. Surprised when I read it. Happy when I learned that they [the researchers] informed GitHub and they patched it the same day, March 4, 2026. However, at the time of writing, the article noted that 88 percent of Enterprise Server instances have not been updated to a patched version.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command – using nothing but a standard git client.&lt;/p&gt;

&lt;p&gt;In the case of GitHub Enterprise Server, an attacker can exploit the vulnerability to fully compromise the server and gain access to all repositories and internal secrets.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/" rel="noopener noreferrer"&gt;Popular WordPress redirect plugin hid dormant backdoor for years&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I really don't know what to say about this. Undoubtedly, this is a breach of trust of whoever was using that plug-in on their website.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The real danger for impacted websites, though, comes from the updating mechanism itself, which enabled arbitrary code execution on demand. That mechanism is still present on sites using the plugin, but dormant because the malicious external command-and-control subdomain does not resolve. The domain is active, though.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/04/critical-cpanel-authentication.html" rel="noopener noreferrer"&gt;Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;And trust me, you should!&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;...web hosting and domain registration company Namecheap disclosed that it "relates to an authentication login exploit that could allow unauthorized access to the control panel."&lt;/p&gt;

&lt;p&gt;The authentication bypass vulnerability has been assigned the CVE identifier CVE-2026-41940, and carries a CVSS score of 9.8 out of 10.0. In an update to its advisory, cPanel said patches have also been pushed to WP Squared version 136.1.7.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/04/as-the-most-severe-linux-threat-in-years-surfaces-the-world-scrambles/" rel="noopener noreferrer"&gt;The most severe Linux threat to surface in years catches the world flat-footed&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Given the significant role that Linux plays in the world right now, this does not look good. For added context, the name of the vulnerability is CopyFail.&lt;/p&gt;

&lt;p&gt;More details:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code&lt;/p&gt;

&lt;p&gt;With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html" rel="noopener noreferrer"&gt;New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When I read articles like this, genuinely, I am not surprised. Why? Attackers always, I repeat, always try to find a way to compromise a system.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it's extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint. &lt;/p&gt;

&lt;p&gt;Once launched, the malware establishes communication with "bore[.]pub," a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 17th April 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 17 Apr 2026 21:58:36 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-17th-april-2026-41ib</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-17th-april-2026-41ib</guid>
      <description>&lt;p&gt;Vulnerability and malware are the topics that dominate our review for this week. It's not good news that we will mostly talk about two topics. Mind you, these two, in the wrong hands, can wreak havoc on users around the world. Do you remember WannaCry?&lt;/p&gt;

&lt;p&gt;Let's begin our review.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/04/14/someone-planted-backdoors-in-dozens-of-wordpress-plugins-used-in-thousands-of-websites/" rel="noopener noreferrer"&gt;Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;You might think: I don't use WordPress, why should I care? Well, you should care because you never know where you'll find yourself in the future, or what you'll be doing.&lt;/p&gt;

&lt;p&gt;Here is what happened:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;someone last year bought Essential Plugin and the backdoor was soon added to the plug-ins’ source code. The backdoor sat dormant until earlier this month when it activated and began distributing malicious code to any website with the plug-ins installed.&lt;/p&gt;

&lt;p&gt;Plug-ins allow owners of WordPress-based websites to extend the site’s functionality, but in doing so grant the plug-ins access to their installations, which can open these websites to malicious extensions and potential compromise.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/100-chrome-extensions-steal-user-data-open-backdoor/" rel="noopener noreferrer"&gt;100 Chrome Extensions Steal User Data, Create Backdoor&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I always think twice before installing a web browser extension. If you think that I am paranoid, this article should change your mind.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The 108 extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. Each targets a different type of user, but all share the same backend.&lt;/p&gt;

&lt;p&gt;The extensions provide the expected functionality to avoid raising suspicion, but malicious code running in the background connects to the threat actor’s C&amp;amp;C to perform the nefarious activities.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/signed-software-abused-to-deploy-antivirus-killing-scripts/" rel="noopener noreferrer"&gt;Signed software abused to deploy antivirus-killing scripts&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Talk about a "legend" in a negative sense; this article should have your vote on that. I mean: what? Who would even think of this? Read the excerpt below.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The ClockRemoval.ps1 script also executes a routine when the system boots, at logon, and every 30 minutes, to make sure that AV products are no longer present on the system by stopping services, killing processes, deleting installation directories and registry entries, silently running vendors' uninstallers, and forcefully deleting files when uninstallers fail.&lt;/p&gt;

&lt;p&gt;It also ensures that the security products cannot be reinstalled or updated by blocking the vendor's domains through modifying the hosts file and null-routing them (redirecting to 0.0.0.0).&lt;/p&gt;
&lt;/blockquote&gt;
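&lt;p&gt;The excerpt describes a concrete, checkable technique: pointing a vendor's domains at 0.0.0.0 (or loopback) in the hosts file so that the product can neither update nor reinstall. The following Python is an added defender-side example, not code from the article or from this post. It parses a hosts file and flags names mapped to a sinkhole address, separating watchlisted vendor domains from other sinkholed names. The vendor domains and the sample hosts text are constructed placeholders; on a real system you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts and supply the domains your security products actually use.&lt;/p&gt;

```python
"""Detect hosts-file null-routing of security-vendor domains.

Added example, not code from the article or from this post.  The vendor
domain watchlist and the sample hosts-file text below are constructed
placeholders for the demonstration.
"""
import ipaddress
import re

# Addresses used to black-hole a name: the unspecified address plus
# IPv6 loopback; IPv4 loopback is handled as a whole /8 below.
SINKHOLE_ADDRS = {"0.0.0.0", "::", "::1"}
LOOPBACK_NET_V4 = ipaddress.ip_network("127.0.0.0/8")

# Names that legitimately map to loopback and must never be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback"}

# Constructed watchlist: placeholder update/licensing domains of a
# hypothetical AV vendor.  Replace with the real domains you rely on.
VENDOR_WATCHLIST = {"update.example-av.test", "license.example-av.test"}

# Constructed sample hosts file mixing benign entries with the technique
# described in the excerpt (vendor domains pointed at 0.0.0.0/127.0.0.1).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.10      intranet.example.test     # legitimate internal mapping
0.0.0.0         update.example-av.test    # null-routed vendor domain
127.0.0.1       license.example-av.test   # loopback-routed vendor domain
0.0.0.0         ads.example.test          # sinkholed, not on the watchlist
"""


def parse_hosts(text):
    """Yield (ip, [names]) for each non-comment, non-empty hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        if names:                               # skip malformed lines
            yield ip, names


def is_sinkhole(ip):
    """True if ip is 0.0.0.0, IPv6 loopback/unspecified, or in 127.0.0.0/8."""
    if ip in SINKHOLE_ADDRS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                          # not an IP address at all
        return False
    return addr.version == 4 and addr in LOOPBACK_NET_V4


def find_null_routed(text, watchlist=VENDOR_WATCHLIST):
    """Return sorted (name, ip, verdict) tuples for names mapped to a
    sinkhole address.  Watchlisted vendor domains get 'vendor-blocked';
    any other non-local name gets 'sinkholed' (ad-block hosts lists do
    this legitimately, so treat those as informational)."""
    findings = []
    for ip, names in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in LOCAL_NAMES:
                continue
            verdict = "vendor-blocked" if lname in watchlist else "sinkholed"
            findings.append((lname, ip, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for name, ip, verdict in find_null_routed(SAMPLE_HOSTS):
        print(f"{verdict:15} {name} {ip}")
```

&lt;p&gt;Running it against the constructed sample reports both vendor placeholders as vendor-blocked and the ad domain as merely sinkholed. A scheduled run of a check like this, or a file-integrity alert on the hosts file itself, surfaces the tampering the excerpt describes before the next update window silently fails.&lt;/p&gt;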

&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/scams/data-breach-alert-might-be-trap/" rel="noopener noreferrer"&gt;That data breach alert might be a trap&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The article is not telling you to ignore a data breach alert. It is raising your awareness that not all "data breaches" are worth reacting to, because some alerts could be part of a social engineering attack.&lt;/p&gt;

&lt;p&gt;If you are still wondering what that means, the following should make things clear:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;To be clear: real breaches happen every day, and ignoring a legitimate notice could be as dangerous as clicking a fake one. The goal is to stop reacting on autopilot and being able to tell a genuine alert from a fake one. Take a minute to familiarize yourself with data breach-themed scams, and you’ll be better prepared the next time one lands in your inbox.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html" rel="noopener noreferrer"&gt;Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;This is my first time reading about a zero-day in Microsoft Defender. To complicate matters, the disclosure of the zero-day could have been avoided. According to the researcher who released the Proof of Concept (PoC) code, he released it because of the way Microsoft (MSFT) handled the vulnerability disclosure process. Do you smell frustration?&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days&lt;/p&gt;

&lt;p&gt;While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 10th April 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 10 Apr 2026 21:23:36 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-10th-april-2026-l5n</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-10th-april-2026-l5n</guid>
      <description>&lt;p&gt;Five articles. Five different topics. All here to inform you because they are worthy of your time. Will you choose to read? You should because the knowledge that you gain might save you or your organization in the future.&lt;/p&gt;

&lt;p&gt;Welcome to this week's security review. I am Habdul Hazeez, and thank you for joining me.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/business-security/breakout-time-accelerates-prevention-first-cybersecurity-center-stage/" rel="noopener noreferrer"&gt;As breakout time accelerates, prevention-first cybersecurity takes center stage&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It's better not to let them into your systems than to hunt them down if they get in. With AI now popular and widespread, attackers and defenders are using it to be more effective in their endeavors. Hopefully, the defenders always come out on top.&lt;/p&gt;

&lt;p&gt;A quick lesson from the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Threat intelligence and threat hunting are also vital to keep pace with AI-supported adversaries. An approach that harnesses both will help teams focus on what matters – how attackers are targeting them and where they might move next. AI agents might in time be able to take on more of these tasks autonomously to further speed up response times.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/04/08/hack-for-hire-group-caught-targeting-android-devices-and-icloud-backups/" rel="noopener noreferrer"&gt;Hack-for-hire group caught targeting Android devices and iCloud backups&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It's safe to say that someone who wants plausible deniability is at play. But can we tell which one? Time will tell.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This hacking campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies.&lt;/p&gt;

&lt;p&gt;Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on people’s phones.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/3-6-million-stolen-in-bitcoin-depot-hack/" rel="noopener noreferrer"&gt;$3.6 Million Stolen in Bitcoin Depot Hack&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;You can argue that it's the company's money. But I would like to argue as well that some people's hard-earned money is gone like that and might never be recovered. It hurts when you read headlines like this and you just can't do anything about it.&lt;/p&gt;

&lt;p&gt;The following is how the attackers stole the money, and the repercussions that the affected company might face:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The attacker obtained credentials for digital asset settlement accounts, enabling them to steal roughly 50.903 bitcoin (worth approximately $3.6 million) from Bitcoin Depot wallets.&lt;/p&gt;

&lt;p&gt;The company’s investigation into the full extent of the incident is ongoing. It says the attack has not had a material impact on operations, but it may incur reputational, legal, incident response, and regulatory costs.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/adobe-reader-zero-day-exploited-for-months-researcher/" rel="noopener noreferrer"&gt;Adobe Reader Zero-Day Exploited for Months: Researcher&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I want to be one of the defenders reporting issues like this to the world. Due to the popularity of Adobe Reader, issues like these should be attended to as fast as possible.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The new Reader exploit was detected by Expmon, and an analysis showed that the identified PDF “acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits”.&lt;/p&gt;

&lt;p&gt;The researcher believes the PDF exploits a zero-day vulnerability as the attack has been confirmed to work against the latest version of Adobe Reader.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/" rel="noopener noreferrer"&gt;Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I can't imagine the level of frustration that the researcher went through to have dumped this in the open just like that. I mean: it's an exploit for a zero-day vulnerability!&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;On April 3rd, Chaotic Eclipse published a GitHub repository for the BlueHammer vulnerability exploit under the alias Nightmare-Eclipse, expressing disbelief and frustration at how Microsoft decided to address the security issue.&lt;/p&gt;

&lt;p&gt;Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the BlueHammer exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 3rd April 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 03 Apr 2026 21:15:46 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-3rd-april-2026-9ec</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-3rd-april-2026-9ec</guid>
      <description>&lt;p&gt;Malware, vulnerability, and research in computer security are mostly what we'll talk about in this week's security review. As always, you should know the threat out there and you're responsible for acting accordingly.&lt;/p&gt;

&lt;p&gt;As always, my name is Habdul Hazeez. Welcome to this week's review.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/" rel="noopener noreferrer"&gt;Fake VS Code alerts on GitHub spread malware to developers&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;If you're a developer who receives lots of email notifications from GitHub, be careful of the one that you respond to.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The discussions are posted in an automated way from newly created or low-activity accounts across thousands of repositories within a few minutes, and trigger email notifications to a large number of tagged users and followers.&lt;/p&gt;

&lt;p&gt;The posts include links to supposedly patched versions of the impacted VS Code extensions, hosted on external services such as Google Drive.&lt;/p&gt;

&lt;p&gt;Although Google Drive is obviously not the official software distribution channel for a VS Code extension, it’s a trusted service, and users acting in haste may miss the red flag.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/stolen-logins-are-fueling-everything-from-ransomware-to-nation-state-cyberattacks/" rel="noopener noreferrer"&gt;Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Username is correct. Password is correct. Successful login. Now, the question you should ask: was it a legitimate user that just accessed your system, or was it an impostor? If you have the chance to ask yourself that question, good for you. If an alert goes off afterwards, know that something could be wrong, e.g., a ransomware attack.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market.&lt;/p&gt;

&lt;p&gt;Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.welivesecurity.com/en/cybersecurity/digital-assets-death-managing-risks-your-loved-ones-digital-estate/" rel="noopener noreferrer"&gt;Digital assets after death: Managing risks to your loved one’s digital estate&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;From me to you: I don't wish that you die any moment from now. Nonetheless, please, start having that conversation with your loved ones now. What happens to your digital life when you are no more? How will your family get hold of your digital assets? And questions like that. That's what the article is trying to raise awareness about. The message is for me and you.&lt;/p&gt;

&lt;p&gt;If you still need more convincing, here is an excerpt from the article that should do the trick:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It’s important to understand that, while most big tech companies offer the ability to transfer access to a “legacy contact,” if you don’t take advantage of this before passing on, the chances are that no one will be able to access your accounts&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html" rel="noopener noreferrer"&gt;Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;By reading the article, it's evident that if attackers successfully infect a system with this VBS malware, they can exfiltrate users' private data or deploy more malware. Also, by reading the article's title, you can ask: Who would knowingly execute a VBS malware via WhatsApp? The answer: the attackers use social engineering to get the user to do it.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The activity begins with the attackers distributing malicious VBS files via WhatsApp messages that, when executed, create hidden folders in "C:\ProgramData" and drop renamed versions of legitimate Windows utilities like "curl.exe" (renamed as "netapi.dll") and "bitsadmin.exe" (renamed as "sc.exe").&lt;/p&gt;

&lt;p&gt;Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/04/new-rowhammer-attacks-give-complete-control-of-machines-running-nvidia-gpus/" rel="noopener noreferrer"&gt;New Rowhammer attacks give complete control of machines running Nvidia GPUs&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;These types of attack have been public knowledge since 2014. It's 2026, and researchers are still discovering new forms of the attack. This time, in the form of GDDRHammer and GeForge.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;GDDRHammer can manipulate the memory allocator to break isolation of GPU page tables—which, like CPU page tables, are the data structures used to store mappings between virtual addresses and physical DRAM addresses—and user data stored on the GPU. The result is that the attacker acquires the ability to both read and write to GPU memory.&lt;/p&gt;

&lt;p&gt;GeForge, too, uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory to acquire read and write access to the GPU memory space. From there, it acquires the same privileges over host CPU memory.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-google-play-infected-23-million-devices/" rel="noopener noreferrer"&gt;'NoVoice' Android malware on Google Play infected 2.3 million devices&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;If your device has received security updates from 2021 up to the current date, you can mitigate the flaws targeted by this NoVoice malware. Otherwise, you are vulnerable.&lt;/p&gt;

&lt;p&gt;Here is what NoVoice can do to an infected device:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;According to McAfee researchers, the threat actor concealed malicious components in the com.facebook.utils package, mixing them with the legitimate Facebook SDK classes.&lt;/p&gt;

&lt;p&gt;An encrypted payload (enc.apk) hidden inside a PNG image file using steganography is extracted (h.apk) and loaded in system memory while wiping all intermediate files to eliminate traces.&lt;/p&gt;

&lt;p&gt;The malware then contacts the command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version (and patch level), installed apps, and root status, to determine the exploit strategy.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/critical-vulnerability-in-claude-code-emerges-days-after-source-leak/" rel="noopener noreferrer"&gt;Critical Vulnerability in Claude Code Emerges Days After Source Leak&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It's one thing to accidentally leak the source code of one of your tools, and it's another for someone to discover a vulnerability in it. Now, we can say you have to do two things: first, build another version of the tool whose code got leaked, and ensure that it does not reach the public. Second, find a way to protect the users of the current version from the vulnerability. Anyway, we can say Anthropic has a lot to deal with.&lt;/p&gt;

&lt;p&gt;From the article, here is some brief information about the vulnerability:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The problem stems from Anthropic’s desire for improved performance following the discovery of a performance issue: complex compound commands caused the UI to freeze. Anthropic fixed this by capping analysis at 50 subcommands, with a fall back to a generic ‘ask’ prompt for anything else. The code comment states, “Fifty is generous: legitimate user commands don’t split that wide. Above the cap we fall back to ‘ask’ (safe default — we can’t prove safety, so we prompt).”&lt;/p&gt;

&lt;p&gt;The flaw discovered by Adversa is that this process can be manipulated. Anthropic’s assumption doesn’t account for AI-generated commands from prompt injection — where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 27th March 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 27 Mar 2026 21:03:26 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-27th-march-2026-3ik8</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-27th-march-2026-3ik8</guid>
      <description>&lt;p&gt;While cybersecurity defenders are looking for innovative ways to keep Internet users safe, cybercriminals are doing the opposite — to hurt users by stealing their money or information that can lead to theft or other things that are valuable to the user. It's upon me and you to always know the threat out there and act accordingly.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html" rel="noopener noreferrer"&gt;Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It's a phishing attack. To complicate issues, if you fall for it, it takes around 25 seconds from script execution to credential exfiltration.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The initial dropper file is a Visual Basic Script (VBScript) that, upon opening, displays a bogus French-language error message, fooling message recipients into thinking that the file is corrupted.&lt;/p&gt;

&lt;p&gt;...the heavily obfuscated script runs a series of checks to evade sandboxes and enters into a persistent User Account Control (UAC) loop that prompts users to run it with administrator privileges.&lt;/p&gt;

&lt;p&gt;As soon as the dropper obtains administrative privileges, it wastes no time disabling security controls and covering up its tracks&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/03/25/convicted-spyware-chief-hints-that-greeces-government-was-behind-dozens-of-phone-hacks/" rel="noopener noreferrer"&gt;Convicted spyware chief hints that Greece’s government was behind dozens of phone hacks&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;While reading the article, one thing is clear: someone hacked the phones of government officials and journalists. The spyware chief was sentenced to eight years in prison and now he claims he will not be a "scapegoat."&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Several senior officials in the Greek government, including the head of Greece’s national intelligence agency and a senior aide to the Prime Minister Kyriakos Mitsotakis, resigned in the wake of revelations that several journalists’ phones had been hacked.&lt;/p&gt;

&lt;p&gt;No government officials have been convicted in connection with the surveillance, and critics have accused the Mitsotakis government of a cover-up.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html" rel="noopener noreferrer"&gt;WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;At the time of writing, Adobe has patched the vulnerability that allowed this to happen, but it appears that the patch is yet to reach production websites.&lt;/p&gt;

&lt;p&gt;The following is how the skimmer works:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address ("202.181.177[.]177") over UDP port 3479 and retrieves JavaScript code that's subsequently injected into the web page for stealing payment information. &lt;/p&gt;

&lt;p&gt;The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (CSP) directives. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/03/26/apple-made-strides-with-ios-26-security-but-leaked-hacking-tools-still-leave-millions-exposed-to-spyware-attacks/" rel="noopener noreferrer"&gt;Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The article title says it all. If you haven't been in the loop for the past few weeks, let me update you. The hacking tools in question are DarkSword and Coruna. The former was leaked on GitHub, making it easy for anyone to launch attacks on users of older iOS versions.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The discovery of Coruna and DarkSword suggest that memory-based attacks could continue to plague users of older iPhones and iPads that lag behind the newer, more memory-safe models.&lt;/p&gt;

&lt;p&gt;Experts working for iVerify and Lookout, two cybersecurity companies that have a commercial stake in selling security products for mobile devices, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 20th March 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 20 Mar 2026 22:57:50 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-20th-march-2026-2oc3</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-20th-march-2026-2oc3</guid>
      <description>&lt;p&gt;One thing is certain. Vulnerabilities are not going anywhere anytime soon because humans are not perfect and our imperfections can show in what we create. Also, while technology like AI applications can help you become productive, it can lead to a data breach.&lt;/p&gt;

&lt;p&gt;This and more is what we are about to review. Let's begin.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabilities-in-ip-kvms-from-4-manufacturers/" rel="noopener noreferrer"&gt;Researchers disclose vulnerabilities in IP KVMs from four manufacturers&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The risk is high because of the kind of power that these vulnerabilities give to attackers.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks.&lt;/p&gt;

&lt;p&gt;This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/the-collapse-of-predictive-security-in-the-age-of-machine-speed-attacks/" rel="noopener noreferrer"&gt;The Collapse of Predictive Security in the Age of Machine-Speed Attacks&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;As a cyber defender, know that it's nothing new. You just need to change how you protect the systems that you are charged to protect.&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“Preemptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume.”&lt;/p&gt;

&lt;p&gt;Internet access brokers are a primary cause for this necessary shift in defense, and the success of infostealers are key to the IABs’ efficiency. “Infostealers provide a gold mine of information that attackers can use,”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/the-shadow-ai-problem-how-saas-apps-are-quietly-enabling-massive-breaches/" rel="noopener noreferrer"&gt;Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It's your responsibility to know the apps in your environment.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;While complexity is the enemy of security, SaaS is the disguiser and multiplier of complexity, through poor visibility into its shadow AI.&lt;/p&gt;

&lt;p&gt;An attacker can often find greater visibility into a SaaS app by stealing the right OAuth access and/or refresh token (courtesy of the modern infostealer that can enter, scrape and depart without the victim realizing it).&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/darksword-ios-exploit-kit-used-by-state-sponsored-hackers-spyware-vendors/" rel="noopener noreferrer"&gt;‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;What I found fascinating from the article is: the exploit is written in JavaScript. I know, it sounds weird, but it is what it is.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Written completely in JavaScript, DarkSword starts with the exploitation of Safari bugs to achieve remote code execution (RCE), continues with a sandbox escape, and shifts to exploiting kernel flaws to inject and execute JavaScript code for privilege escalation and final payload execution.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 13th March 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 13 Mar 2026 22:45:37 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-13th-march-2026-5fh1</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-13th-march-2026-5fh1</guid>
      <description>&lt;p&gt;Security education can go a long way. It can help companies and users patch their vulnerable systems and be aware of the threats that are out there. The results? A better security posture.&lt;/p&gt;

&lt;p&gt;In this week's review, we have the usual suspects: malware and phishing. And in the mix, we have some more news.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/" rel="noopener noreferrer"&gt;How AI Assistants are Moving the Security Goalposts&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;It is a funny title from Brian Krebs. Still, it should sound the security alarm within you if you have been following the trend of OpenClaw since its release. We could talk about it all day, but the following is what I want you to take away from the article.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Jamieson O’Reilly is a professional penetration tester and founder of the security firm DVULN. In a recent story posted to Twitter/X, O’Reilly warned that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential the agent uses — from API keys and bot tokens to OAuth secrets and signing keys.&lt;/p&gt;

&lt;p&gt;With that access, O’Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent’s existing integrations in a way that looks like normal traffic.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html" rel="noopener noreferrer"&gt;Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;The good news is that they have patched it. Now, we should worry: what other attacks can researchers devise against these types of web browsers? Time will tell.&lt;/p&gt;

&lt;p&gt;Here is what happened:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The research builds on prior techniques like VibeScamming and Scamlexity, which found that vibe-coding platforms and AI browsers could be coaxed into generating scam pages or carrying out malicious actions via hidden prompt injections.&lt;/p&gt;

&lt;p&gt;In other words, with the AI agent handling the tasks without constant human supervision, there arises a shift in the attack surface wherein a scam no longer has to deceive a user. Rather, it aims to trick the AI model itself.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/" rel="noopener noreferrer"&gt;14,000 routers are infected by malware that’s highly resistant to takedowns&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Here, resistant to takedown means that one of the ways to get rid of the malware, if you're infected, is to perform a factory reset!&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars.&lt;/p&gt;

&lt;p&gt;The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html" rel="noopener noreferrer"&gt;Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When you read the article's title, you can be certain of one thing: the malware families are used to steal people's money. One of the malware families — PixRevolution — steals money in such a way that it's difficult for the victim to know what happened.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The Android malware range from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.&lt;/p&gt;

&lt;p&gt;PixRevolution, according to Zimperium, targets Brazil's Pix instant payment platform, hijacking victims' money transfers in real-time to route them to the threat actors instead of the intended payee.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Security news weekly round-up - 6th March 2026</title>
      <dc:creator>Habdul Hazeez</dc:creator>
      <pubDate>Fri, 06 Mar 2026 21:05:05 +0000</pubDate>
      <link>https://dev.to/ziizium/security-news-weekly-round-up-6th-march-2026-1jeg</link>
      <guid>https://dev.to/ziizium/security-news-weekly-round-up-6th-march-2026-1jeg</guid>
      <description>&lt;p&gt;This week's security review is centered around hackers — the good ones and the bad ones. If you're not familiar, the good hackers are the security researchers who investigate how we [the general Internet users] can stay safe online. Conversely, the bad hackers are those who devise mischievous ways to make the life of Internet users miserable, e.g., wasting users' time, stealing data and money, e.t.c.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/" rel="noopener noreferrer"&gt;APT37 hackers use new malware to breach air-gapped networks&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When you read the phrase "air-gapped networks", you should automatically think that such networks exist in critical infrastructure where security is of great importance. Also, they should be "safe" from outside intrusion. Well, that's not always true, and this article is proof that threat actors still find ways to steal data from air-gapped networks.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The infection chain begins when the victim opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script that extracts payloads embedded in the LNK file. To divert attention, the script also launches a decoy document.&lt;/p&gt;

&lt;p&gt;The PowerShell script loads the first malware component, called RESTLEAF, an implant that communicates with APT37's command-and-control (C2) infrastructure using Zoho WorkDrive.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/hackers-weaponize-claude-code-in-mexican-government-cyberattack/" rel="noopener noreferrer"&gt;Hackers Weaponize Claude Code in Mexican Government Cyberattack&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When you read the article, you'll realize it's funny how the hackers got Claude to comply.&lt;/p&gt;

&lt;p&gt;Here is what happened and what the hackers stole:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The attacker bypassed the AI’s guardrails by convincing it that all actions were authorized, guided the assistant throughout the compromise, and leveraged OpenAI’s model to analyze data and accelerate the attack execution.&lt;/p&gt;

&lt;p&gt;Within a month, Gambit says, the hacker exfiltrated over 150GB of data, including civil registry files, tax records, and voter data. Roughly 195 million identities have been exposed in the breach.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users-at-scale-with-surprising-accuracy/" rel="noopener noreferrer"&gt;LLMs can unmask pseudonymous users at scale with surprising accuracy&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;I strongly believe that this would have been tedious work before. Now, LLMs can make it much easier.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The findings have the potential to upend pseudonymity, an imperfect but often sufficient privacy measure used by many people to post queries and participate in sometimes sensitive public discussions while making it hard for others to positively identify the speakers.&lt;/p&gt;

&lt;p&gt;The ability to cheaply and quickly identify the people behind such obscured accounts opens them up to doxxing, stalking, and the assembly of detailed marketing profiles that track where speakers live, what they do for a living, and other personal information.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/" rel="noopener noreferrer"&gt;Quantum Decryption of RSA Is Much Closer Than Expected&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;Currently, I have limited knowledge of cryptography. But I know one thing for sure: RSA is one of the most widely used encryption schemes we have today. So, if it's close to being broken, you should know about it.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A new algorithm, the JVG algorithm, completely upends existing time projections. The Advanced Quantum Technologies Institute (AQTI) announced March 2, 2026, “The JVG algorithm requires thousand-fold less quantum computer resources, such as qubits and quantum gates. Research extrapolations suggest it will require less than 5,000 qubits to break encryption methods used in RSA and ECC.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://techcrunch.com/2026/03/03/a-suite-of-government-hacking-tools-targeting-iphones-is-now-being-used-by-cybercriminals/" rel="noopener noreferrer"&gt;A suite of government hacking tools targeting iPhones is now being used by cybercriminals&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;When you think, "This is safe to develop, since we are the only ones who will be using it for 'legal' purposes," then boom! It's in the wrong hands!&lt;/p&gt;

&lt;p&gt;Here is what's going on:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Google said the hacking tools are powerful, as they can bypass an iPhone’s defenses simply through visiting a malicious website containing the exploit code — such as being sent a malicious link — in what is known as a “watering hole” attack.&lt;/p&gt;

&lt;p&gt;According to Google, the Coruna kit can hack into an iPhone five separate ways by relying on and chaining together 23 separate vulnerabilities in its digital arsenal. Affected devices range from iPhone models running iOS 13 up to 17.2.1, which was released in December 2023.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/" rel="noopener noreferrer"&gt;Wikipedia hit by self-propagating JavaScript worm that vandalized pages&lt;/a&gt;
&lt;/h2&gt;

&lt;p&gt;This is Wikipedia, the online encyclopedia. Why would someone do this? It shows that the bad guys don't care about your reputation or your usefulness to others. If they intend to wreck you, they will surely try, and it's up to you to defend yourself.&lt;/p&gt;

&lt;p&gt;From the article:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.&lt;/p&gt;

&lt;p&gt;Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality.&lt;/p&gt;

&lt;p&gt;It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Credits&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Cover photo by &lt;a href="https://unsplash.com/@hudsoncrafted" rel="noopener noreferrer"&gt;Debby Hudson on Unsplash&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;That's it for this week, and I'll see you next time.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
  </channel>
</rss>
