The Hacker News

PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said

PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann saidRavie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comProgramming / Software Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users

A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comMobile Security / Android37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming. The product in question makes it possible

Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming. The product in question makes it possible Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comVulnerability / Network Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. "

Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. "Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comAPI Management / Vulnerability37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the

Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comServer Security / Vulnerability37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

IT and cybersecurity teams are so inundated with security notifications and alerts within their own systems, it’s difficult to monitor external malicious environments – which only makes them that much more threatening.  In March, a high-profile data breach hit national headlines when personally identifiable information connected to hundreds of lawmakers and staff was leaked on the dark web. The

IT and cybersecurity teams are so inundated with security notifications and alerts within their own systems, it’s difficult to monitor external malicious environments – which only makes them that much more threatening.  In March, a high-profile data breach hit national headlines when personally identifiable information connected to hundreds of lawmakers and staff was leaked on the dark web. The The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.comCyber Threat / Dark Web37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks. "Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks. "Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comSocial Media / Cyber Risk37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023. The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023. The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comOnline Security / ChatGPT37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms. Passkeys, backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or

Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms. Passkeys, backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comPassword Security / Authentication37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.comCyber Espionage / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641