Npm Package Hides Malware in Steganographic QR Codes
The poisoned package, purporting to be a JavaScript utility, threatens the software supply chain with a highly obsfuscated credential stealer.
-
-
Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials
Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF)…
-
State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability
Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity. “Libraesva ESG is affected by a command injection flaw that can be triggered by…
-
npm Supply Chain Attack
What is the Attack? On September 8, 2025, attackers phished the npm maintainer “qix” and stole their two-factor authentication (2FA) credentials. With that access, they published malicious versions of some very popular npm packages (including debug, chalk, and ansi-styles). The impact is considered high risk for applications that serve frontend JavaScript, especially those handling payments,…
-
As Incidents Rise, Japanese Government’s Cybersecurity Falls Short
The Japanese government suffered the most cybersecurity incidents in 2024 — 447, nearly double the previous year — while failing to manage 16% of critical systems.
-
GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up
GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.
-
Exposed Docker Daemons Fuel DDoS Botnet
The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.
-
From FBI to CISO: Unconventional Paths to Cybersecurity Success
Cybersecurity leader Jason Manar shares insights on diverse career paths, essential skills, and practical advice for entering and thriving in the high-stress yet rewarding field of cybersecurity.
-
Dark Reading Confidential: Battle Space: Cyber Pros Land on the Front Lines of Protecting US Critical Infrastructure
Dark Reading Confidential Episode 10: It’s past time for a comprehensive plan to protect vital US systems from nation-state cyberattacks, and increasingly, that responsibility is falling to asset owners across a vast swath of organizations, who likely never bargained for an international cyber conflict playing out in their environments. But here we are. And here’s…
-
Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security
Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image. The medium-severity vulnerabilities, both of which stem from improper verification of a cryptographic signature, are