TECHZONE™

GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies https://thehackernews.com/2025/09/github-account-compromise-led-to.html Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With

GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing

⚡ Weekly Recap: Drift Breach Chaos, Zero-Days Active, Patch Warnings, Smarter Threats & More https://thehackernews.com/2025/09/weekly-recap-drift-breach-chaos-zero.html Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the

You Didn’t Get Phished — You Onboarded the Attacker https://thehackernews.com/2025/09/you-didnt-get-phished-you-onboarded.html When Attackers Get Hired: Today’s New Identity Crisis What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding. Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out. On day one, Jordan logs into email and attends

Noisy Bear Targets Kazakhstan Energy Sector With BarrelFire Phishing Campaign https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity

Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys https://thehackernews.com/2025/09/malicious-npm-packages-impersonate.html A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. "The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor," Socket researcher

Under lock and key: Safeguarding business data with encryption https://www.welivesecurity.com/en/business-security/under-lock-key-safeguarding-business-data-encryption/ As the attack surface expands and the threat landscape grows more complex, it’s time to consider whether your data protection strategy is fit for purpose

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation https://thehackernews.com/2025/09/cisa-orders-immediate-patch-of-critical.html Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience

TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations https://thehackernews.com/2025/09/tag-150-develops-castlerat-in-python.html The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group

SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. "SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/ ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results

Automation Is Redefining Pentest Delivery https://thehackernews.com/2025/09/automation-is-redefining-pentest.html Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn't kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays,

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages https://thehackernews.com/2025/09/virustotal-finds-44-undetected-svg.html Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a

Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor "is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said. "When such an email is

GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module https://thehackernews.com/2025/09/ghostredirector-hacks-65-windows.html Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module

Cybercriminals Exploit X’s Grok AI to Bypass Ad Protections and Spread Malware to Millions https://thehackernews.com/2025/09/cybercriminals-exploit-xs-grok-ai-to.html Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X's malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok. The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking. The approach is designed to

Google Fined $379 Million by French Regulator for Cookie Consent Violations https://thehackernews.com/2025/09/google-fined-379-million-by-french.html The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules. Both companies set advertising cookies on users' browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with

CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited https://thehackernews.com/2025/09/cisa-flags-tp-link-router-flaws-cve.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-50224 (CVSS score: 6.5) - An authentication bypass by spoofing vulnerability

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar. "The two npm packages abused smart contracts to conceal malicious

Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure https://thehackernews.com/2025/09/threat-actors-weaponize-hexstrike-ai-to.html Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting,