Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Malicious Open Sourc ...

 Cyber News

Malicious open source software packages have become a critical problem threatening the software supply chain. That’s one of the major takeaways of a new report titled “State of the Software Supply Chain” by open source software security company Sonatype. Sonatype said its researchers identified more than 454,600   show more ...

new malicious packages last year across npm, PyPI, Maven Central, NuGet, and Hugging Face, repositories which together combined for 9.8 trillion downloads. Open source malware has evolved “from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” the researchers said. “What stands out most about 2025 is not just the scale of the threat, but also the sophistication,” the report said. “Where 2024’s XZ Utils incident was groundbreaking, demonstrating how a single compromised maintainer could imperil global infrastructure, 2025 saw software supply chain risk evolve dramatically.” npm Leads in Malicious Open Source Software Packages More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically. Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain. IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.” “Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said. Open Source Malware Exploits Developer Processes Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines. “Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.” The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell ... and Shai-Hulud to have ecosystem-wide impact.” “The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact. “Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.” Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted. “AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”

image for AHA Releases New Gui ...

 Firewall Daily

Healthcare organizations in the United States face threats, ranging from public health emergencies to cyberattacks. To support hospitals and health systems in enhancing their preparedness and resilience, the American Hospital Association (AHA) has released two comprehensive resources for cyber preparedness in   show more ...

healthcare. The two guides, includes, Strategies for Medical Surge Management During Public Emergencies and Strategies for Cyber Preparedness in Health Care.   These guides are part of the AHA’s Convening Leaders for Emergency and Response initiative and are intended to increase cyber preparedness in healthcare, support staff, and sustain care delivery during crises.  The medical surge management guide is structured around the “four S’s”: staffing, supply, space, and systems. This framework provides hospitals with a methodical approach to anticipating and managing sudden increases in patient demand during pandemics, natural disasters, or other public health emergencies.  Staffing: Building a Flexible, Resilient Workforce  Staffing is critical for hospitals to respond effectively to medical surges. Adequate personnel, prepared for high-pressure scenarios, are necessary to safely expand capacity and maintain quality care. Public health crises often place prolonged stress on healthcare workers, highlighting the importance of workforce resilience and flexibility.  The AHA recommends tiered staffing models, which allow experienced clinicians, such as ICU nurses or physicians, to lead teams composed of redeployed personnel or float staff. This approach maintains high-acuity supervision while maximizing workforce capacity and reducing burnout.  A competency matrix is another key tool. By mapping staff skills, certifications, and cross-training, leaders can make rapid, informed staffing decisions during emergencies. When integrated into digital staffing platforms, these matrices enable real-time redeployment and highlight areas requiring pre-event training. Dedicated float pools also contribute to surge readiness. Cross-trained personnel can be deployed to high-demand areas without overburdening core teams, guided by activation protocols and experienced float leaders. Centralized capacity command centers further support staffing decisions, using real-time data on patient volume, acuity, and bed availability to coordinate response efforts.  Supply: Maintaining Access to Critical Resources  Reliable access to medical supplies, equipment, and medications is vital during surge events. Sudden spikes in demand can strain supply chains, making proactive inventory management and planning essential.  Hospitals are encouraged to use digital tracking systems such as barcode scanners, RFID technology, and real-time dashboards to monitor supply use and prevent shortages. Emergency stockpiles organized into modular kits, based on functions like infection control or airway management, can streamline deployment during high-pressure scenarios.   Predictive tools, including the CDC’s PPE Burn Rate Calculator and the DASH model, allow healthcare organizations to forecast needs and stay ahead of demand. Strategic stockpiles and multisource vendor contracts further strengthen supply resilience.  Space: Expanding and Adapting Care Environments  Managing a medical surge also requires adaptable physical space. Hospitals must be able to expand or repurpose care areas while maintaining infection control, safety, and operational efficiency.  Predesignating surge zones, including inpatient units, recovery areas, or off-site facilities, ensures rapid activation. Infrastructure readiness, such as Wi-Fi connectivity, electronic health record access, and medical gas availability, must be assessed in advance. Regulatory considerations, including emergency waivers and accessibility standards, should also be addressed. Regular drills and simulations familiarize staff with alternate care setups and help identify operational gaps.  Systems: Coordination, Communication, and Cybersecurity  Strong organizational systems underpin effective surge response, enabling clear governance, communication, and resource management. The companion AHA guide on cybersecurity highlights that resilient systems are equally critical for protecting healthcare organizations from increasing cyber threats. Cyber incidents, much like public health emergencies, can disrupt operations and require coordinated response plans to maintain patient safety and continuity of care.  Cyber Preparedness in Healthcare The AHA emphasizes that cyber preparedness in healthcare must be treated as an enterprise-wide priority rather than a purely technical challenge. Hospitals and health systems should embed cyber risk into governance frameworks, cultivate a cyber-aware workforce, and plan for clinical continuity during incidents. This includes cross-functional incident response plans, realistic drills, and robust backup and communication systems.  Third-party risk management is a critical component, requiring ongoing assessment of vendors and subcontractors. Additionally, hospitals are encouraged to collaborate regionally with healthcare coalitions and public health agencies to align cyber response efforts and strengthen collective resilience.  By adopting structured approaches across staffing, supply, space, and systems, and by integrating cybersecurity readiness into core operations, healthcare organizations can better anticipate challenges, respond effectively to emergencies, and recover quickly from disruptions. 

image for Major Cyberattack Cr ...

 Cyber News

A cyberattack on Delta, a Russian provider of alarm and security systems for homes, businesses, and vehicles, has disrupted operations and triggered widespread service outages, leaving many customers unable to access critical security functions. Delta, which serves tens of thousands of users across Russia, confirmed   show more ...

the Delta cyberattack on Monday, stating that it faced a major external assault on its IT infrastructure. The disruption due to cyberattack on Delta has affected both online services and customer communication channels, raising concerns about the resilience of connected security platforms. Cyberattack on Delta Security Systems Causes Major Outage In an official statement, the company emphasized its position in the market and its ongoing investments in cybersecurity. Delta said: “On January 26, DELTA experienced a large-scale external attack on its IT infrastructure aimed at disrupting the company's services.” The company added that some services were temporarily unavailable, but insisted there were no immediate signs of customer data exposure. “At this time, no signs of a compromise of customer personal data have been detected.” Delta also apologized to customers and said restoration efforts were underway with the help of specialized experts. Delta Struggles to Restore Services After Cyberattack Delta marketing director Valery Ushkov provided additional details in a video address, acknowledging the large scale of the incident. He said: “Our architecture was unable to withstand a well-coordinated attack coming from outside the country.” Ushkov noted that recovery was taking longer than expected because the company was still facing the risk of follow-up attacks while attempting to restore backups. As of Tuesday, Delta’s website and phone lines remained offline. With traditional communication channels down, the company has been forced to issue updates through its official page on VKontakte, Russia’s largest social media platform. Customers Report Alarm Failures and Vehicle Access Issues The Delta cyberattack disruption has had direct consequences for customers relying on the company’s systems for everyday safety and mobility. Russian-language Telegram outlet Baza reported that users began complaining shortly after the incidentof cyberattack on Delta that car alarm systems could not be turned off, and in some cases, vehicles could not be unlocked. Newspaper Kommersant also reported ongoing failures despite Delta’s assurances that most services were operating normally. Users described serious malfunctions, including remote vehicle start features failing, doors locking unexpectedly, and engines shutting down while in motion. In addition to vehicle-related issues, customers reported that alarm systems in homes and commercial buildings switched into emergency mode and could not be deactivated. Recorded Future News said it could not independently verify these claims. Data Leak Claims Surface After Delta Cyberattack Although Delta maintains that no customer data was compromised, uncertainty remains. An unidentified Telegram channel claiming to be operated by the attackers published an archive it alleges contains stolen information from Delta systems. However, the authenticity of the material and the identity of the hackers have not been independently verified. The cyberattack on Delta has increased anxiety among customers, particularly because Delta’s mobile app, launched in 2020, is widely used for tracking vehicles and managing alarm functions. According to Auto.ru, the app is compatible with most cars and can store payment data, making some users wary of potential financial exposure if internal systems were breached. Broader Pattern of IT Disruptions in Russia The Delta security systems cyberattack occurred on the same day as a separate large-scale outage affected booking and check-in systems used by Russian airlines and airports. Airlines reported temporary disruptions to ticket sales, refunds, and rebooking after problems were detected in aviation IT platforms. While the two incidents have not been officially linked, the timing highlights growing instability in critical digital infrastructure. No known hacking group has claimed responsibility for the cyberattack on Delta so far. It also remains unclear whether the incident was a relatively limited distributed denial-of-service (DDoS) attack or something more severe, such as ransomware or destructive malware. For now, Delta says the situation is manageable and expects services to return soon, but customer concerns continue as outages persist and unverified leak claims circulate.

image for Hackers Exploit Reac ...

 Firewall Daily

Threat actors have been actively exploiting a critical vulnerability in React Server Components, tracked as CVE-2025-55182 and commonly referred to as React2Shell, to compromise systems across multiple industry sectors worldwide.   React2Shell affects the Flight protocol, which is responsible for client–server   show more ...

communication in React Server Components. The vulnerability arises from insecure deserialization, where servers accept client-supplied data without sufficient validation.   Under specific conditions, this allows attackers to achieve remote code execution, making CVE-2025-55182 particularly dangerous in production environments.  Exploiting CVE-2025-55182  The campaign was first observed in December 2025, shortly after details of the vulnerability became available. According to BI.ZONE Threat Detection and Response, attackers moved quickly. “In December 2025, BI.ZONE TDR detected malicious activity targeting companies in the Russian insurance, e-commerce, and IT sectors.   The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability,” the company reported. The primary payload observed during this phase was the XMRig cryptocurrency miner, though Kaiji, Rustobot, and the Sliver implant were also deployed.  The vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, versions 19.0 through 19.2.0. Security patches were released in 19.0.1, 19.1.2, and 19.2.1, but exploitation continued against unpatched systems.  Malware Deployment Following React2Shell Exploitation  In one documented case targeting Russian organizations, attackers exploited the React2Shell vulnerability inside a container environment and executed a chained command sequence to download an ELF binary named bot from 176.117.107[.]154. This file was identified as RustoBot, a Rust-based botnet primarily associated with attacks on TOTOLINK devices. RustoBot resolves multiple domain names, including ilefttotolinkalone.anondns[.]net and rustbot.anondns[.]net—all pointing to the IP address 45.137.201[.]137.  RustoBot is capable of launching UDP flood, TCP flood, and Raw IP flood DDoS attacks, with configurable parameters such as duration, target address, and packet size. The malware also embeds XMRig as a secondary payload, monetizing compromised infrastructure.  Following the initial infection, attackers executed Base64-encoded shell commands that retrieved additional scripts from tr.earn[.]top. One of these, apaches.sh, installed an UPX-packed XMRig binary and established persistence through systemd services and cron jobs, storing files in /usr/local/sbin when executed as root or /tmp otherwise.  Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh. Kaiji supports SYN, ACK, and UDP flood attacks, WebSocket abuse, command execution, dynamic encrypted configuration files, extensive persistence mechanisms, and replacement of system utilities such as ls, ps, and netstat. The malware also deployed XMRig and attempted to conceal its presence by masquerading as legitimate system libraries.  Attackers later delivered the Sliver implant using the d5.sh script, which handled privilege-aware persistence and aggressively erased forensic traces by clearing shell history and deleting temporary files.   Additional Campaigns and Global Targeting  In another case, attackers exploited the same React2Shell vulnerability to deploy XMRig version 6.24.0 using setup2.sh, a modified mining script. The miner configuration included a hardcoded wallet address and companion scripts, alive.sh and lived.sh, designed to terminate competing processes while preserving the miner.  A third case involved DNS-based data exfiltration. After exploiting CVE-2025-55182, attackers executed reconnaissance commands and exfiltrated results via DNS tunneling to oastify[.]com. This was followed by the installation of XMRig from GitHub and persistence via a systemd service named system-update-service.service.  Outside Russia, it has been observed that React2Shell exploitation delivers a broader malware ecosystem. Payloads included CrossC2 for Cobalt Strike, Tactical RMM, VShell, and EtherRAT. These tools enabled long-term access, command execution, encrypted C2 communication, and stealthy persistence.  EtherRAT, in particular, retrieved its command-and-control address from an Ethereum smart contract, later contacting 91.215.85[.]42:3000 to fetch JavaScript payloads. 

image for US Charges 87 in Maj ...

 Cyber News

A federal grand jury in Nebraska has issued a new indictment in a major international cybercrime case involving an “ATM jackpotting” scheme tied to the violent transnational gang Tren de Aragua (TdA). The latest charges bring the total number of defendants accused in the operation to 87, highlighting the growing   show more ...

threat of malware-driven attacks on financial institutions across the United States. The additional indictment charges 31 individuals for their alleged roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs, a crime widely known as ATM jackpotting. Fifty-six other defendants had already been charged in earlier cases. Prosecutors say many of those involved are Venezuelan and Colombian nationals, including illegal alien members of Tren de Aragua, which has been designated a Foreign Terrorist Organization. The indictment includes 32 counts, such as conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, and damage to computers. Justice Department Highlights Terror and Financial Crime Connection Attorney General Pamela Bondi described Tren de Aragua as more than a financial crime network. “Tren de Aragua is a complex terrorist organization that commits serious financial crimes in addition to horrific rapes, murders, and drug trafficking,” Bondi said. “This Department of Justice has already prosecuted more than 290 members of Tren de Aragua and will continue working tirelessly to put these vicious terrorists behind bars after the prior administration let them infiltrate our country.” Deputy Attorney General Todd Blanche emphasized the Justice Department’s focus on dismantling the group. “A large ring of criminal aliens allegedly engaged in a nationwide conspiracy to enrich themselves and the TdA terrorist organization by ripping off American citizens,” Blanche said. “The Justice Department’s Joint Task Force Vulcan will not stop until it completely dismantles and destroys TdA and other foreign terrorists that import chaos to America.” Ploutus Malware Used in ATM Jackpotting Scheme According to court documents, the conspiracy developed and deployed a variant of malware known as Ploutus, which was used to hack into ATMs and force them to dispense cash. Investigators allege the group recruited individuals across the country to carry out the attacks. Members would travel in teams, often using multiple vehicles, to targeted banks and credit unions. The operation typically involved reconnaissance first. Groups would inspect the ATM’s external security features, then open the hood or access panel and wait nearby to see whether alarms were triggered or law enforcement responded. Once the area appeared clear, attackers allegedly installed Ploutus malware in several ways, including removing and replacing hard drives or connecting external devices like thumb drives to deploy the malicious software. The malware’s main function was to issue unauthorized commands to the ATM’s cash dispensing module, forcing withdrawals of currency. Prosecutors also say Ploutus was designed to delete evidence of the attack to mislead banks and conceal the intrusion. Proceeds were then split among members in predetermined portions. Task Force Vulcan Targets TdA’s Financial Pipeline U.S. Attorney Lesley A. Woods for Nebraska said the case is part of a broader effort to stop the gang’s funding. “Tren de Aragua uses ATM jackpotting crimes committed all across America to fund its terrorist organization,” Woods said, adding that authorities are working to “shut down their financial pipeline and handicap their ability to terrorize American communities.” Joint Task Force Vulcan Co-Director Chris Eason warned that malware-driven attacks on financial institutions will not be tolerated. “Using sophisticated malware to empty ATMs and damage U.S. financial institutions that also fund TdA’s terrorist activity will not be tolerated,” he said. FBI Omaha Special Agent in Charge Eugene Kowel noted that the conspiracy poses a direct threat nationwide. “This case highlights TdA's plot to deploy malware to steal vast funds from financial institutions across the United States,” Kowel said. Previous Indictments and Potential Sentences The latest indictment follows earlier cases returned in October and December 2025. Prosecutors allege TdA conducted jackpotting attacks across America, stealing millions and transferring proceeds among members to conceal illegally obtained cash. If convicted, defendants face maximum prison terms ranging from 20 to 335 years. Tren de Aragua originated as a Venezuelan prison gang in the mid-2000s and has since expanded throughout the Western Hemisphere. U.S. officials say the organization is involved in drug trafficking, sex trafficking, kidnapping, robbery, fraud, extortion, and murder. The Justice Department says ATM jackpotting has become one of the gang’s key revenue streams, making financial cybercrime a central part of its operations.

 Feed

Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it's

 Feed

When security teams discuss credential-related risk, the focus typically falls on threats such as phishing, malware, or ransomware. These attack methods continue to evolve and rightly command attention. However, one of the most persistent and underestimated risks to organizational security remains far more ordinary. Near-identical password reuse continues to slip past security controls, often

 Feed

Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads. "Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated

 Feed

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT). The packages, named spellcheckerpy and spellcheckpy, are no longer available for download, but not before they were collectively downloaded a little over 1,000 times. "Hidden inside the

 Feed

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system. "In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch

 Feed

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution. The weaknesses, discovered by the JFrog Security Research team, are listed below - CVE-2026-1470 (CVSS score: 9.9) - An eval injection vulnerability that could allow an authenticated user to bypass the Expression

 Feed

If you work in security operations, the concept of the AI SOC agent is likely familiar. Early narratives promised total autonomy. Vendors seized on the idea of the "Autonomous SOC" and suggested a future where algorithms replaced analysts. That future has not arrived. We have not seen mass layoffs or empty security operations centers. We have instead seen the emergence of a practical reality.

 Feed

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located

 Feed

Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts. The extension, named "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent")

 Feed

The "coordinated" cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM. Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy

 Guest blog

How badly do you want to win an online argument? I certainly hope it's not enough to put the life of the other person at risk. Police in Hungary and Romania have arrested four young men suspected of making hoax bomb threats and terrorising internet users through SWATting and doxing attacks. Read more in my article on the Hot for Security blog.

2026-01
Aggregator history
Wednesday, January 28
THU
FRI
SAT
SUN
MON
TUE
WED
JanuaryFebruaryMarch