šŸ” IT News Analyzer

// AI-powered news analysis

Latest Top 10 Articles

1
144 Mastra npm Packages Compromised via Hijacked Contributor Account

144 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from JFrog , SafeDep , Socket , and StepSecurity . "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said. The infected packages themselves do not include malicious code. Instead, it's introduced by means of a third-party library named "easy-day-js" that has been added to each package's dependency list in what has been described as an automated publishing campaign spanning 88 minutes. In its analysis, SafeDep described "easy-day-js" as a clone of the "dayjs" date library that downloads and runs a cryptocurrency-stealing remote acces...

ī ‚Jun 17, 2026
3
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution. "Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA said . According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution. The issue impacts JCE versions from 1.0.0 through 2.9.99.4. It has been pa...

ī ‚Jun 17, 2026
4
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty program, calls the technique " Pickle in the Middle " and said it saw no exploitation in the wild. Google has patched it; if you use the SDK, update to version 1.148.0 or later. The attacker needed only a Google Cloud project of their own and the victim's project ID, which is often public. No credentials, no phishing, no foothold in the target. The flaw was in how the SDK chose a temporary Cloud Storage bucket for model uploads. If a user did not set a bucket, the SDK generated a predictable name from the project ID and region, such asĀ  project-vertex-staging-region . It checked whether that bucket existed, but not whether the victim owned it. Because buc...

ī ‚Jun 16, 2026
5
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader , Lorem Ipsum Loader , and Potemkin , per independent reports from Morphisec , BlueVoyant , and Huntress , respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. "Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages," Morphisec researcher Shmuel Uzan said. "This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility." The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader, which is then used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, i...

ī ‚Jun 16, 2026
6
New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

Security researchers atĀ Zimperium's zLabsĀ have documented a new Android banking trojan, Rokarolla , that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect. Rokarolla , named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome. The first thing a victim installs is a dropper that pretends to be Google Play Protect. It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off. The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database. When the victim ope...

ī ‚Jun 16, 2026
8
Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive

Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive

Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and what action should follow . Case in point: a recent industry study of more than 200 security practitioners conducted by Spur Intelligence found that anonymizing infrastructure - including VPNs and residential proxy networks - now appears in nearly every security incident. At the same time, the study showed that many organizations admit they lack the visibility, context, and operational workflows needed to make effective decisions based on that IP data. The findings support a broader industry trend: a reactive approach to managing IP-based risks. The Rise of Anonymized Infrastructure...

ī ‚Jun 16, 2026
9
Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week

Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week

Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber. In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808 , and CVE-2026-25089 over the past 24 hours. CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. The second flaw, CVE-2026-39808 (CVSS score: 9.1), is a case of operating system command injection that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Both vulnerabilities were patched by Fortinet in April 2026. CVE-2026-25089 (CVSS score: 9.1), on the other hand, was fixed last week, with Fortinet describing it as an operating system command injection impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that co...

ī ‚Jun 16, 2026
10
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS . "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols." Like its Linux counterpart, the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations. WIN_DRV has also been found to utilize kernel drivers to conceal the malware's network connections, processes, files, and registry keys. In addition, the variant enables TCP traffic diversion that allows the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's act...

ī ‚Jun 16, 2026