Aggregator
FBI director Kash Patel’s brand website taken offline after malware reports
AppSec's blind spot: why dependency checks should not stop at CVEs
CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks
CISA has issued an urgent alert regarding a critical SQL injection vulnerability in Drupal Core, tracked as CVE-2026-9082, which is now being actively exploited in real-world attacks. The flaw, classified under CWE-89, affects Drupal’s database abstraction API and could allow attackers to execute malicious SQL queries through specially crafted requests. According to the Cybersecurity and […]
The post CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks appeared first on Cyber Security News.
GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks
GitHub has introduced a major security upgrade to the npm ecosystem with the general availability of staged publishing and new install-time controls, aimed at reducing automated supply chain attacks targeting open-source packages. The newly released staged publishing feature changes how npm packages are published and distributed. Instead of immediately making a package available after publishing, […]
The post GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks appeared first on Cyber Security News.
Hackers Use Browser-Locking CypherLoc Kit to Push Fake Microsoft Support Calls
A newly identified scareware kit called CypherLoc is locking victims’ browsers and tricking them into calling fake Microsoft support lines. The kit has been linked to roughly 2.8 million attacks since the start of 2026, making it one of the more aggressive browser-based threats observed this year. Unlike traditional malware that requires a file to […]
The post Hackers Use Browser-Locking CypherLoc Kit to Push Fake Microsoft Support Calls appeared first on Cyber Security News.
Firefox adds support for the Web Serial API in partnership with Adafruit
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
Scientists create a miniature nuclear fireball in the laboratory
Seamless coverage, drones and lasers instead of wires: China unveils a prototype of the wireless internet of the future
Lessons for organizations from the Verizon 2026 Data Breach Investigations Report
This is my favourite time of the year, not just because spring is here and the promise of summer is on the way, but also because one of my must-reads each year gets published. There are a few must-read reports that I have on my reading list for each year, and the Verizon Data Breach Investigations Report is on top of that list. The latest Verizon 2026 Data Breach Investigations Report (DBIR) once …
The post Lessons for organizations from the Verizon 2026 Data Breach Investigations Report appeared first on Help Net Security.
In April, global wind and solar power generation exceeded natural gas generation
AI-targeted injection attacks: a new trick in cryptocurrency-stealing supply chain attacks
OpenHack: Open-source AI-powered vulnerability research
Source-guided vulnerability research increasingly leans on coding harnesses such as Claude Code, Codex, and Cursor to drive agent-based reviews of application code. A new MIT-licensed project from the Dutch security firm Hadrian, called OpenHack, packages that approach into a file-based workspace that any of those harnesses can run. OpenHack is a set of agents and tools that mimics how Hadrian’s research team performs automated vulnerability research. The workflow runs inside a coding harness or a …
The post OpenHack: Open-source AI-powered vulnerability research appeared first on Help Net Security.
JVN: OS command injection vulnerability in the NEC Aterm series (NV26-003)
ZDI-CAN-30890: Anysphere
JVN: Cross-site scripting vulnerability in the NEC Aterm series (NV26-002)
Downloaded a PDF editor? Get ready to say goodbye to the passwords for all your accounts
Boards want cyber risk in dollars, not CVE counts
In this Help Net Security video, Ziv Levi, SVP of Technology at CYE, explains why translating cyber risk into dollars is one of the most pressing tasks for security leaders. Boards and executives want cyber exposure described in business terms, not technical jargon. Levi walks through a three-step financial translation framework. First, identify business exposure by mapping attack paths to the assets that matter most, such as intellectual property and customer data. Second, focus on …
The post Boards want cyber risk in dollars, not CVE counts appeared first on Help Net Security.