Aggregator

注：本文为手稿。手稿分为上下两个部分，分别是《论以攻促防的本质》与《论以防启攻的本质》。

Palo Alto, California, July 29th, 2025, CyberNewsWire Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as “Verified” and “Chrome Featured” provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of […]

The post SquareX Discloses Architectural Limitations Of Browser DevTools In Debugging Malicious Extensions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Think passkeys make you phishing-proof? Think again. Attackers are using downgrade attacks, device-code phishing, and OAuth tricks to sneak past modern MFA. See how Push Security shuts them down. [...]

Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.

两年前，中国的大学警告学生不要在作业中使用 AI。今天的大学逆转了立场，鼓励学生使用 AI，只要他们遵守最佳实践（best practices）。根据麦可思研究院(MyCOS Institute)的调查，生成式 AI 已基本普及，只有 1% 的师生表示从未在学习或工作中使用 AI，近六成被调查者表示每天或每周数次使用 AI。随着 DeepSeek 的流行，人们日益将生成式 AI 视为国家骄傲的来源。高校的讨论重心逐渐从担忧 AI 对学术诚信的影响转向鼓励学生提高素养、提高生产力和保持领先。斯坦福大学 Institute for Human-Centered Artificial Intelligence (HAI)的调查发现，中国对 AI 热情领先于世界其它国家，八成的人对 AI 感到兴奋，相比下美国和英国仅为 35% 和 38%。MIT Technology Review 对 46 所中国顶尖大学 AI 战略的调查发现，几乎所有学校过去一年引入了跨学科的 AI 通识教育课和 AI 相关学位。清华大学、人民大学、南京大学和复旦大学等推出了 AI 素养课程和学位，面向所有学生而不只是计算机科学专业的学生。教育部于 2025 年 4 月发布了国家“AI +教育”指南，呼吁进行全面改革。

为深化产教融合、推动教育创新，蚂蚁集团正式启动“2025年教育部产学合作协同育人项目”申报工作。

А контент с элементами порнографии попадёт под блокировку с 10 августа.

A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew, as the latter's dark web infrastructure has been the subject of a law enforcement seizure. Chaos, which sprang forth in February 2025, is the latest entrant in the ransomware landscape to conduct big-game hunting and double extortion attacks. "Chaos RaaS actors initiated

A vulnerability was found in CodeIgniter4 4.6.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument debugbar_time leads to cross site scripting. This vulnerability is handled as CVE-2025-45406. The attack may be launched remotely. There is no exploit available.

Singapore’s critical infrastructure faces an escalating cyber threat from UNC3886, a sophisticated Chinese state-linked Advanced Persistent Threat (APT) group that has been systematically targeting the nation’s energy, water, telecommunications, finance, and government sectors. The group, which first emerged circa 2021 and was formally identified by Mandiant in 2022, represents one of the most technically advanced […]

The post UNC3886 Actors Know for Exploiting 0-Days Attacking Singapore’s Critical Infrastructure appeared first on Cyber Security News.

Customers of French telecommunications provider Orange might see disruptions related to a cyberattack, the company said, without providing further details about the incident or threat actor.

Security researchers at Tracebit have discovered a critical vulnerability in Google’s Gemini CLI that enables attackers to silently execute malicious commands on developers’ systems through a sophisticated combination of prompt injection, improper validation, and misleading user interface design. The vulnerability, classified as a P1/S1 issue by Google’s security team, has been patched in the latest […]

The post Gemini CLI Vulnerability Allows Silent Execution of Malicious Commands on Developer Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability was found in Insyde InsydeH2O up to 05.70.49. It has been rated as problematic. Affected by this issue is some unknown functionality of the component VariableRuntimeDxe Driver. The manipulation leads to denial of service. This vulnerability is handled as CVE-2024-52880. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in StreamWeasels Kick Integration Plugin up to 1.1.4 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2025-7810. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in StreamWeasels Twitch Integration Plugin up to 1.9.3 on WordPress. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-7809. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in StreamWeasels YouTube Integration Plugin up to 1.4.0 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-7811. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Bricks Builder Plugin up to 1.12.4 on WordPress and classified as critical. This issue affects some unknown processing. The manipulation of the argument p leads to sql injection. The identification of this vulnerability is CVE-2025-6495. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in Brizy Plugin up to 2.6.20 on WordPress. It has been classified as critical. Affected is the function store_file of the component TXT File Handler. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-4370. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Elementor Plugin up to 3.30.2 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Text Path Widget. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2025-4566. The attack may be launched remotely. There is no exploit available.