Drupal has announced a “core security release” scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure. Administrators are urged to reserve time for core updates on May 20 between 17:00 and 21:00 UTC. Website administrators running versions 8 or 9 are strongly recommended to upgrade to at […]
A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel’s RDS (Reliable […]
GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device. “Yesterday we detected and contained a compromise of an employee device involving a poisoned […]
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. The security flaw was disclosed last week by an anonymous security researcher known as ‘Nightmare Eclipse,’ who described it as a backdoor and published a proof-of-concept (PoC) exploit. Nightmare Eclipse said that exploiting this zero-day involves placing specially […]
GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code. GitHub’s cloud-based development platform is used by more than 4 million organizations (including 90% of the Fortune 100) and over 180 million developers who contribute to more than 420 million code […]
A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. Microsoft tracks the actor as Storm-2949 and says that the purpose of the attacks is “to exfiltrate as much sensitive data from a target organizationâs high-value assets as possible.” Storm-2949 used social engineering […]
Microsoft plans to raise the quality bar of Windows 11 drivers, as drivers “sit at the heart of every Windows experience” and connect the OS to the “silicon, components, and peripherals.” Before Microsoft shipped Windows 11, it frequently hosted WinHEC (Windows Hardware Engineering Conference), where Microsoft’s developers and OEM partners met to work on quality. […]
Microsoft has confirmed user reports that the Teams team collaboration app is displaying non-dismissible location prompts on some macOS systems. According to affected Teams users, these non-dismissible prompts have been appearing on Mac devices running macOS versions 14 (Sonoma), 15 (Sequoia), and 26 (Tahoe) over the past week, asking for permission to use their location “for things […]
Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign. Most of the affected packages are in the @antv ecosystem, which includes libraries for charting, graph visualization, building flowcharts, and mapping. However, popular packages outside this namespace have also been […]
Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month. Founded in 1927, 7-Eleven now operates, franchises, and licenses over 86,000 stores globally, including 13,000 stores in the U.S. and Canada, while its 7Rewards and Speedy Rewards loyalty programs have more than 100 […]
