A fake VS Code extension made with AI just showed up on the Marketplace.

It ran ransomware on install — zipping, encrypting, and uploading files, all by itself.

Microsoft took it down quickly, but the developer accidentally left the control keys and decryption tools inside.

Here’s what happened and how it worked ↓ https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html

ChatGPT just helped researchers crack XLoader malware in hours — work that used to take days.

AI unpacked the code, found keys, and exposed C2 domains. Big shift for malware analysis.

Check this story ↓ https://thehackernews.com/2025/11/threatsday-bulletin-ai-tools-in-malware.html#ai-speeds-triage-but-human-skill-still-needed

Google just launched a new form to report extortion scams on Google Maps.

Scammers are posting fake 1⭐ reviews, then asking business owners to pay up to remove them.

This new tool is meant to stop the surge in “review bombing” hitting small businesses.

Read how it works ↓ https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html

Your company's logins could be on the dark web right now, and they could sell for as little as $15.

It only takes one click for hackers to walk right in.

Find out if your company’s credentials are exposed → https://thehackernews.com/2025/11/enterprise-credentials-at-risk-same-old.html

🚨 WARNING: Malicious NuGet packages were caught hiding delayed payloads—set to fire off years from now, in 2027–2028.

They look harmless. Some even helpful. But one, Sharp7Extend, quietly sabotages PLCs—crashing processes or corrupting writes after a short delay.

Nearly 10K downloads before anyone noticed.

Here’s what’s really going on ↓ https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html

Chinese hackers used old bugs like Log4j and Struts to break into U.S. policy networks.

Then they hid using msbuild.exe and a fake system task to stay inside.

Old tricks. New targets.

Read the details ↓ https://thehackernews.com/2025/11/from-log4j-to-iis-chinas-hackers-turn.html

A single image file could hijack Galaxy phones.

Attackers hid a ZIP inside DNG photos sent over WhatsApp, exploiting a zero-day in Samsung’s image codec (CVE-2025-21042).

The implant — called LANDFALL — gave full spyware access.

Full report → https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html

Attackers are now using your cloud tools against you.

Fortinet uncovered a new campaign where stolen AWS credentials were used to run quiet recon and launch fraud from inside trusted environments.

No malware. No noise. Just normal-looking API traffic doing damage.

Read this story → https://thehackernews.com/2025/11/threatsday-bulletin-ai-tools-in-malware.html#researchers-uncover-large-scale-aws-abuse-network

🔥 Wild find from Microsoft.

Even when your AI chats are encrypted, someone watching the network can still guess what you’re talking about.

They call it "Whisper Leak" side-channel attack.

And in tests, models like OpenAI and Mistral gave away topics with 98% accuracy.

Worth your attention ↓ https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html

🚨 Three VS Code extensions — downloaded over 10,000 times — turned out to be part of a revived GlassWorm attack.

And... it spreads on its own. One infected developer can quietly compromise an entire team.

They're stealing credentials for GitHub, VSX, and crypto wallets while hiding in plain sight with invisible Unicode characters.

Read the whole story ↓ https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html

⚠️ Hackers are posing as Booking[.]com to target hotels.

Fake “security” emails trick managers into running a PowerShell script that installs PureRAT — giving full access to hotel systems.

Stolen logins and card data are being sold online.

More information here → https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html

Everyone’s building with AI in the cloud.

Few are thinking about how to actually secure it.

#NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

Worth a watch →

Last week in cyber was wild.

🔒 Malware hiding in VMs
🤖 AI chats leaking through encrypted traffic
📱 Spyware on flagship Androids
💣 Logic bombs set to go off years later
🕵️‍♂️ Fake AI bots, deepfakes, and more...

You can’t afford to miss this recap: https://thehackernews.com/2025/11/weekly-recap-hyper-v-malware-malicious.html

77% of employees paste sensitive data into GenAI tools.
Most use personal accounts, so IT can’t see it.

It’s all happening in the browser — and old DLP tools miss it completely.

The browser just became the biggest data leak in the enterprise ↓ https://thehackernews.com/2025/11/new-browser-security-report-reveals.html

North Korea’s Konni group just pulled off something wild — they turned Google’s own Find Hub into a weapon.

By stealing Google logins, they could remotely wipe Android phones, erasing data and covering their tracks.

It all started with a fake “Stress Clear” app, signed with a real Chinese company’s certificate.

Full story ↓ https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html

🚨 UNC6485 is weaponizing CVE-2025-12480 (CVSS 9.1).

They bypassed Triofox auth, ran setup to create an admin, then pointed the antivirus path at centre_report.bat to run code as SYSTEM.

Read ↓ https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html

Hackers aren’t after people anymore — they’re after bots.

API keys and tokens now run much of your SaaS, often with full access.

One stolen token let attackers break into hundreds of Salesforce accounts.

See how it happened ↓ https://thehackernews.com/expert-insights/2025/11/whos-really-using-your-saas-rise-of-non.html

A fake npm package was caught pretending to be GitHub’s real one.

~acitons/artifact (with the typo) tried to steal build tokens from GitHub repos.

It ran a postinstall script that sent secrets to a fake GitHub site.

Full story ↓ https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html

🚨 🚨 New Android RAT — “Fantasy Hub” — is on sale on Russian Telegram: $200/week or $4,500/year.

It turns any app into spyware, pretends to be a Play update, hijacks SMS to steal 2FA, and streams camera/mic in real time via WebRTC.

Novices can buy and run it. If you use BYOD or mobile banking, read more ↓ https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html

AI-driven supply chain attacks jumped 156% last year.

This new malware rewrites itself, looks like real code, and waits weeks before hitting. Most security tools can’t spot it.

See what CISOs are doing to fight back ↓ https://thehackernews.com/2025/11/cisos-expert-guide-to-ai-supply-chain.html