Russia’s GRU tried a new way to spread RomCom malware.

For the first time, they used SocGholish — fake browser update malware — to target a U.S. engineering firm linked to Ukraine.

The attack went from click to malware in under 30 minutes.

Read the latest report ↓ https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html

🚨 A Chrome extension is stealing crypto.

“Crypto Copilot” looks like a trading tool for X — but it secretly adds a hidden Solana transfer and sends your money to a hacker’s wallet.

It’s still live on the Chrome Web Store.

Full story ↓ https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

⚠️ Hackers love community update tools.
Why? Because anyone can upload a package.
One bad update = hacked systems.

🔒 Join our free live webinar with Action1 CTO Gene Moody — see how to patch safely without slowing down.

Save your spot ↓ https://thehackernews.com/2025/11/webinar-learn-to-spot-risks-and-patch.html

🤖 We talk a lot about securing AI.

Almost no one talks about where it’s actually hiding.

NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

🚀See Wiz in Action → https://thn.news/cloud-security-demo

🔥 Hackers hit South Korea’s banks through one IT vendor — spreading Qilin ransomware to 28 firms and stealing 2 TB of data.

Evidence suggests Russian and North Korean groups worked together.

Full story ↓ https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

⚠️ Eight “advanced” tools failed at once.

A phishing attack slipped past all of them and reached exec inboxes. Only one thing stopped it — a strong SOC.

🔗 Learn why your “first line” is useless without the last ↓ https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html

⚠️ Hundreds of Maven packages just got caught running Shai-Hulud v2 — the same malware that hijacked npm.

It spread through automated rebuilds, infecting devs who never used npm.

Hiding in the Bun runtime, it steals GitHub + cloud creds and self-replicates like a worm — already leaking 11,000+ secrets across 4,600 repos.

Details here ↓ https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html

🛑 Gainsight just revealed more customers were affected than originally disclosed.

Salesforce revoked all Gainsight access tokens after the breach tied to ShinyHunters — and the same user-agent from prior Salesloft attacks popped up again.

The full scope remains unknown.

Read here → https://thehackernews.com/2025/11/gainsight-expands-impacted-customer.html

🚨 New ThreatsDay Bulletin is live!

🤖 AI malware that learns your habits
📞 Voice bots turned into attack tools
💸 Crypto rings laundering billions
🔌 IoT gear under siege again
🌍 Smishing scams spreading worldwide

All that and 20+ more stories shaping the week in cybersecurity.

🔗 Read now: https://thehackernews.com/2025/11/threatsday-bulletin-ai-malware-voice.html

Microsoft will block all non-Microsoft scripts on Entra ID logins starting Oct 2026.

If your sign-in flow or browser extension injects any code, it may break — so test ASAP.

The new Content Security Policy only lets trusted Microsoft-hosted scripts.

Read more → https://thehackernews.com/2025/11/microsoft-to-block-unauthorized-scripts.html

Hackers posing as Kyrgyzstan’s Justice Ministry are spreading 2013-era NetSupport RAT across Kyrgyzstan and Uzbekistan using fake PDFs and old Java tricks—blocking outsiders to hide the attack.

Old tools. New victims. → https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html

VPNs weren’t built for today’s hybrid networks. Hackers now exploit them as entry points to steal admin creds.

Remote Privileged Access Management (RPAM) closes that gap — no VPNs, no shared passwords, full session tracking.

Why it’s replacing PAM → https://thehackernews.com/2025/11/why-organizations-are-turning-to-rpam.html

🚨 North Korean hackers uploaded 197 malicious npm packages (31K+ downloads).

They drop a new OtterCookie variant that steals passwords, crypto data, and screenshots — all from a fake job interview setup.

Details here ↓ https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

⚠️ Researchers found old Python code that could expose projects to a supply chain attack.

Some PyPI packages — including Tornado and slapos.core — still call an expired domain that anyone could buy and use to run malicious code.

Details ↓ https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html

🚨 CISA added a real-world exploited flaw in OpenPLC ScadaBR to its Known Exploited Vulnerabilities list.

Hackers used the bug (CVE-2021-26829) to deface a fake water plant system in under 26 hours — disabling logs and alarms.

Read → https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html

🚨 Tomiris is back — and harder to spot.

Kaspersky reports the group is using Telegram & Discord as C2 servers to hide attacks on government networks in Russia & Central Asia.

Its new malware — written in Python, Rust, Go, PowerShell & C#.

Full details ↓ https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html

🚨 New Android malware Albiriox is being sold as a service.

It can remotely control phones, stream screens from banking apps, and fake updates to steal logins.

It even bypasses Android’s screen protections.

Read about it here → https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html

Spread via fake Google Play links, it’s already targeting users in Austria.

🚨 Webinar Alert: Resilient Patching — Guardrails for Community Repos

You trust your patching tools. Attackers trust that too. A single unsafe package on Chocolatey or Winget can flip your defenses against you.

Learn how top teams patch fast, safe, and under control.

👉 Register & get the full playbook → https://thehacker.news/resilient-patching

🚨 The browser just became your riskiest employee.

New AI browsers like ChatGPT Atlas can act on your behalf — booking, buying, sending data. One hidden command can turn them against you.

Join this expert webinar to learn how to spot and stop these new AI browser threats ↓ https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

⚡ New Cyber Recap is live.

🐛 npm worm returns
📧 M365 email + token raids
📱 spyware on chat apps
🧱 Firefox RCE + hot CVEs
💸 Cryptomixer takedown

If you ship code, manage access, or touch cloud… this one’s worth 3 minutes.

Read: https://thehackernews.com/2025/12/weekly-recap-hot-cves-npm-worm-returns.html

🐼 ShadyPanda quietly turned trusted Chrome and Edge extensions into spyware.

Over 4.3 million installs in 7 years — some were even once verified by Google.

After silent updates in mid-2024, they began sending users’ browsing data and cookies to remote servers.

🔗 Read here → https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html