🤖 We talk a lot about securing AI.

Almost no one talks about where it’s actually hiding.

NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

🚀See Wiz in Action → https://thn.news/cloud-security-demo

🔥 Hackers hit South Korea’s banks through one IT vendor — spreading Qilin ransomware to 28 firms and stealing 2 TB of data.

Evidence suggests Russian and North Korean groups worked together.

Full story ↓ https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

⚠️ Eight “advanced” tools failed at once.

A phishing attack slipped past all of them and reached exec inboxes. Only one thing stopped it — a strong SOC.

🔗 Learn why your “first line” is useless without the last ↓ https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html

⚠️ Hundreds of Maven packages just got caught running Shai-Hulud v2 — the same malware that hijacked npm.

It spread through automated rebuilds, infecting devs who never used npm.

Hiding in the Bun runtime, it steals GitHub + cloud creds and self-replicates like a worm — already leaking 11,000+ secrets across 4,600 repos.

Details here ↓ https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html

🛑 Gainsight just revealed more customers were affected than originally disclosed.

Salesforce revoked all Gainsight access tokens after the breach tied to ShinyHunters — and the same user-agent from prior Salesloft attacks popped up again.

The full scope remains unknown.

Read here → https://thehackernews.com/2025/11/gainsight-expands-impacted-customer.html

🚨 New ThreatsDay Bulletin is live!

🤖 AI malware that learns your habits
📞 Voice bots turned into attack tools
💸 Crypto rings laundering billions
🔌 IoT gear under siege again
🌍 Smishing scams spreading worldwide

All that and 20+ more stories shaping the week in cybersecurity.

🔗 Read now: https://thehackernews.com/2025/11/threatsday-bulletin-ai-malware-voice.html

Microsoft will block all non-Microsoft scripts on Entra ID logins starting Oct 2026.

If your sign-in flow or browser extension injects any code, it may break — so test ASAP.

The new Content Security Policy only lets trusted Microsoft-hosted scripts.

Read more → https://thehackernews.com/2025/11/microsoft-to-block-unauthorized-scripts.html

Hackers posing as Kyrgyzstan’s Justice Ministry are spreading 2013-era NetSupport RAT across Kyrgyzstan and Uzbekistan using fake PDFs and old Java tricks—blocking outsiders to hide the attack.

Old tools. New victims. → https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html

VPNs weren’t built for today’s hybrid networks. Hackers now exploit them as entry points to steal admin creds.

Remote Privileged Access Management (RPAM) closes that gap — no VPNs, no shared passwords, full session tracking.

Why it’s replacing PAM → https://thehackernews.com/2025/11/why-organizations-are-turning-to-rpam.html

🚨 North Korean hackers uploaded 197 malicious npm packages (31K+ downloads).

They drop a new OtterCookie variant that steals passwords, crypto data, and screenshots — all from a fake job interview setup.

Details here ↓ https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

⚠️ Researchers found old Python code that could expose projects to a supply chain attack.

Some PyPI packages — including Tornado and slapos.core — still call an expired domain that anyone could buy and use to run malicious code.

Details ↓ https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html