Toy Giant Hasbro Hit by Cyberattack

The company is investigating the full scope of the incident, including whether any files have been compromised.

The post Toy Giant Hasbro Hit by Cyberattack appeared first on SecurityWeek.

SecurityWeek – ​Read More

CrystalX RAT: a Trojan for pranks, remote access, and cryptocurrency theft | Kaspersky official blog

While this post comes out on April 1, the threat described has little to do with April Fools’ Day — except for the fact that the CrystalX malicious RAT, discovered by Kaspersky experts, can do more than just gain remote access to a victim’s device, steal cryptocurrency and credentials from browsers and apps, or conduct actual surveillance. It can also flip the victim’s screen, swap mouse buttons, write nonsense directly onto the screen, and even block keyboard input. Furthermore, it’s advertised as malware-as-a-service (MaaS) — meaning it’s subscription-based — on Telegram and through instructional videos on YouTube.

In this post, we explain some basics as to how this new malware was built, what makes it difficult to detect, and what to do so you don’t end up among its victims.

A Swiss army knife for attackers

In March 2026, our experts discovered previously unknown malware circulating on private Telegram channels. Borrowing from classic marketing tactics, the Trojan was offered for purchase via three different subscription tiers. Its capabilities cover a fairly broad spectrum: judge for yourself what it can do to a victim’s computer:

  • Change desktop wallpaper to an image from a specified link
  • Rotate the screen by 90, 180, or 270 degrees
  • Simply shut down the computer
  • Swap mouse button assignments
  • Chat with the victim
  • Block both keyboard input and monitor output
  • Display any notification text chosen by the attacker
  • Disable specific components, such as Task Manager, the command prompt, and the Windows taskbar

Yet that’s only the harmless side of the malware — the prank functionality that harks back to the joke viruses of past decades. The real damage from CrystalX comes from its stealing login credentials for Steam, Discord, Telegram, and all Chromium-based browsers. It can also monitor and change the contents of the clipboard; typically, attackers watch for a crypto wallet address to be copied, and then swap it with their own. This is a popular scheme for stealing crypto: while intending to make a legitimate transfer, the victim copies the recipient’s wallet address, but ends up pasting the scammers’ address instead.

But there’s more: a keylogger feature and full device control with remote access to the screen, camera, and microphone — including video and sound recording capabilities.

The malware was first mentioned in January 2026 in a private Telegram chat for RAT developers. At that time, this Windows Trojan was called WebCrystal RAT and, based on technical details, was revealed to be a clone of another RAT known as WebRat. A short time later, the author of WebCrystal rebranded it as CrystalX RAT, and began touting the Trojan on a newly created Telegram channel.

The initial infection vector for this stealer is currently unknown, but according to telemetry the victims at the time of writing are predominantly located in Russia. And since we’re continuing to find new versions of the malware, we deem it a rapidly growing and evolving threat.

Anyone can become a hacker

Developing any complex cyberattack used to come with a steep learning curve. You needed to understand cryptography and network protocols, and know how to write code that could fool antivirus solutions. It was a high bar to clear, but the malware-as-a-service model has been changing the game.

These days, an attacker only needs basic computer literacy to rent a ready-made platform with a user-friendly user interface. The threat is becoming widespread specifically because malware creators aren’t carrying out the attacks themselves anymore — they’re selling shovels during a gold rush. They focus on supporting their customers, improving the user interface, and pouring money into aggressive marketing.

CrystalX malware control panel

CrystalX malware control panel

Hackers are even setting up YouTube channels where they use the pretext of “for educational and entertainment purposes” to explain how to manage the Trojan from the control panel. Instructional videos that were once buried in the dark web have gone mainstream, putting hacking techniques in front of a broad, general audience.

How CrystalX bypasses security

No matter how technically advanced a hacking app’s code is, it will die as a project without a constant stream of new clients. This makes marketing efforts vital to its survival — even if they significantly increase the risk of the developer ending up behind bars. However, the creators of CrystalX have figured out how to protect their creation.

The control panel allows clients to build their own unique versions of the Trojan with extensive configuration options. For example, they can enable location filtering to target users in specific countries, choose an icon for the executable file, and toggle anti-analysis features. The finished Trojan is compressed using zlib and then encrypted with a ChaCha20 stream cipher using a 256-bit key and a 96-bit nonce. This ensures that every customer receives a unique version of the malware.

CrystalX is also capable of detecting virtual machines and checking if it’s running in a test or debugging environment, which complicates discovery. You can read more about the structure and functionality of this new Trojan in our Securelist story.

The good news for Kaspersky users is that our security solutions both detect and neutralize CrystalX.

How to avoid becoming a victim

Here are a few simple tips to help you avoid infection by CrystalX and other similar malware:

  • Pay attention if your computer starts acting up. Spontaneous screen rotation, the keyboard or mouse behaving erratically or locking up, and random notifications or chat windows can all be signs of a CrystalX infection. If anything like that happens, kill the internet connection immediately by physically unplugging the Ethernet cable or toggling off the Wi-Fi. Then, use a flash drive to install our security suite to root out the virus.
  • Make sure you download software only from official websites and trusted marketplaces. Avoid pirated software, license key generators, and free versions of paid applications: these builds are the most common hiding spots for Trojans.
  • Don’t fall for “tutorial” videos that push questionable tools for “administration”, “optimization”, or “security testing”. If the blogger says you should disable your antivirus to complete installation, that’s a major red flag and a reason to stop watching.
  • Be careful with files you receive through messaging apps. Password-protected archives containing “important documents” or “cool private builds” are typical containers for malicious software.
  • Keep your accounts secure. Enable two-factor authentication and passkeys for your most critical services: email, messaging apps, gaming platforms, and crypto exchanges. Kaspersky Password Manager is an excellent tool for this.
  • Regularly update your operating system and apps. Fresh patches plug security holes that let malware slip onto your system silently and without any interaction from your side.
  • Use a reliable security suite, such as Kaspersky Premium. It detects and blocks Trojan installation or download attempts.

Read more about remote access Trojans, miners, crypto-stealers, and other digital nasties:

Kaspersky official blog – ​Read More

FBI Warns of Data Security Risks From China-Made Mobile Apps

The agency has not named the problematic foreign-made applications, but TikTok and Temu come to mind.

The post FBI Warns of Data Security Risks From China-Made Mobile Apps appeared first on SecurityWeek.

SecurityWeek – ​Read More

Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More 

March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. ANY.RUN analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient botnet infrastructure affecting organizations across industries.

From Microsoft 365 token abuse and registry-hidden RAT delivery to card theft, macOS backdoor activity, and multi-vector DDoS operations, the threat landscape in March showed how much harder early detection has become for security teams.

Key Business Risks That Stood Out in March Attacks 

  • Trusted services and normal-looking workflows were repeatedly used to hide malicious activity, increasing the risk of delayed detection across enterprise email, cloud, payment, and endpoint environments. 
  • Attacks observed in March affected industries including government, finance, healthcare, technology, education, manufacturing, and energy, with risks extending beyond initial access into token abuse, remote access, card theft, and broader malware deployment. 
  • Stealthy, multi-stage delivery methods made early signals weaker and investigations slower, raising the likelihood of escalation before security teams could confirm malicious behavior. 
  • For organizations, the business impact was not limited to infection alone, but included fraud, downtime, deeper compromise, and higher operational costs tied to delayed response

Reduce the risk of delayed detection

Help your team investigate faster and respond earlier
 



Power up your SOC


1. EvilTokens: OAuth Device Code Phishing Enables M365 Account Takeover Without Credential Theft 

Post on X  

Check detailed breakdown 

ANY.RUN analysts observed a sharp rise in EvilTokens, a phishing campaign abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week. Instead of stealing credentials on a fake login page, attackers trick victims into entering a verification code on microsoft[.]com/devicelogin, which causes Microsoft to issue OAuth tokens directly to the attacker. 

Execution chain of EvilTokens

This makes EvilTokens especially dangerous for organizations relying on traditional phishing detection. The user signs in through a legitimate Microsoft page, completes MFA, and never submits credentials to the phishing site. As a result, the compromise shifts from password theft to token abuse, giving attackers access to Microsoft 365 resources while blending into normal authentication activity. 

Because the workflow runs over encrypted HTTPS and uses legitimate Microsoft infrastructure, key attack signals are often hidden from security teams. That delays validation, extends investigations, and increases the chance of escalation before analysts can confirm what happened. 

See full attack flow exposed in ANY.RUN Sandbox 

Fake verification granting access to external client
Fake verification granting access to external client 

Inside ANY.RUN Sandbox, automatic SSL decryption revealed the hidden JavaScript and backend communication used to orchestrate the phishing flow. In this case, analysts uncovered high-confidence network indicators such as: 

  • /api/device/start 
  • /api/device/status/* 
  • X-Antibot-Token 

When seen in HTTP requests to non-legitimate hosts, these artifacts become strong hunting signals for identifying related phishing infrastructure and improving detection coverage. 

To investigate similar activity and validate detection logic, use this TI Lookup query: 

threatName:”oauth-ms-phish” 

Targeted industries and countries displayed in TI Lookup 

TI Lookup helps teams quickly assess the broader attack landscape around EvilTokens and related OAuth phishing activity. Recent submissions show notable targeting across Technology, Education, Manufacturing, and Government & Administration, especially in the United States and India, while other regions are also affected.

Get broader visibility into malware and phishing activity

Use TI Lookup to track related infrastructure and IOCs
 



Investigate in TI Lookup


This gives SOC teams access to related sandbox analyses, IOCs, and behavioral patterns they can use to strengthen detections and hunting. For CISOs, that means earlier visibility into relevant campaigns, better prioritization of response efforts, and a stronger ability to reduce the business impact of Microsoft 365 account takeover. 

IOCs related to this attack: 

  • singer-bodners-bau-at-s-account[.]workers[.]dev  
  • dibafef289[.]workers[.]dev  
  • ab-monvoisinproduction-com-s-account[.]workers[.]dev  
  • subzero908[.]workers[.]dev  
  • sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev  
  • tyler2miler-proton-me-s-account[.]workers[.]dev 

2. macOS ClickFix Campaign Targets Claude Code Users with AMOS Stealer and Backdoor Access 

Post on X  

ANY.RUN analysts identified a macOS-specific ClickFix campaign targeting users of AI tools such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. In the observed case, attackers used a redirect from Google Ads to a fake Claude Code documentation page, where a ClickFix flow pushed the victim to run a terminal command that ultimately delivered AMOS Stealer

Fake Claude Code documentation page used as a lure
Fake Claude Code documentation page used as a lure

Once executed, the infection chain moved beyond credential theft. The malware collected browser data, saved credentials, Keychain contents, and sensitive files, then deployed a backdoor that provided continued access to the infected Mac. This makes the attack more serious than a one-time stealer infection, especially in enterprise environments where macOS systems often hold developer access, internal documentation, and business-critical credentials. 

How the attack unfolds: 

  • Google Ads redirect sends the victim to a fake Claude Code documentation page 
  • ClickFix lures the user into running a terminal command 
  • The command downloads and executes an encoded script 
  • AMOS Stealer collects browser data, saved credentials, Keychain contents, and sensitive files 
  • A backdoor is deployed for continued access 
  • The updated ~/.mainhelper module enables an interactive reverse shell over WebSocket with PTY support 
AMOS Stealer detected by ANY.RUN 
AMOS Stealer detected by ANY.RUN 

A key finding in this case was the evolution of the backdoor module ~/.mainhelper. Previously described as a more limited implant, the updated variant now supports a fully interactive reverse shell, giving attackers persistent, hands-on access to the infected system in real time. 

For defenders, that changes the risk significantly. What starts as a phishing-style ClickFix infection can quickly turn into long-term remote access, data theft, and broader compromise. Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components also break visibility into weaker signals, which can slow validation and delay escalation. 

See the full macOS ClickFix campaign execution chain 

macOS ClickFix campaign details discovered by ANY.RUN
macOS ClickFix campaign details discovered by ANY.RUN

ANY.RUN Sandbox helps teams investigate macOS, Windows, Linux, and Android threats with visibility into execution flow, attacker behavior, persistence mechanisms, and dropped artifacts. In cases like this, this cross-platform threat analysis helps analysts confirm malicious activity faster, attribute the intrusion with greater confidence, and strengthen detection logic before the compromise expands further. 

Expand your SOC’s cross-platform threat visibility

Reduce breach risk with analysis across 4 major operating systems



Request for your team


3. RUTSSTAGER: Registry-Stored DLL Leads to OrcusRAT Deployment 

Post on X  

ANY.RUN analysts detected RUTSSTAGER, a stealthy malware stager that hides a DLL inside the Windows registry in hexadecimal form, making the payload harder to spot during early triage. In the observed chain, the stager led to the deployment of OrcusRAT, followed by an additional binary that helped maintain persistence, ran PowerShell-based system checks, and relaunched the RAT when needed. 

What makes this threat notable is the way it avoids a straightforward on-disk delivery path. By storing the DLL in the registry instead of dropping it as a conventional file, the malware reduces its visibility and gives defenders fewer obvious artifacts to catch at first glance. The follow-on activity then helps stabilize the infection and keep remote access available on the compromised system. 

Review the full execution chain 

RUTSSTAGER attack details revealed inside ANY.RUN sandbox
RUTSSTAGER attack details revealed inside ANY.RUN sandbox 

Inside ANY.RUN Sandbox, behavioral analysis exposed how the infection unfolded across stages, while file system and process monitoring helped reveal the relationship between the stager, the deployed RAT, and the persistence component. Process synchronization events were especially useful here, showing that the payload components were not acting independently but as part of a coordinated, multi-stage execution chain. 

Catch multi-stage malware before it goes further

Expose hidden execution chains and speed up validation



Sign up now


To explore related activity, review relevant sandbox analyses and assess the broader threat landscape, use the following TI Lookup query: registryName:”^rutsdll32$” 

Gathered IOCs: 

  • 57ce6187be65c1c692a309c08457290ae74a0047304de6805dbb4feb89c0d7e5 
  • 6a581c3b6fe7847bb327f5d76e05653a1504e51023454c41835e5dc48bc13ba4 
  • 7d157366d74312965912a35cbba4187532cfeb3b803119a3a04c9ba0ba7d4ab0 
  • 07f56ac8b5bd7cdb4c33ea5e9cd42bc7f9d3cd5504aabbb476ef010a142d7e29 
  • a6f72590792b3f26271736e5a7ba80102292546bb118cf84ff29df99341abfbe 

4. Fake PDF Attachments Hide HTML Phishing Pages That Steal Credentials 

Post on X 

ANY.RUN analysts identified phishing emails carrying HTM/HTML attachments disguised as PDF files. In the observed case, a file named pdf.htm opened a fake login page and sent submitted credentials in JSON format through an HTTP POST request to the Telegram Bot API

Attack details discovered by ANY.RUN
Attack details discovered by ANY.RUN 

The attack relies on a simple but effective disguise: the attachment looks like a document but actually launches a phishing page designed to collect login data. Some samples also include obfuscated scripts, which makes the credential theft logic less obvious during manual inspection and slows down triage.

Once a victim enters their credentials, attackers can use them to access business email, internal services, and other corporate systems tied to the compromised account. For security teams, this turns what may look like a routine attachment into a fast-moving account takeover risk. 

See the analysis session 

Less than 1 minute required to reveal the phishing behavior inside ANY.RUN sandbox
Less than 1 minute required to reveal the phishing behavior inside ANY.RUN sandbox

Inside ANY.RUN Sandbox, the phishing behavior became visible in under 60 seconds, exposing the outbound communication, loaded scripts, and file contents involved in the theft flow. This helps teams quickly confirm whether an attachment is just suspicious or part of an active credential-harvesting attack, reducing review time and helping analysts act before the stolen access is used. 

5. SVG Smuggling Campaign Targets Colombian Organizations 

Post on X 

ANY.RUN analysts observed a phishing campaign targeting organizations in Colombia, particularly in government, finance, oil and gas, and healthcare. The attackers use Spanish-language phishing emails with an attached SVG file that acts as more than an image: it contains embedded JavaScript that rebuilds the next attack stage locally through SVG smuggling

SVG smuggling campaign details revealed by ANY.RUN
SVG smuggling campaign details revealed by ANY.RUN

Instead of downloading a payload from an external source right away, the SVG uses a blob URL to generate an intermediate HTML lure inside the browser. That lure imitates a document-related workflow and creates a password-protected ZIP archive for the victim to open, pushing the attack forward while reducing obvious early network signals. 

This staged delivery makes the campaign harder to catch during initial triage. SVG smuggling, blob-generated content, and the later use of legitimate Windows components break the compromise into smaller artifacts that may look weak or unrelated on their own, slowing detection and investigation. 

Inside ANY.RUN Sandbox, analysts were able to reconstruct the full flow: 

SVG smuggling → Blob-based HTML lure → Password-protected ZIP → Notificacion Fiscal.js → radicado.hta → J0Ogv7Hf.ps1 → C2 communication 

That visibility helps security teams connect scattered artifacts faster, uncover hidden delivery stages, and confirm malicious activity before the intrusion progresses further. 

Catch hidden delivery chains before they lead to compromise

Give your team earlier visibility into multi-stage attacks



Power up your SOC


You can use the following Vjw0rm C2 response commands as detection signals to detect active compromise in your environment:  

  • Cl — execution termination 
  • AW — active window data collection and exfiltration 
  • Ex — PowerShell code execution 
  • SF / RF — base64 payload delivery, storage, and execution 
  • DL — file download from URL with optional execution 
  • DLF — file delivery via C2 with storage and execution 
  • Un — removal of persistence mechanisms and related artifacts 

6. Active Magecart Campaign Hijacks eStores and Steals Card Data 

Check detailed breakdown 

ANY.RUN analysts uncovered an active Magecart campaign targeting e-commerce websites, with a notable concentration in Spain. In the observed cases, attackers hijacked checkout flows, replaced legitimate payment steps with fake interfaces, and stole card data through WebSocket-based exfiltration

WebSocket exfiltration code
WebSocket exfiltration code

What makes this campaign especially dangerous is its durability. The operation remained active for more than 24 months and relied on a large infrastructure of 100+ domains, using staged payload delivery, fallback domains, and payment-page mimicry to stay operational and avoid disruption. In Spain-focused cases, the attackers notably abused Redsys-themed payment context to make the fraudulent flow appear legitimate. 

The campaign also stood out for how it blended card theft into trusted payment experiences. Instead of relying on a simple fake form, the malware dynamically adapted the checkout page, injected malicious elements, and transmitted stolen payment data outside normal HTTP flows, making detection harder for defenders and increasing fraud risk for banks and payment ecosystems. 

See the full payment-skimming chain  

PayPlug SAS payment window imitation displayed inside ANY.RUN sandbox 
PayPlug SAS payment window imitation displayed inside ANY.RUN sandbox 

Inside ANY.RUN Sandbox, analysts exposed the multi-stage delivery logic, malicious script injection, fake payment overlays, and WebSocket-based card data exfiltration. This helps security teams understand how the skimmer operates, identify related infrastructure faster, and strengthen detections against long-running payment theft campaigns. 

7. Kamasers: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide 

Check detailed analysis 

ANY.RUN published a detailed technical analysis of Kamasers, a multi-vector DDoS botnet designed to carry out both application-layer and transport-layer attacks while also supporting follow-on payload delivery. The research shows how the malware operates, how it receives commands, and why it creates risk beyond disruption alone. 

See Kamasers behavior exposed 

Communication between the infected host and the C2 server observed inside ANY.RUN
Communication between the infected host and the C2 server observed inside ANY.RUN

Inside the sandbox, analysts observed the botnet retrieving command-and-control data, communicating with active infrastructure, executing DDoS-related commands, and in some cases downloading additional files for execution. This helps security teams confirm malicious behavior faster and understand whether an infected host is being used only for flooding activity or as part of a broader compromise. 

Kamasers supports multiple attack methods, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. In addition, it can act as a loader, which increases the risk of further malware delivery, data theft, or ransomware. 

Reduce the chance of data theft and financial loss

Help your team contain threats before the damage grows



Power up your SOC


Another notable finding was the botnet’s resilient Dead Drop Resolver design. Instead of depending on a single static C2 location, Kamasers uses legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and Etherscan to retrieve active command-and-control addresses, making disruption and early detection more difficult. 

DDR links in the Kamasers codebase
DDR links in the Kamasers codebase

For organizations, that means a single infected system can become both a source of external attacks and a foothold for deeper intrusion, increasing operational, financial, and reputational risk. 

To review related sandbox analyses and broader activity, use the following TI Lookup query: 

threatName:”kamasers” 

Kamasers attacks displayed inside TI Lookup
ANY.RUN’s sandbox sessions related to the Kamasers attacks displayed inside TI Lookup

8. MicroStealer: A Fast-Spreading Infostealer with Limited Detection 

Check technical analysis 

ANY.RUN analysts found MicroStealer, a fast-spreading infostealer that gained traction despite limited public detection. In observed activity, the malware appeared in 40+ sandbox sessions in less than a month, using a multi-stage chain to steal credentials, session data, screenshots, and wallet files. 

See the full execution chain 

First observed analysis session with MicroStealer
First observed analysis session with MicroStealer

Inside the sandbox, analysts were able to quickly confirm how the threat unfolds and what data it targets. This kind of visibility helps security teams move from an unclear file to a confident verdict faster, reducing review time and lowering the chance of missed credential theft. 

How the attack unfolds: 

  • NSIS installer delivers the initial payload 
  • Electron loader requests elevated privileges and launches the next stage 
  • Java module executes the main stealer logic 
  • Browser credentials, session data, screenshots, and wallet files are collected 
  • Stolen data is sent to attacker-controlled infrastructure 

What makes MicroStealer notable is not only what it steals, but how it delays confident detection. The layered NSIS → Electron → Java execution chain, combined with obfuscation and anti-analysis checks, makes the malware harder to understand during early triage. 

To review related sandbox analyses and broader activity, use the following; TI Lookup query: 

threatName:”microstealer” 

Relevant sandbox sessions with MicroStealer
ANY.RUN TI Lookup demonstrates relevant sandbox sessions with MicroStealer

For organizations, this risk goes beyond a single infected endpoint. Stolen browser credentials and active sessions can give attackers access to SaaS apps, internal systems, and cloud services, increasing the chance of account compromise and broader intrusion. 

64% of Fortune 500 companies rely on ANY.RUN

to strengthen their SOC operations



Integrate in your SOC


About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect threats earlier, investigate incidents faster, and build stronger response workflows. With Interactive SandboxThreat Intelligence Lookup, and Threat Intelligence Feeds, the company gives SOC and MSSP teams the visibility and context they need to move from alert to confident decision more quickly.  

Today, more than 15,000 organizations and 600,000 security professionals worldwide rely on ANY.RUN. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection.

The post Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

I tested ChatGPT vs. Claude to see which is better – and if it’s worth switching

Considering ditching ChatGPT for Claude? I tested both on the same 10 tasks. Here’s which came out on top.

Latest news – ​Read More

3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)

For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next.
Threat actors now use malware less frequently in favor of what’s already inside your environment, including abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most

The Hacker News – ​Read More

Cybersecurity Firm TAC Security Hits 10,000 Clients, Enters Top 5 in Global VM & AppSec

New York, New York, April 1st, 2026, CyberNewswire

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

ImageMagick Zero-Day Enables RCE on Linux and WordPress Servers

New research from Octagon Networks reveals a critical zero-day ImageMagick vulnerability that allows Remote Code Execution (RCE) via simple image uploads affecting Ubuntu, Amazon Linux, and WordPress. This magic byte shift bypasses even the most secure policies.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.
“No sensitive customer data or credentials were involved or exposed,” an Anthropic spokesperson said in a statement shared with CNBC News. “This was a release packaging issue caused by human error, not a security

The Hacker News – ​Read More

Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents

Palo Alto Networks has disclosed the details of its analysis of Google Cloud Platform’s Vertex AI.

The post Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents appeared first on SecurityWeek.

SecurityWeek – ​Read More