IT Security Newsletter - 12/4/2025
Critical vulnerabilities found in React and Next.js
Security researchers on Wednesday warned about a critical vulnerability in React Server Components (RSC) and Next.js. The vulnerability, tracked as CVE-2025-55182, enables unauthenticated remote code execution, stemming from unsafe deserialization of payloads that are sent to React Server Function endpoints. While the flaw originated in the React open source software's RSC protocol, it also has a downstream impact on Next.js applications.
Inotiv Says Personal Information Stolen in Ransomware Attack
Pharmaceutical company Inotiv is notifying over 9,500 individuals that their personal information was stolen in a data breach resulting from a ransomware attack. The incident occurred on August 8 and was blamed for causing disruptions to certain business operations and for preventing access to certain networks and systems, including internal data storage. In a December 3 filing with the SEC, the company revealed that it has restored access to its network and systems.
Marquis data breach impacts over 74 US banks, credit unions
Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US. Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders. In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025.
FBI Warns of Surge in Account Takeover (ATO) Fraud Schemes - What You Need To Know
What is account takeover fraud? Account takeover fraud (also known as ATO fraud) occurs when a malicious hacker or fraudster compromises and gains control of an account without legitimate authorisation. Typically the online account might be a bank account, email account, or social media profile that has been accessed after stealing login credentials through phishing, malware, a data breach, or social engineering.
Reporters Without Borders Targeted by Russian Hackers
The Russia-linked Star Blizzard APT earlier this year targeted French press freedom organization Reporters Without Borders (RSF), Sekoia reports. The attack occurred in March and was carried out via a phishing email targeting one of RSF's core members. Star Blizzard used a ProtonMail address and spoofed a recipient's trusted contact, asking them to review an attached document. The Russian hackers did not attach the document, and instead waited for the recipient to respond and ask for it.
Microsoft quietly shuts down Windows shortcut flaw after years of espionage abuse
Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks. The flaw, tracked as CVE-2025-9491, allows malicious .lnk shortcut files to hide harmful command-line arguments from users, enabling hidden code execution when a victim opens the shortcut. Researchers at Trend Micro said in March that nearly a thousand malicious .lnk samples dating back to 2017 exploited this weakness across a mix of campaigns worldwide.
'ShadyPanda' Hackers Weaponize Millions of Browsers
A sophisticated malware operation has infected 4.3 million Chrome and Edge browser users via malicious browser extensions that masqueraded as legitimate tools for years before being weaponized. The operators of the campaign have collected detailed browsing histories, search queries, and user credentials, while also establishing remote code execution (RCE) capabilities that allowed them to control hundreds of thousands of browsers.
How attackers use real IT tools to take over your computer
A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims' systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses. Once installed, the tool gives attackers full remote access to the victim's machine, evading many conventional security detections because the software itself is legitimate.
Admins and defenders gird themselves against maximum-severity server vuln
Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process. The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.
- ...in 1956, the Million Dollar Quartet (Elvis Presley, Jerry Lee Lewis, Carl Perkins, and Johnny Cash) have their first (and last) recording session at Sun Studio.
- ...in 1966, comedic actor and musician Fred Armisen ("Saturday Night Live", "Portlandia") is born in Hattiesburg, MS.
- ...in 1980, Led Zeppelin formally announces its breakup.
- ...in 1991, US airline Pan American World Airways ends its operations after 64 years.








