Node.js has released critical security updates addressing three vulnerabilities—CVE-2025-23166, CVE-2025-23167, and CVE-2025-23165—that could allow attackers to crash server processes and disrupt services.

Katz Stealer is a newly identified infostealer malware targeting over 78 Chromium and Gecko-based browser variants. It is capable of extracting sensitive data including credentials, cookies, CVV2 codes, OAuth tokens, and cryptocurrency wallets.

Microsoft has disclosed two critical vulnerabilities in its Windows Remote Desktop services that could allow attackers to execute arbitrary code on vulnerable systems over a network.

A critical command injection vulnerability (CVE-2025-31644) has been identified in F5 BIG-IP systems operating in Appliance mode. The flaw allows authenticated administrators to execute arbitrary system commands, bypassing security boundaries.

A newly identified .NET-based infostealer named PupkinStealer has emerged as a significant threat targeting Windows systems. First observed in April 2025, this malware is designed to harvest sensitive data.

A newly uncovered scam campaign exploits X/Twitter’s ad URL preview feature to deceive users into visiting fraudulent cryptocurrency sites. By manipulating how metadata is fetched for preview cards, attackers display trusted domains.

A new ransomware delivery technique has emerged, embedding malicious code within JPEG images to execute fully undetectable (FUD) ransomware. This method bypasses traditional antivirus systems and exploits user trust in common file types.

The latest wave of attacks leverages PhaaS toolkits that automate the creation of dynamic phishing pages, eliminating the need for manual cloning of websites. These toolkits allow attackers to generate real-time replicas of legitimate websites.

A new wave of cyberattacks is exploiting WinRM to conduct stealthy lateral movement within AD environments. By leveraging this legitimate administrative tool, attackers evade detection and blend into normal network activity.

A critical input validation vulnerability has been discovered in Microsoft Bookings, a scheduling tool integrated with Microsoft 365. The flaw allows attackers to inject arbitrary HTML into appointment fields.