Daily Cybersecurity Roundup, June 25, 2025

Threat actors continue to exploit widely used software ecosystems to distribute malware and advance their campaigns. North Korean threat actors linked to the Contagious Interview campaign have published 35 malicious npm packages—six of which remain active—leveraging the HexEval loader to deploy the BeaverTail and InvisibleFerret malware. Meanwhile, researchers have observed a wave of cyberattacks against financial institutions in Africa, attributed to cluster CL-CRI-1014, where attackers are using open-source tools like PoshC2 and Chisel, and selling compromised access on dark web marketplaces. In a separate campaign, threat actors are weaponizing Black Hat SEO techniques to boost AI-related keyword rankings and distribute malware such as Vidar Stealer, Lumma Stealer, and Legion Loader.

01. North Korean threat actors behind the Contagious Interview campaign published 35 malicious npm packages, with six still active, using a HexEval loader to deploy BeaverTail and InvisibleFerret malware.

02. Researchers have reported a series of cyberattacks targeting financial institutions in Africa, identified as cluster CL-CRI-1014. Attackers use open-source tools like PoshC2 and Chisel, with compromised access sold on the dark web.

03. Threat actors have modified SonicWall's SSL VPN NetExtender application to distribute a trojanized version that closely resembles the legitimate software. This malicious installer, digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED,” is being used to steal VPN credentials.

04. Researchers discovered a malware prototype containing an embedded prompt injection designed to manipulate AI models, but the attack failed against tested LLMs, including OpenAI’s o3 and GPT-4.1.

05. A malware campaign has been using Black Hat SEO to manipulate search engine rankings for AI-related keywords to distribute malware like Vidar Stealer, Lumma Stealer, and Legion Loader.

06. The Androxgh0st botnet, known for exploiting vulnerabilities for remote code execution and cryptomining, recently compromised a University of California, San Diego subdomain to host its C2 logger.

07. NVIDIA discovered two critical vulnerabilities (CVE-2025-23264 and CVE-2025-23265) in its Megatron-LM framework, enabling malicious code injection and privilege escalation.

08. A critical vulnerability (CVE-2025-48703) in CentOS Web Panel allows unauthenticated remote code execution, affecting versions 0.9.8.1188 and 0.9.8.1204.

09. A flaw (CVE-2025-2135) in Kibana’s reporting engine, arising from a Chromium type confusion vulnerability, has been discovered that can lead to heap corruption and remote code execution.

10. XBOW, an AI-driven offensive security platform, has secured $75 million in a Series B funding round led by Altimeter’s Apoorv Agrawal, with participation from existing investors Sequoia Capital and Nat Friedman.