A critical security vulnerability has been disclosed in Meshtastic, the open-source LoRa mesh networking platform known for enabling long-range, low-power communication without cellular or internet connectivity.

A critical stack-based buffer overflow vulnerability, tracked as CVE-2025-42599, has been identified in Active! mail. The flaw carries a CVSS score of 9.8 and is actively being exploited in the wild.

A new fraud campaign tracked by Cleafy in Italy leverages Android malware, social engineering, and NFC technology to steal payment card data. The malware, dubbed SuperCard X, is part of a malware-as-a-service (MaaS) operation .

ASUS has disclosed a critical authentication bypass vulnerability (CVE-2025-2492) affecting multiple router models with AiCloud enabled. The flaw allows remote attackers to execute unauthorized functions without authentication.

A spear-phishing campaign attributed to Russian-speaking threat actors targeted the UK Ministry of Defence (MOD) in late 2024. The attackers deployed a RomCom malware variant known as Damascened Peacock.

Cybersecurity researchers uncovered a RedGolf/APT41 server inadvertently exposed for less than 24 hours, offering a rare glimpse into an active staging ground used by the threat actor.

A threat actor known as ELUSIVE COMET is exploiting Zoom’s remote control feature to deploy malware during fake podcast interviews. The attacker is targeting individuals in the cryptocurrency and DeFi sectors.

The FBI has issued a warning about a persistent fraud scheme in which scammers impersonate employees of the Internet Crime Complaint Center (IC3) to deceive and revictimize individuals, particularly those who have already suffered financial fraud.

A widespread and ongoing SMS phishing (smishing) campaign has been targeting toll road users across eight U.S. states since mid-October 2024. The campaign impersonates electronic toll systems.

A new supply chain attack has been uncovered targeting Telegram bot developers via typosquatted npm packages. These malicious packages mimic the legitimate `node-telegram-bot-api` library.