A sophisticated adversary-in-the-middle (AiTM) phishing campaign has been identified, targeting Microsoft 365 and Okta users. The campaign bypasses multi-factor authentication (MFA) by hijacking legitimate single sign-on (SSO) authentication flows.

A critical out of bounds memory access vulnerability has been identified in Google Chromium, tracked as CVE-2025-14174. This vulnerability could allow remote attackers to perform unauthorized memory access via a crafted HTML page.

Fieldtex, a New York-based manufacturer, has notified 247,363 individuals of a data breach that occurred in August 2025. The breach, claimed by the ransomware group Akira, involved the theft of personal information.

PyStoreRAT is a newly identified malware targeting OSINT researchers and IT professionals through GitHub. It is distributed via fake OSINT tools and other software, leveraging AI to build trust and evade detection.

A cyberattack on the Pierce County Library System in Washington has exposed the personal information of over 340,000 individuals. The breach, attributed to the INC ransomware gang, forced the library system to shut down all its systems.

Apple has released emergency updates to address two zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174, which were exploited in sophisticated attacks targeting specific individuals.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability, CVE-2018-4063, affecting Sierra Wireless AirLink ALEOS routers, to its Known Exploited Vulnerabilities catalog.

An unsecured 16TB MongoDB database containing 4.3 billion professional records was discovered, posing a significant risk for large-scale AI-driven social engineering attacks. The database included LinkedIn-style data.

Notepad++ has addressed a critical bug in its WinGUp update tool that allowed attackers to push malicious update files. It was exploited to execute unauthorized commands and exfiltrate sensitive data, posing a significant security risk to users.

Hackers are exploiting vulnerabilities in the emergency data request (EDR) process by impersonating law enforcement officers to obtain private user data from major tech companies.