Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the

The Hacker News
Open in Source
#vulnerability#web#mac#google#microsoft#git#java#backdoor#zero_day#chrome#The Hacker News
Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Codasip Donates Tools to Develop Memory-Safe Chips

The software development kit will simplify building and testing of CHERI-enabled RISC-V applications.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Microsoft SharePoint Vuln Is Under Active Exploit

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the

GHSA-hf59-7rwq-785m: In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability.

### Impact _What kind of vulnerability is it? Who is impacted?_ In certain *very specific* situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger. You must have an update action that: - Is on a resource with no attributes containing an "update default" (updated_at timestamp, for example) - can be performed atomically. - Does *not* have `require_atomic? false` - Has at least one authorizer (typically `Ash.Policy.Authorizer`) - Has at least one `change` (on the resource's `changes` block or in the action itself) This is where the side-effects would be performed when they should not have been. --- - Is there ever a place where you call t...

After concerns of handing Facebook taxpayer info, four companies found to have improperly shared data

Tax preparation firms shared user information with Google and Meta without proper consent by using tracking pixels

LinkedIn bots and spear phishers target job seekers

The #opentowork hashtag may attract the wrong crowd as criminals target LinkedIn users to steal personal information, or scam them.