🤖 We talk a lot about securing AI.

Almost no one talks about where it’s actually hiding.

NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

🚀See Wiz in Action → https://thn.news/cloud-security-demo

🔥 Hackers hit South Korea’s banks through one IT vendor — spreading Qilin ransomware to 28 firms and stealing 2 TB of data.

Evidence suggests Russian and North Korean groups worked together.

Full story ↓ https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

⚠️ Eight “advanced” tools failed at once.

A phishing attack slipped past all of them and reached exec inboxes. Only one thing stopped it — a strong SOC.

🔗 Learn why your “first line” is useless without the last ↓ https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html

⚠️ Hundreds of Maven packages just got caught running Shai-Hulud v2 — the same malware that hijacked npm.

It spread through automated rebuilds, infecting devs who never used npm.

Hiding in the Bun runtime, it steals GitHub + cloud creds and self-replicates like a worm — already leaking 11,000+ secrets across 4,600 repos.

Details here ↓ https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html

🛑 Gainsight just revealed more customers were affected than originally disclosed.

Salesforce revoked all Gainsight access tokens after the breach tied to ShinyHunters — and the same user-agent from prior Salesloft attacks popped up again.

The full scope remains unknown.

Read here → https://thehackernews.com/2025/11/gainsight-expands-impacted-customer.html

🚨 New ThreatsDay Bulletin is live!

🤖 AI malware that learns your habits
📞 Voice bots turned into attack tools
💸 Crypto rings laundering billions
🔌 IoT gear under siege again
🌍 Smishing scams spreading worldwide

All that and 20+ more stories shaping the week in cybersecurity.

🔗 Read now: https://thehackernews.com/2025/11/threatsday-bulletin-ai-malware-voice.html

Microsoft will block all non-Microsoft scripts on Entra ID logins starting Oct 2026.

If your sign-in flow or browser extension injects any code, it may break — so test ASAP.

The new Content Security Policy only lets trusted Microsoft-hosted scripts.

Read more → https://thehackernews.com/2025/11/microsoft-to-block-unauthorized-scripts.html

Hackers posing as Kyrgyzstan’s Justice Ministry are spreading 2013-era NetSupport RAT across Kyrgyzstan and Uzbekistan using fake PDFs and old Java tricks—blocking outsiders to hide the attack.

Old tools. New victims. → https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html

VPNs weren’t built for today’s hybrid networks. Hackers now exploit them as entry points to steal admin creds.

Remote Privileged Access Management (RPAM) closes that gap — no VPNs, no shared passwords, full session tracking.

Why it’s replacing PAM → https://thehackernews.com/2025/11/why-organizations-are-turning-to-rpam.html

🚨 North Korean hackers uploaded 197 malicious npm packages (31K+ downloads).

They drop a new OtterCookie variant that steals passwords, crypto data, and screenshots — all from a fake job interview setup.

Details here ↓ https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

⚠️ Researchers found old Python code that could expose projects to a supply chain attack.

Some PyPI packages — including Tornado and slapos.core — still call an expired domain that anyone could buy and use to run malicious code.

Details ↓ https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html

🚨 CISA added a real-world exploited flaw in OpenPLC ScadaBR to its Known Exploited Vulnerabilities list.

Hackers used the bug (CVE-2021-26829) to deface a fake water plant system in under 26 hours — disabling logs and alarms.

Read → https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html

🚨 Tomiris is back — and harder to spot.

Kaspersky reports the group is using Telegram & Discord as C2 servers to hide attacks on government networks in Russia & Central Asia.

Its new malware — written in Python, Rust, Go, PowerShell & C#.

Full details ↓ https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html

🚨 New Android malware Albiriox is being sold as a service.

It can remotely control phones, stream screens from banking apps, and fake updates to steal logins.

It even bypasses Android’s screen protections.

Read about it here → https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html

Spread via fake Google Play links, it’s already targeting users in Austria.

🚨 Webinar Alert: Resilient Patching — Guardrails for Community Repos

You trust your patching tools. Attackers trust that too. A single unsafe package on Chocolatey or Winget can flip your defenses against you.

Learn how top teams patch fast, safe, and under control.

👉 Register & get the full playbook → https://thehacker.news/resilient-patching

🚨 The browser just became your riskiest employee.

New AI browsers like ChatGPT Atlas can act on your behalf — booking, buying, sending data. One hidden command can turn them against you.

Join this expert webinar to learn how to spot and stop these new AI browser threats ↓ https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

⚡ New Cyber Recap is live.

🐛 npm worm returns
📧 M365 email + token raids
📱 spyware on chat apps
🧱 Firefox RCE + hot CVEs
💸 Cryptomixer takedown

If you ship code, manage access, or touch cloud… this one’s worth 3 minutes.

Read: https://thehackernews.com/2025/12/weekly-recap-hot-cves-npm-worm-returns.html

🐼 ShadyPanda quietly turned trusted Chrome and Edge extensions into spyware.

Over 4.3 million installs in 7 years — some were even once verified by Google.

After silent updates in mid-2024, they began sending users’ browsing data and cookies to remote servers.

🔗 Read here → https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html

📢 URGENT: India just made a cybersecurity app mandatory on all new phones.

The app — Sanchar Saathi — can’t be deleted or disabled.

It helps report fraud, trace lost devices, and block illegal calls.

Full story ↓ https://thehackernews.com/2025/12/india-orders-phone-makers-to-pre.html

Phone makers have 90 days to preload it, and must also update phones already in the supply chain.

⚠️ Google just fixed 107 security flaws in Android — including two that hackers already used in real attacks.

The exploited bugs (CVE-2025-48633 & CVE-2025-48572) affect the Android Framework and could expose data or give attackers higher access.

Read: https://thehackernews.com/2025/12/google-patches-107-android-flaws.html

📱 Update your device as soon as the December patch is available.

🚨 Iranian hackers are attacking Israeli networks with a new tool called MuddyViper.

The group MuddyWater used fake emails and VPN bugs to break into systems in tech, transport, and utilities.

MuddyViper can steal passwords, browser data, and control infected computers — while pretending to be the Snake game.

Read more → https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli.html