A single image file could hijack Galaxy phones.

Attackers hid a ZIP inside DNG photos sent over WhatsApp, exploiting a zero-day in Samsung’s image codec (CVE-2025-21042).

The implant — called LANDFALL — gave full spyware access.

Full report → https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html

Attackers are now using your cloud tools against you.

Fortinet uncovered a new campaign where stolen AWS credentials were used to run quiet recon and launch fraud from inside trusted environments.

No malware. No noise. Just normal-looking API traffic doing damage.

Read this story → https://thehackernews.com/2025/11/threatsday-bulletin-ai-tools-in-malware.html#researchers-uncover-large-scale-aws-abuse-network

🔥 Wild find from Microsoft.

Even when your AI chats are encrypted, someone watching the network can still guess what you’re talking about.

They call it "Whisper Leak" side-channel attack.

And in tests, models like OpenAI and Mistral gave away topics with 98% accuracy.

Worth your attention ↓ https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html

🚨 Three VS Code extensions — downloaded over 10,000 times — turned out to be part of a revived GlassWorm attack.

And... it spreads on its own. One infected developer can quietly compromise an entire team.

They're stealing credentials for GitHub, VSX, and crypto wallets while hiding in plain sight with invisible Unicode characters.

Read the whole story ↓ https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html

⚠️ Hackers are posing as Booking[.]com to target hotels.

Fake “security” emails trick managers into running a PowerShell script that installs PureRAT — giving full access to hotel systems.

Stolen logins and card data are being sold online.

More information here → https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html

Everyone’s building with AI in the cloud.

Few are thinking about how to actually secure it.

#NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next.

Worth a watch →

Last week in cyber was wild.

🔒 Malware hiding in VMs
🤖 AI chats leaking through encrypted traffic
📱 Spyware on flagship Androids
💣 Logic bombs set to go off years later
🕵️‍♂️ Fake AI bots, deepfakes, and more...

You can’t afford to miss this recap: https://thehackernews.com/2025/11/weekly-recap-hyper-v-malware-malicious.html

77% of employees paste sensitive data into GenAI tools.
Most use personal accounts, so IT can’t see it.

It’s all happening in the browser — and old DLP tools miss it completely.

The browser just became the biggest data leak in the enterprise ↓ https://thehackernews.com/2025/11/new-browser-security-report-reveals.html

North Korea’s Konni group just pulled off something wild — they turned Google’s own Find Hub into a weapon.

By stealing Google logins, they could remotely wipe Android phones, erasing data and covering their tracks.

It all started with a fake “Stress Clear” app, signed with a real Chinese company’s certificate.

Full story ↓ https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html

🚨 UNC6485 is weaponizing CVE-2025-12480 (CVSS 9.1).

They bypassed Triofox auth, ran setup to create an admin, then pointed the antivirus path at centre_report.bat to run code as SYSTEM.

Read ↓ https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html

Hackers aren’t after people anymore — they’re after bots.

API keys and tokens now run much of your SaaS, often with full access.

One stolen token let attackers break into hundreds of Salesforce accounts.

See how it happened ↓ https://thehackernews.com/expert-insights/2025/11/whos-really-using-your-saas-rise-of-non.html

A fake npm package was caught pretending to be GitHub’s real one.

~acitons/artifact (with the typo) tried to steal build tokens from GitHub repos.

It ran a postinstall script that sent secrets to a fake GitHub site.

Full story ↓ https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html

🚨 🚨 New Android RAT — “Fantasy Hub” — is on sale on Russian Telegram: $200/week or $4,500/year.

It turns any app into spyware, pretends to be a Play update, hijacks SMS to steal 2FA, and streams camera/mic in real time via WebRTC.

Novices can buy and run it. If you use BYOD or mobile banking, read more ↓ https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html

AI-driven supply chain attacks jumped 156% last year.

This new malware rewrites itself, looks like real code, and waits weeks before hitting. Most security tools can’t spot it.

See what CISOs are doing to fight back ↓ https://thehackernews.com/2025/11/cisos-expert-guide-to-ai-supply-chain.html

🚨 GootLoader is back — and smarter.

Huntress found 3 new cases since Oct 27. In 2 of them, attackers took full control in under 17 hours.

Now it hides fake PDFs using special web fonts so the files look safe. ZIPs fool scanners but open real malware on Windows.

Details ↓ https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html

A new malware called Maverick is spreading through WhatsApp Web.

It can copy your Chrome data to skip QR logins, turn off Defender, and message your contacts from your account.

Full story ↓ https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html