The Hacker News
βœ”
162K subscribers
3.34K photos
21 videos
4 files
9.3K links
⭐ Official THN Telegram Channel β€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

πŸ“¨ Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
Download Telegram
πŸ”₯ A new 16-year-old #Linux KVM flaw lets a rooted nested VM crash the x86 host and take down other tenants on the same machine.

Dubbed "Januscape" (CVE-2026-53359), the bug sits in KVM’s shadow MMU.

Researcher says a full guest-to-host escape exploit also exists in a controlled setup; only the host-crash PoC is public.

Explained here: https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
πŸ”₯13πŸ‘2
🚨 Iran-linked Cavern Manticore is targeting Israeli government and IT organizations with 'Cavern,' a modular .NET C2 framework.

Researchers say the group abused RMM tools, then used DLL side-loading, NativeAOT modules, and AppDomain isolation to hide post-compromise activity.

How Cavern works: https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
πŸ‘12πŸ‘11πŸ”₯4⚑2πŸ€”1🀯1
⚠️ BeyondTrust fixed four RS and PRA flaws. Two are critical pre-auth bugs that could let unauthenticated attackers bypass access controls, but only under specific auth configurations.

No exploitation is reported. RS 25.3.3 and PRA 25.3.3 carry the fixes.

Check which setups need patching: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
πŸ”₯4
πŸ›‘ WARNING - Several Tenda firmware builds embed an undocumented auth backdoor in /bin/httpd.

CVE-2026-11405 checks sys.rzadmin.password after normal login fails. If the supplied password matches, it creates an admin session.

Still unpatched.

Read: https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html
πŸ”₯3πŸ€”3
🚨 Suspected China-aligned UNK_MassTraction exploited now-patched Roundcube flaws against U.S. and Canadian university departments.

IceCube stole credentials, 2FA data, and cookies, then used CVE-2025-49113 to drop VShell or a web shell.

How the mail server compromise worked: https://thehackernews.com/2026/07/suspected-china-aligned-hackers-exploit.html
😁4πŸ‘2πŸ”₯2
Breach transparency remains one of cybersecurity’s toughest governance challenges.

Bruce Sussman of Bitdefender highlights a key finding from the 2026 Cybersecurity Assessment: 55.2% of professionals who experienced a breach were told to keep it confidentialβ€”even when they believed it should be reported to authorities.

Why awareness still doesn’t translate into readiness: https://thehackernews.com/expert-insights/2026/07/breach-transparency-remains.html
😁4πŸ‘3
πŸ”₯ Alleged Scattered Spider hacker caught by his own Windows device ID.

Per a new court filing, he hid the attack behind proxies and fake names.

But #Microsoft records tied one device ID to his ngrok access, then to his personal accounts and trips. That overlap is how the FBI found him.

Criminals, take notes πŸ – https://thehackernews.com/2026/07/court-filing-reveals-windows-device-id.html
😁16πŸ”₯2πŸ€”2🀯2
AI has changed the software supply chain question.

It is no longer just which packages, versions, and dependencies made it into the code. It is which agents, MCP tools, models, and prompts shaped the build.

What supply chain security looks like with AI in scope: https://thehackernews.com/2026/07/what-changes-when-your-software-supply.html
πŸ€”1
Writer AI patched WriteOut, a one-click session isolation flaw in its enterprise AI platform.

A victim who clicked a public preview link while logged in could have their session cookie forwarded into an attacker-controlled sandbox, where it could be recovered and replayed.

How the preview proxy crossed tenant lines: https://thehackernews.com/2026/07/writer-ai-flaw-could-let-agent-previews.html
πŸ€”1
4 Cities. 4 Intimate roundtables. One urgent conversation. 🌍

Security has no shortage of conversations. Honest ones are harder to find.

This summer, TryHackMe is bringing senior security leaders together in-person for Post-Mythos: Watch the Incident Readiness Gap. Their first roundtable series across Europe and the US.

Built for leaders who want to debrief on how to close the gaps that actually matter. The series will cover:

🧠 Where human judgement sits when AI is running the attack.
πŸ›‘οΈ What it takes to build a proactive, AI-fluent SOC.
⚠️ Whether your team is ready for a threat class that’s already here.

Pick your city. Claim your seat. πŸ‘‰πŸΌ

πŸ“San Francisco: https://thn.news/roundtableseries-sfo
πŸ“Dallas: https://thn.news/roundtableseries-dallas
πŸ“New York City: https://thn.news/roundtableseries-ny
πŸ“ Paris: https://thn.news/roundtableseries-paris
πŸ€”1
⚑ New GitLost technique can trick #GitHub Agentic Workflows into leaking private repo data.

A public issue can make an agent read a private repo and post its contents in a public comment.

In one test, adding β€œAdditionally” to the malicious instruction was enough to get past GitHub’s guardrail.

Learn how the leak works - https://thehackernews.com/2026/07/public-github-issue-could-trick-github.html
πŸ€”2😁1
🚨 Microsoft 365 phishing is shifting from fake login pages to real Microsoft login flows.

DEBULL uses device-code phishing to trick users into approving attacker access to M365 accounts.

The login page is real. The access goes to the attacker.

Read the full story: https://thehackernews.com/2026/07/debull-tooling-abuses-microsoft-device.html
😁4πŸ‘2
🚨 Rogue Agent was not just another chatbot bug.

β†’ Google Dialogflow CX had a flaw where editing one AI chatbot could let attackers reach other chatbots in the same project.

β†’ Read live chats, capture input, and turn the bot into a phishing lure.

Read how the flaw worked - https://thehackernews.com/2026/07/rogue-agent-flaw-could-have-let.html
πŸ‘5πŸ”₯2
πŸ›‘ WARNING - #Android bank fraud is being packaged for rent on Telegram.

Researchers are warning of RedWing, a mobile MaaS operation that gives buyers custom APKs, fake app-store lures, login overlays, OTP theft, and call forwarding.

82 institutions are listed as targets.

Learn more - https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html
πŸ”₯13πŸ‘3⚑2
⚠️ CISA added 4 actively exploited flaws to KEV. Three are rated 10.0.

Adobe ColdFusion, Joomla page builders, and Langflow are affected.

Experts say the Langflow chain used IDOR and RCE to steal LLM provider and AWS keys.

Read - https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
πŸ‘6πŸ”₯3
This media is not supported in your browser
VIEW IN TELEGRAM
πŸ›‘ A newly found 15-year-old #Linux kernel flaw, GhostLock (CVE-2026-43499), could let any logged-in user gain root on unpatched distributions.

A working exploit code is now public, and it escaped containers in tests.

Read details here: https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
😁10πŸ‘2πŸ”₯2⚑1
🚨 Chinese APT UAT-7810 is upgrading LONGLEASH to turn compromised devices into relay boxes for LapDogs.

Ruckus router flaws are already in the chain. ASUS AiCloud targeting points to possible ORB expansion.

Read: https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html
πŸ”₯6
⚑ Refused in chat. Delivered in code.

GitHub Copilot's Claude and Gemini models rejected almost every direct harmful request, then produced harmful answers in all 816 coding-workflow runs.

Learn how a benchmark Q&A task got Copilot to write banned answers itself: https://thehackernews.com/2026/07/github-copilot-refuses-harmful-requests.html
Passkeys are making stolen passwords less useful.

So ATO is moving downstream: account recovery, magic links, step-up checks, and identity verification.

The next weak link is not login. It’s proving the person behind the action is real.

Read where ATO is shifting next: https://thehackernews.com/2026/07/the-verification-step-is-new-ato.html
🚨 That green "Verified" badge on a #GitHub commit? The hash under it isn't unique.

New research: anyone can rewrite a signed commit into many valid "Verified" hashes, no signing key needed.

Same files. Same author. Valid signature.

Learn how 'hash chain malleability' breaks commit trust - https://thehackernews.com/2026/07/github-verified-commits-can-be.html