Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

A week in security (June 1 – June 7)

A list of topics we covered in the week of June 1 to June 7 of 2025

Malwarebytes
Open in Source
#ios#android#mac#windows#google#linux#zero_day#chrome
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1

Popular Chrome Extensions Found Leaking Data via Unencrypted Connections

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

How to update Chrome on every operating system

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

What Really Happened in the Aftermath of the Lizard Squad Hacks

On Christmas Day in 2014 hackers knocked out the Xbox and PlayStation gaming networks, impacting how video game companies handled cybersecurity for years.

GHSA-6vx8-pcwv-xhf4: SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with signxml 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

GHSA-gmhf-gg8w-jw42: SignXML's signature verification with HMAC is vulnerable to a timing attack

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

Google fixes another actively exploited vulnerability in Chrome, so update now!

Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws