r/pwnhub

Claude Code Source Leak Exposes How Much Data Anthropic Collects From Your System
🔥 Hot ▲ 169 r/pwnhub

Anthropic accidentally exposed Claude Code's full source through a packaging error in its npm release, giving researchers an unfiltered look at how the popular AI coding tool operates on user machines.

The roughly 500,000 lines of leaked TypeScript revealed background processes, clipboard access, screenshot capabilities, and an unreleased headless mode that runs while the user is away from the terminal. Researchers also found that the tool monitors user frustration patterns through regex analysis of conversation inputs, raising questions about behavioral data collection that users may not realize is happening.

The leak was the second major accidental exposure from Anthropic in days, drawing scrutiny toward whether a company that markets itself on safety and transparency can adequately secure its own systems.

How much access to your local machine should an AI coding tool have before you start treating it like a security risk?

u/_cybersecurity_ — 19 hours ago
Iran's Strikes on Oracle Facilities Put Cloud Infrastructure Security on the Map
🔥 Hot ▲ 57 r/pwnhub

Iran's IRGC claimed it struck an Oracle facility in Dubai this week as part of a broader campaign against American technology companies operating in the Gulf.

Dubai authorities denied the attack, but the incident still marks a new chapter in infrastructure security. The IRGC had previously warned 18 US tech companies that their regional facilities would be considered military targets, telling employees to evacuate immediately.

Oracle, Amazon, Microsoft, and Google all host significant cloud and AI infrastructure in the Middle East, and this conflict is testing assumptions about geographic risk that many organizations have not fully accounted for.

Whether or not the Oracle data center was actually hit, the targeting of cloud infrastructure by a state military force introduces a threat model that most enterprise disaster recovery plans were not built for.

Should cloud providers be required to disclose to customers when their data is stored in regions facing active military conflict?

u/_cybersecurity_ — 19 hours ago
North Korean Hackers Execute $285 Million Heist on Drift in Seconds
🔥 Hot ▲ 52 r/pwnhub

North Korean threat actors have pulled off a meticulously planned $285 million cyber heist from the decentralized finance platform Drift in under ten seconds.

Key Points:

  • The attackers executed the heist with extreme precision, leveraging pre-signed transactions and admin control.
  • Drift is currently working with multiple security firms and law enforcement to recover the stolen assets.
  • This incident highlights a growing trend of cyberattacks by North Korean hackers, who have stolen over $6.5 billion in cryptocurrency over recent years.

The recent cyber heist involving Drift, a decentralized finance platform, is being attributed to a North Korean threat actor as part of an intricately devised attack strategy. This incident marks a significant escalation in cybercrimes associated with nation-state actors, showcasing how sophisticated and fast-moving such operations can be. The hackers executed the heist in moments by preparing a fake collateral market and modifying system safeguards just before executing their plan, effectively bypassing security mechanisms designed to prevent rapid fund withdrawal.

In the hours leading up to the attack, the intruders gained control of a crucial admin key through a multisig compromise, which allowed them to manipulate Drift’s settings. They exploited pre-signed transactions and created a fabricated market for a worthless token, CVT, ensuring that their withdrawals would generate maximum financial gain. By the time the authorities could respond, hundreds of millions had already been transferred and laundered through an expansive web of wallets and exchanges, making recovery efforts even more challenging for Drift and the broader cryptocurrency ecosystem.

What measures can decentralized finance platforms take to enhance security against such sophisticated cyberattacks?

Learn More: Security Week

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

u/_cybersecurity_ — 22 hours ago
Australia's Failing Teen Social Media Ban Creates New Privacy Risks for All Users
▲ 24 r/pwnhub

Australia's world-first ban on social media for users under 16 is struggling to deliver results, with reports that many teens have already bypassed the restrictions using VPNs and false age declarations.

The more significant concern for privacy professionals is what the ban demands from everyone else. To comply, platforms are collecting biometric selfies, identity documents, and behavioral signals from all Australian users, not just minors.

Critics warn that these verification systems create data honeypots for hackers, meaning a policy designed to protect children may be putting every user's personal information at greater risk.

As countries including the US, UK, and France consider similar legislation, the Australian experiment is becoming a cautionary tale about what happens when age verification infrastructure outpaces data protection safeguards.

Is there a way to verify a user's age online without creating new privacy vulnerabilities for everyone?

u/_cybersecurity_ — 19 hours ago
React2Shell Exploit Leads to Massive Credential Theft Across Next.js Apps
▲ 26 r/pwnhub

A large-scale campaign exploiting a critical React vulnerability has resulted in the compromise of over 766 systems and the theft of sensitive credentials.

Key Points:

  • Threat actor exploits critical React vulnerability (CVE-2025-55182) in Next.js applications.
  • Automated scripts are used to collect sensitive information such as SSH keys and cloud tokens.
  • Over 766 systems have been compromised and more than 10,000 files exfiltrated within 24 hours.
  • The attacked applications are public-facing and vulnerable, making them easy targets for exploitation.
  • Exposed data could lead to serious security threats, including supply chain attacks and compliance issues.

Cisco's Talos security researchers have raised the alarm on a significant threat campaign involving a vulnerability tracked as CVE-2025-55182, which has a critical CVSS score of 10. The exploit specifically targets Next.js applications, allowing unauthorized attackers to execute arbitrary code remotely. The threat actor, designated as UAT-10608, has been using automated scanning techniques to identify applications with this vulnerability. After gaining initial access, they employ automated scripts and the Nexus Listener framework to gather sensitive information such as SSH keys, cloud tokens, and other credentials from affected systems.

This assault has been widespread, with at least 766 systems compromised and a staggering number of over 10,000 files collected. The attackers exploit public-facing Next.js web applications, sending crafted payloads via HTTP requests to execute code on Node.js processes. The exfiltrated data is then transmitted to a command-and-control server and accessed through an exposed instance of the Nexus Listener. Such exposure not only demonstrates the severity of the breach but also highlights how vulnerable systems can be to automated scanning technologies, putting critical infrastructure and sensitive information at risk. As the stolen data contains keys for various platforms and environments, compromised credentials can lead to further breaches and significant compliance challenges.

What steps do you think organizations should take to mitigate the risks associated with such vulnerabilities?

Learn More: Security Week

u/_cybersecurity_ — 22 hours ago
FTC Settles With OkCupid Over User Photos Shared With Facial Recognition Company
▲ 8 r/pwnhub

The Federal Trade Commission settled with OkCupid and Match Group after the dating platform allegedly provided personal user data to an unauthorized third party in violation of its own privacy policy.

According to the complaint, OkCupid shared user data with Clarifai, a facial recognition company, giving the firm access to nearly three million user photos along with location and demographic information. No contractual restrictions governed how the data could be used. The connection between the companies was personal rather than commercial: OkCupid's founders were financial investors in Clarifai.

The FTC also alleged that OkCupid and Match spent years actively concealing the data sharing and obstructing the investigation.

The settlement prohibits future misrepresentations about data practices but includes no monetary penalty, raising the question of whether enforcement without financial consequences is enough to change corporate behavior.

Do dating apps owe users a higher standard of data protection given the sensitivity of the information people share on them?

u/_cybersecurity_ — 19 hours ago
Mercor Hit by Major Breach as Hackers Claim 4TB of Stolen Data
▲ 8 r/pwnhub

AI firm Mercor faces a severe security incident due to a supply chain attack linked to a compromised open-source tool, impacting sensitive candidate and internal data.

Key Points:

  • Mercor confirmed a data breach related to the compromised LiteLLM tool, affecting thousands of organizations.
  • Attackers exploited a 40-minute window to publish malicious LiteLLM versions, impacting millions of daily downloads.
  • Lapsus$ claimed to possess 4TB of stolen data, including personal and technical information related to Mercor.
  • The breach highlights the risk of supply chain attacks and their rapid impact across numerous cloud environments.
  • Mercor is under investigation while taking steps to contain the breach and assess the data leak.

AI recruitment firm Mercor has confirmed its involvement in a significant cybersecurity incident triggered by a supply chain attack, specifically through the compromise of the LiteLLM open-source tool. This incident, attributed to hacking groups TeamPCP and Lapsus$, illustrates how adversaries can exploit trusted software to access sensitive information across various organizations quickly. The malicious versions of LiteLLM were available for a brief period, yet their prevalence in numerous cloud environments exacerbated the repercussions of the breach, emphasizing how swiftly an attack can cascade through the software ecosystem.

The extent of the breach was further compounded by claims from the Lapsus$ extortion group, who alleged possession of 4TB of stolen data, including sensitive candidate profiles and technical assets from Mercor. While the authenticity and scope of this data theft have yet to be confirmed, the incident underscores a dire warning regarding the implications of supply chain vulnerabilities. Security researchers are now investigating any potential connections between the groups involved in the attack, revealing a complex landscape of cybersecurity risks that threaten organizations relying on widely-used software dependencies.

What steps should organizations take to protect themselves against supply chain attacks like the one faced by Mercor?

Learn More: Hack Read

u/_cybersecurity_ — 19 hours ago
▲ 8 r/pwnhub

The Axios supply chain attack used individually targeted social engineering - "they scheduled a meeting with me. the meeting was on teams. the meeting said something on my system was out of date. i installed the missing item as i presumed it was something to do with teams, and this was the RAT"

simonwillison.net
u/_clickfix_ — 23 hours ago
T-Mobile Addresses Limited Data Breach Triggered by Insider Access
▲ 3 r/pwnhub

T-Mobile clarifies that a recent data breach was due to an insider incident, impacting very limited customer information.

Key Points:

  • The breach involved unauthorized access to data from a single T-Mobile account.
  • Compromised information included personal details but did not involve financial data.
  • Only one individual was confirmed as impacted, despite the use of '1' as a placeholder in reports.

T-Mobile USA has recently informed the Maine Attorney General’s Office about a data breach that stemmed from an insider accessing a customer's information. The company highlighted that the exposure was limited to personal details including the customer's full name, email address, physical address, account number, associated phone number, T-Mobile account PIN, date of birth, driver's license number, and Social Security number. Importantly, T-Mobile confirmed that personal financial information and call records were not compromised during this incident.

The company emphasized that the situation involved only one T-Mobile account and specified that there was no compromise of credentials. A T-Mobile spokesperson stated that the incident was linked to a vendor employee who improperly accessed the customer's information. In response, the company's measures included resetting the affected account's PIN and notifying relevant authorities and law enforcement about the incident, as per regulatory requirements.

What steps do you think companies should take to prevent insider-related data breaches?

Learn More: Security Week

u/_cybersecurity_ — 22 hours ago
Qilin Ransomware Group Strikes Die Linke, Data Theft Confirmed
▲ 2 r/pwnhub

Die Linke has confirmed that the Qilin ransomware group has stolen sensitive data and is threatening to leak it.

Key Points:

  • Qilin ransomware group reportedly stole data from Die Linke, a prominent German political party.
  • The attackers are demanding ransom while threatening to publish sensitive internal and personal data.
  • Die Linke's membership database remains secure amid the breach.
  • The party believes the attack is linked to hybrid warfare tactics targeting critical infrastructure.
  • Authorities have been notified, and Die Linke is working with IT experts to mitigate the damage.

On March 27, the German political party Die Linke announced it had experienced a cybersecurity incident, confirming a data breach involving the Qilin ransomware group. This group, believed to be comprised of Russian-speaking cybercriminals, has threatened to release sensitive information about the party, including internal communications and personal details of employees. Die Linke stated that the attackers aimed to expose sensitive materials but reassured that their membership database remained uncompromised, which is critical for maintaining trust with their constituents.

The implications of such cyberattacks are severe, as they not only violate the privacy of individuals but also disrupt the operations of political organizations. Die Linke has characterized this incident as more than just a cybercriminal operation; they view it as an act of hybrid warfare, indicative of broader threats against critical infrastructure in democratic societies. Historically, there have been precedents where politically motivated cyber offenses have targeted political parties in Germany, raising concerns about the influence of foreign adversaries in domestic political contexts. Following the breach, Die Linke has notified German authorities and filed a criminal complaint, taking steps to engage independent IT experts for assistance in restoring their systems and enhancing security measures.

What impact do you think ransomware attacks like this have on the public's trust in political institutions?

Learn More: Bleeping Computer

u/_cybersecurity_ — 22 hours ago
Cyberattack Disrupts Massachusetts Emergency Communications System
▲ 1 r/pwnhub

A cyberattack has disrupted the emergency communications system used by several towns in northern Massachusetts, affecting non-emergency phone lines while 9-1-1 remains operational.

Key Points:

  • Several towns in northern Massachusetts impacted by a cyberattack on their emergency communications system.
  • Non-emergency phone lines are out of service, but 9-1-1 remains functional.
  • Investigations are underway to assess the damage and potential data breaches.
  • This incident follows a similar attack on the CodeRED emergency notification service.
  • Local authorities are urging officials to change passwords related to the system to enhance security.

An emergency communications system known as the Patriot Regional Emergency Communications Center, serving towns like Pepperell, Ashby, and Groton in northern Massachusetts, has been compromised by a cyberattack that began on Tuesday. While the critical 9-1-1 dispatching service continues to operate, other non-emergency phone lines have been rendered inoperable, raising concerns about the overall public safety infrastructure during this breach. Officials from the center have engaged IT vendors and cybersecurity agencies in response to the intrusion to assess what information might have been accessed or stolen during the attack.

This incident mirrors previous cyber threats faced by emergency systems, notably the recent attack on the CodeRED notification service which impacted numerous municipalities across the U.S. The overlapping timeline of these incidents underscores an ongoing vulnerability in emergency communication platforms, prompting local officials to urgently reassess their cybersecurity protocols. Federal law enforcement has also been notified, emphasizing the seriousness of the situation as the community relies on effective communication systems for emergencies. As investigations continue, the Pepperell authorities stress the importance of changing passwords for local government officials to prevent further breaches.

What measures do you think local governments should implement to protect their emergency communication systems from cyberattacks?

Learn More: The Record

u/_cybersecurity_ — 19 hours ago
FCC Proposes $4.5 Million Penalty for Voxbeam Over Suspicious Call Traffic
▲ 1 r/pwnhub

The FCC has proposed a substantial fine against Voxbeam Telecommunications for improperly handling foreign call traffic linked to scam robocalls.

Key Points:

  • Voxbeam faces a $4.5 million fine for accepting calls from unlisted foreign provider Axfone.
  • The FCC identified these actions as leading to fraudulent calls impersonating major financial institutions.
  • Voxbeam is required to prevent call traffic from providers not listed in the Robocall Mitigation Database.

The Federal Communications Commission (FCC) has taken significant action against Voxbeam Telecommunications, proposing a hefty $4.5 million fine for allegedly allowing suspicious foreign call traffic from a provider that is not authorized to transmit calls over U.S. networks. Axfone, the Czechia-based provider in question, was reportedly using obsolete Voxbeam accounts that had not transacted any calls for years, enabling the transmission of 'financial impersonation robocalls' to American consumers. The agency’s investigation was triggered by a complaint from a bank whose customers were targeted by these fraudulent calls.

The FCC's ruling highlights the critical role of voice service providers in ensuring the safety of communication networks. Under current regulations, providers like Voxbeam are obligated to block traffic from unlisted entities, particularly those that are identified under the Robocall Mitigation Database, which aims to shield consumers from the growing threat of scam robocalls. With Voxbeam apparently failing to uphold that responsibility, the organization now faces scrutiny that underscores the importance of compliance in telecommunications practices.

How should voice service providers enhance their safeguards against fraudulent calls?

Learn More: The Record

u/_cybersecurity_ — 19 hours ago
Fake ChatGPT Ad Blocker Extension Caught Spying on Users
▲ 1 r/pwnhub

A fraudulent Chrome extension pretended to block ads but instead harvested users' private ChatGPT conversations for malicious purposes.

Key Points:

  • Malicious Chrome extension, ChatGPT Ad Blocker, identified by DomainTools.
  • Extension clones the webpage and intercepts user prompts and AI responses.
  • Data sent to Discord by a bot named Captain Hook.
  • Developer linked to popular AI platforms raises concerns.
  • Users advised to avoid third-party apps to protect privacy.

DomainTools has uncovered a fraudulent Chrome extension named ChatGPT Ad Blocker, available on the Google Chrome Web Store until February 10, 2026. What users believed was a tool to block ads was in fact spying on their interactions with the ChatGPT AI. The extension operates by creating a duplicate of the webpage, stripping it down to text, and sending any text longer than 150 characters directly to a private Discord channel. This insidious method of data gathering captures not only user prompts but also the responses from the AI chatbot, putting users’ private conversations at risk.

The developer of this extension, operating under the pseudonym krittinkalra, is also associated with reputable AI platforms like Writecream and AI4ChatCo. Although there is no evidence that these platforms are malicious, the sudden shift to creating a data-stealing extension raises alarms about the potential risks of using applications from the same developer. Additionally, further investigation has linked the scam to several suspicious websites, reinforcing the need for caution. Users are being encouraged to rely on official avenues for ad-blocking to avoid exposing their private interactions to spyware disguised as tools.

What precautions do you take to ensure your online privacy while using AI platforms?

Learn More: Hack Read

u/_cybersecurity_ — 19 hours ago
North Korean Hackers Exploit GitHub for Espionage Against South Korean Firms
▲ 1 r/pwnhub

A sophisticated hacking campaign has emerged where North Korean attackers use GitHub repositories to covertly spy on South Korean companies.

Key Points:

  • North Korean hackers utilize LNK files and PowerShell scripts to steal data from Windows users.
  • The campaign is characterized by multiple phishing tactics aimed at a broad range of employees.
  • GitHub is being exploited as a trusted platform for data communication, bypassing traditional security measures.
  • Attackers use built-in Windows tools to avoid detection, making the campaign highly evasive.

Researchers from FortiGuard Labs have discovered a high-severity spying campaign that targets South Korean companies through the use of clever social engineering and advanced evasion tactics. The attackers, believed to be linked to North Korean state-sponsored groups such as Kimsuky or APT37, employ LNK shortcut files that masquerade as legitimate office documents. When a user opens one of these files, a decoy PDF distracts them while a hidden script runs in the background, enabling the extraction of sensitive information about the targeted system. This method allows the hackers to remain undetected by traditional security systems or antivirus software by exploiting the native capabilities of Microsoft Windows instead of deploying visible malware.

Furthermore, the campaign ingeniously utilizes GitHub to store and transfer stolen data. By using accounts set up for this purpose, the attackers can leverage the inherent trust in GitHub, allowing their communications to go unnoticed by corporate defenses. They have implemented a Scheduled Task designed to wake the malware periodically, ensuring persistent access to the compromised systems. This blend of conventional tools and cloud services poses a significant challenge for cybersecurity defenders, highlighting the need for organizations to remain vigilant not just against malware but also against more nuanced, remotely-operated threats.

What steps can organizations take to protect themselves from such sophisticated cyber espionage tactics?

Learn More: Hack Read

u/_cybersecurity_ — 19 hours ago