The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.

The attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The FROST SSD Timing Attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The findings highlight growing concerns around browser APIs and performance features that may unintentionally expose sensitive system behavior.

How the FROST Attack Works

The technique relies on the Origin Private File System (OPFS), a browser storage feature designed to improve web application performance.

Researchers found that a malicious website can create a large file inside the browser’s storage sandbox and continuously perform random disk reads. These operations force the SSD to handle real disk activity instead of using cached memory.

When other applications or browser tabs access the same SSD, small delays and latency spikes occur due to resource contention. The malicious page measures these timing differences using high-resolution browser timers.

To improve accuracy, attackers can enable cross-origin isolation settings that unlock more precise timing measurements through APIs such as performance.now().

The collected timing data is then analyzed using machine learning models to identify patterns linked to specific websites or applications.

Researchers Demonstrated Cross-Browser Tracking

During testing, researchers showed that the attack could monitor user activity across multiple browser instances on macOS systems.

In one experiment:

• A malicious Chrome tab monitored SSD timing activity
• A victim opened websites in Safari
• The timing patterns were analyzed using a neural network model
• The system successfully identified visited websites with high accuracy

The researchers reported strong detection results while testing against popular websites.

They also demonstrated a covert communication channel on Linux and macOS systems where SSD contention signals were used to transfer information between applications.

Privacy and Security Concerns

The research shows how modern browser performance features may weaken traditional browser isolation protections.

Unlike traditional malware, the attack does not require installing software on the victim’s device. Instead, a single visit to a malicious webpage may be enough to begin collecting timing information silently in the background.

Researchers warned that the technique could potentially be used for:

• Cross-browser activity tracking
• User behavior monitoring
• Website fingerprinting
• Covert communication channels
• Privacy-invasive surveillance techniques

The findings also raise concerns about how high-resolution timers and advanced browser storage APIs can unintentionally create new side-channel attack surfaces.

While the attack currently requires specific conditions and technical expertise, the research demonstrates how low-level hardware behavior can increasingly be abused for remote tracking and surveillance purposes.

The post New FROST Technique Lets Websites Monitor SSD Activity appeared first on First Hackers News.

Also tracked as UAC-0010 or Shuckworm, Gamaredon continues to exploit CVE-2025-8088, a directory traversal vulnerability in WinRAR that allows malicious files to be written outside the intended extraction directory. Although the flaw has been widely abused since 2025, researchers noted that Gamaredon’s campaigns stand out due to their persistence, rapid infrastructure rotation, and repeated targeting of Ukrainian government entities.

Phishing Campaign Delivers GammaDrop Malware

The attacks begin with carefully crafted spearphishing emails sent either from compromised Ukrainian government accounts or spoofed domains designed to appear legitimate. Many of these emails mimic official court summons, legal notices, or government-related communications to increase the likelihood of user interaction.

The phishing attachments typically contain malicious RAR or ARJ archives disguised as regular documents. Inside the archive, researchers identified:

• A decoy PDF document used to distract the victim
• A hidden VBScript payload stored using NTFS Alternate Data Streams (ADS)

When the archive is extracted, the WinRAR vulnerability is abused to silently place the malicious VBScript into the Windows Startup folder. This ensures persistence on the infected machine without requiring additional user interaction.

The first-stage payload, known as GammaDrop, functions as a downloader responsible for retrieving additional malware from attacker-controlled infrastructure. Researchers observed that the script is heavily obfuscated using randomized variables, junk code, and automated generation techniques commonly associated with Gamaredon operations.

GammaLoad Expands Persistence and Reconnaissance

After execution, GammaDrop downloads a second-stage malware component called GammaLoad from infrastructure hosted through Cloudflare Workers. The payload is delivered as an HTA file and launched using mshta.exe in a hidden window to avoid drawing attention.

GammaLoad acts as both a persistence mechanism and a reconnaissance tool. It creates RunOnce registry entries and continuously communicates with command-and-control servers to receive instructions and additional payloads.

The malware collects system-level information including:

• Computer name
• System drive details
• Volume serial numbers
• Victim identification data

This information is embedded into beaconing traffic, allowing attackers to uniquely track infected systems and selectively deliver follow-up malware.

Researchers also observed that Gamaredon frequently rotates its infrastructure using fast-flux DNS, dynamic DNS services, and short-lived domains to evade detection. Communication traffic is disguised using legitimate browser user-agent strings, while some newer variants imitate automated services such as Bingbot to blend malicious traffic with normal network activity.

The Security Service of Ukraine (SSU), along with regional government and law enforcement organizations, remains one of the primary targets of these campaigns. Researchers believe the operation’s success is also supported by weak email authentication practices across some targeted domains, where missing or poorly configured SPF, DKIM, and DMARC policies allow attackers to spoof trusted senders more effectively.

Although the malware itself is not considered highly advanced, Gamaredon continues to maintain a strong operational presence through continuous adaptation, large-scale phishing activity, and aggressive infrastructure management.

Security teams are advised to patch vulnerable WinRAR installations immediately, strengthen email authentication controls, monitor suspicious archive-based phishing activity, and block known malicious infrastructure associated with the campaign.

The post Gamaredon Phishing Attacks Use GammaDrop Malware appeared first on First Hackers News.

Initially linked to a limited number of attacks targeting organizations in South Korea, Gunra previously relied on ransomware code associated with the leaked Conti source. However, the group has since developed its own custom ransomware payload and infrastructure, signaling a shift toward long-term operational independence.

Transition to a Ransomware-as-a-Service Model

The move to a RaaS model has significantly expanded Gunra’s reach. Instead of operating alone, the group now allows affiliates to deploy its ransomware tools in exchange for a share of ransom payments.

This affiliate-based structure enables the operation to scale more efficiently while maintaining centralized control over key parts of the attack lifecycle. Researchers observed Gunra actively operating within underground cybercrime forums, where the group promotes its services, recruits affiliates, and advertises stolen data obtained from compromised organizations.

Evidence also suggests coordination between operators and affiliates, with multiple threat actors sharing victim-related data within the same ecosystem. Unlike many established ransomware groups, Gunra permits affiliates to customize branding, increasing the likelihood of attacks appearing under different ransomware names while still relying on the same backend infrastructure.

Technical Capabilities and Operational Risks

Gunra’s ransomware platform supports both Windows and Linux environments, allowing attackers to target a broader range of enterprise infrastructure. The operation includes a feature-rich affiliate management panel designed to streamline ransomware deployment and victim negotiations.

The platform reportedly provides:

• Payload deployment and lock management
• File handling and communication tools
• Negotiation support for ransom operations
• Custom branding options for affiliates

Researchers also identified modifications within the Linux variant, including changes to execution behavior, encryption processes, and logging functions. Some cryptographic weaknesses were observed during analysis, which may assist future defensive research efforts.

One of the more concerning aspects of Gunra’s operation is its lack of strict targeting restrictions. Unlike certain ransomware groups that avoid critical sectors such as healthcare, Gunra appears willing to target organizations across multiple industries without significant limitations.

As the group continues expanding its RaaS ecosystem, security teams are advised to strengthen endpoint monitoring, maintain reliable offline backups, enforce strict access controls, and prioritize timely patch management to reduce the risk of ransomware intrusion and lateral movement within enterprise networks.

The post Gunra Ransomware Expands Through RaaS Operations appeared first on First Hackers News.

Source code environments are considered high-value targets because they reveal the inner workings of security products. Even limited access can give attackers insights into detection logic, configurations, or potential weaknesses that could be studied for future exploitation or used in supply chain-style attacks.

Investigation Findings and Potential Risks

Trellix has stated that the breach appears contained and, at this stage, there is no evidence of direct impact on customers or product integrity.

Key findings so far include:

• No compromise of the build, release, or update pipeline
• No signs of malicious code being inserted into products
• No evidence of active exploitation using the accessed data

However, the nature of source code exposure still raises concerns. Attackers could analyze the code offline to identify vulnerabilities, reverse-engineer protections, or develop evasion techniques against Trellix security tools.

The company is continuing a detailed forensic review to understand how the access occurred, what data was viewed or copied, and whether any long-term risks remain. Strengthening internal controls, access monitoring, and repository protections is likely part of the ongoing response.

This incident reflects a broader trend where attackers target software vendors instead of end users, aiming to gain leverage through trusted platforms. Similar breaches involving Microsoft, Okta, and LastPass show how valuable internal systems have become as entry points.

Trellix has committed to transparency and plans to release more technical details once the investigation is complete, helping the wider security community understand and defend against similar threats.

The post Trellix Confirms Source Code Repository Breach appeared first on First Hackers News.

The operation focused on the W3LL phishing kit, a tool widely used by cybercriminals to steal credentials and bypass multi-factor authentication. Attackers used this kit to carry out large-scale fraud attempts, with losses estimated to exceed $20 million.

How the W3LL Phishing Kit Worked

The W3LL toolkit was designed to make cybercrime easier, even for low-skilled attackers. It was sold as a service, allowing buyers to quickly launch phishing campaigns using ready-made fake login pages that closely mimicked legitimate websites.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What made this tool especially dangerous was its ability to go beyond simple credential theft. Instead of just capturing usernames and passwords, it also collected session data and authentication tokens. This allowed attackers to bypass MFA protections and gain ongoing access to accounts without raising immediate alerts.

The ecosystem also included an underground marketplace called W3LLSTORE. This platform enabled criminals to buy and sell stolen credentials, corporate access, and remote connections, creating a full cybercrime supply chain.

• Over 25,000 compromised accounts were sold between 2019 and 2023
• More than 17,000 victims were targeted globally in recent campaigns
• Fraud attempts exceeded $20 million
• Stolen access was often resold multiple times for profit

Law Enforcement Action and Impact

Even after the original marketplace shut down, the operation continued through private channels. Investigators tracked its evolution and identified the key individuals behind it.

With support from U.S. authorities, the FBI seized critical infrastructure used to run the phishing service. At the same time, Indonesian police arrested the suspected developer and took control of domains linked to the operation.

Officials described the platform as more than just a phishing kit—it functioned as a complete cybercrime service. By shutting it down, authorities have disrupted a major tool that attackers relied on to breach organizations.

This takedown highlights how modern phishing has evolved into organized, scalable operations—and why international cooperation is essential to combat today’s cyber threats.

The post W3LL Phishing Kit Takedown Disrupts MFA Bypass Campaign appeared first on First Hackers News.

On April 13, 2026, the vulnerability identified as CVE-2026-21643 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This inclusion is not routine—it signals confirmed attacker activity and indicates that exploitation is no longer theoretical. Threat actors are already leveraging this weakness to target organizations, making immediate remediation critical.

Understanding the Vulnerability

The flaw exists in FortiClient Enterprise Management Server (EMS), a centralized platform used by organizations to manage endpoint security, enforce policies, and monitor device compliance. Because EMS sits at the core of endpoint control, any compromise can have far-reaching consequences across the entire network.

Technically, this issue is classified as a SQL injection vulnerability (CWE-89). It arises when user-supplied input is not properly validated before being processed by the backend database. Attackers can exploit this weakness by sending specially crafted HTTP requests that manipulate database queries and execute unintended commands.

What elevates the severity of this vulnerability is its unauthenticated nature. An attacker does not need valid credentials or prior access to the environment. If the EMS instance is exposed to the internet, it becomes a direct target. By simply interacting with the vulnerable interface, an attacker can execute arbitrary commands on the system.

Real-World Risk and Exploitation Impact

The ability to execute code remotely without authentication places this vulnerability in the highest risk category. Once exploited, attackers can gain control over the EMS server, which often acts as a central authority for endpoint devices within an organization.

This level of access can enable attackers to move laterally across the network, deploy malicious payloads, manipulate endpoint configurations, or establish persistent backdoors. In many environments, EMS servers are trusted systems, which makes them an ideal pivot point for deeper compromise.

Although there is no confirmed evidence yet linking this vulnerability to ransomware campaigns, the attack pattern aligns closely with how ransomware operators typically gain initial access. Vulnerabilities that allow remote execution without authentication are frequently weaponized early in attack chains.

Why Immediate Action Is Critical

CISA’s KEV listing is a clear indicator that organizations cannot afford delays. The window between public disclosure and widespread exploitation is often extremely short, and in this case, that window has already closed.

Organizations should treat this as an active incident risk rather than a routine patching task. Security teams are strongly advised to prioritize this vulnerability above regular update cycles and respond with urgency.

• Apply the latest Fortinet security patches immediately
• Review system and application logs for unusual or malformed HTTP requests
• Monitor for signs of unauthorized access or unexpected command execution
• Follow all mitigation guidance provided by Fortinet
• Disable or isolate affected systems if patching cannot be completed right away

Under Binding Operational Directive 22-01, U.S. federal agencies are required to remediate this vulnerability by April 16, 2026. This aggressive timeline reflects the severity of the threat and should serve as a benchmark for private organizations as well.

Final Thoughts

This vulnerability highlights a recurring issue in modern enterprise security—critical systems exposed to the internet without sufficient protection layers. When combined with an unauthenticated exploit, even a single overlooked patch can lead to full-scale compromise.

Organizations that rely on Fortinet EMS must act immediately, not only to patch the vulnerability but also to validate that their systems have not already been targeted. Proactive monitoring, rapid patching, and strict access controls remain essential in defending against threats of this nature.

In the current threat landscape, speed is not just an advantage—it is a necessity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post CISA Alerts on Active Fortinet SQL Injection Exploit appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

How the Malicious Package Operates

The fake package was uploaded under a seemingly legitimate name and presented as a utility for checking AI tokens. However, several warning signs were overlooked. The documentation was copied from an unrelated project, indicating a lack of authenticity, and the package structure was crafted to appear credible at first glance.

Once installed, the package connects to a remote server hosted on Vercel to fetch additional hidden code. Instead of storing malicious files on disk, it executes payloads directly in memory, making detection significantly harder.

Key behaviors observed:

• Contacts a remote endpoint to download and execute hidden scripts
• Uses obfuscation to hide command-and-control (C2) details
• Executes payloads in memory to bypass traditional security tools
• Disguises itself with legitimate-looking files and dependencies

Even after the main package was removed, related packages from the same source remain active and continue to be downloaded.

Multi-Stage Malware Capabilities

Further analysis revealed that the payload is not a simple script but a modular backdoor with multiple capabilities running in parallel. Each module performs a specific malicious function, allowing attackers to maintain control and extract valuable data.

Core functionalities include:

• Remote access module enabling attackers to control the infected system
• Credential theft targeting browsers and cryptocurrency wallets
• File exfiltration scanning for sensitive documents and configuration files
• Clipboard monitoring to capture copied data such as keys or passwords

The malware uses advanced obfuscation techniques, making it difficult to analyze. Its structure and behavior closely resemble known backdoors, particularly those linked to sophisticated threat campaigns.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Focus on AI Development Environments

The malicious code actively searches for folders linked to widely used AI tools such as Cursor, Claude, Gemini CLI, Windsurf, PearAI, and Eigent. These directories often store API keys, authentication tokens, and even conversation histories.

By extracting this data, attackers can misuse paid AI services, access proprietary code, and potentially pivot deeper into enterprise systems using additional credentials like SSH keys or cloud access tokens.

Key risks include:

• Theft of API keys and AI service tokens
• Exposure of sensitive prompts and development data
• Unauthorized use of paid AI platforms
• Increased risk of broader infrastructure compromise

Detection and Defensive Measures

From a defensive standpoint, visibility into unusual outbound traffic is critical. Monitoring connections to external infrastructure, especially uncommon endpoints, can help identify suspicious package behavior early.

Security teams can also leverage threat hunting techniques to detect patterns associated with multi-process Node.js malware and unusual communication channels such as Socket.IO-based command-and-control traffic.

Recommended actions:

• Monitor and restrict unnecessary outbound network connections
• Watch for abnormal Node.js process activity
• Identify unusual file access in developer environments
• Use threat hunting queries to detect similar attack patterns

Securing Developer Workflows

This campaign reflects a broader trend of supply chain attacks targeting developer ecosystems, particularly those involving AI tools. As these tools become deeply integrated into workflows, they also become high-value targets.

Developers should treat AI-related directories with the same level of sensitivity as critical folders like .ssh or cloud configuration paths. Before installing any package, it is essential to verify its authenticity, review its dependencies, and examine any unusual installation behavior.

Early reporting of suspicious packages and increased awareness within the developer community can significantly reduce the impact of such threats.

IOCs

The post Malicious npm Package Impersonates Gemini to Steal AI Tokens appeared first on First Hackers News.