The issue was initially noticed by a Motorola Razr 60 Ultra user who observed unusual behavior when opening the Amazon app. Instead of launching normally, the device briefly opened a web browser before redirecting back to Amazon with a tracking identifier attached.

Further investigation revealed that a preinstalled background application named Smart Feed was responsible for the redirects.

Hidden App Injects Affiliate Tracking Codes

Researchers found that the hidden app communicates with an external server identified as devicenative[.]com. The server appears to provide affiliate-related settings and redirect instructions used by the application.

When users tap shopping apps from the launcher, the hidden service intercepts the request and inserts affiliate tracking data before sending users to the final destination.

The observed behavior includes:

• Intercepting Amazon app launches
• Opening browser-based redirect links
• Injecting affiliate tracking parameters
• Connecting to remote servers for configuration updates
• Running silently in the background

Because Android automatically handles supported links inside apps, most users are unlikely to notice the redirection process.

Researchers Warn About Potential Risks

Security experts noted that the technique shares similarities with behaviors commonly seen in adware and mobile malware.

The concerns go beyond affiliate monetization because the same infrastructure could theoretically be modified to redirect users toward malicious websites, phishing pages, or credential theft portals.

Researchers also highlighted several worrying characteristics:

• Hidden system-level persistence
• External server-controlled behavior
• Intent interception techniques
• Limited user visibility or control
• Difficulty removing the application

Since the application relies on remote configuration from external servers, its behavior could potentially change without any operating system update.

The issue has currently been confirmed on the Motorola Razr 60 Ultra, although it is still unclear whether other Motorola devices are affected.

While reports suggest a third-party monetization partner may be involved, researchers argue that smartphone manufacturers remain responsible for software bundled with their devices.

Motorola has not publicly commented on the findings at the time of reporting.

The post Hidden Motorola App Redirects Amazon Traffic appeared first on First Hackers News.

The issues affect the Angular.ng-template extension and stem from unsafe handling of user-controlled input and insecure loading of configuration files. Researchers warned that simply opening a malicious project in VS Code could be enough to trigger an attack.

The vulnerabilities mainly target developers working with Angular projects and could lead to full system compromise if exploited successfully.

Malicious JSDoc Comments Can Trigger Command Execution

One of the vulnerabilities involves the way the extension processes JSDoc comments inside TypeScript and JavaScript files.

Researchers found that the extension enables trusted Markdown rendering, allowing embedded command links to run inside hover previews. Because the Angular language server does not properly sanitize JSDoc content, attackers can insert malicious command URIs into project files.

In a possible attack scenario:

• An attacker adds a malicious JSDoc comment to a project
• The developer opens the file in VS Code
• Hovering over the affected symbol displays the malicious link
• Clicking the link executes commands on the host system

This creates a practical path for remote code execution through normal development workflows.

Workspace Configuration Flaw Allows Silent Code Execution

A second vulnerability affects how the extension handles the TypeScript SDK (tsdk) configuration.

The extension reads settings directly from the project’s .vscode/settings.json file and loads the specified tsserverlibrary.js file without properly checking workspace trust or requesting user approval.

Attackers can abuse this behavior by:

• Placing a malicious tsserverlibrary.js file inside the repository
• Modifying workspace settings to reference the file
• Triggering automatic execution when the project is opened

Unlike the JSDoc attack, this method requires no user interaction and can run silently during extension initialization.

Researchers noted that this behavior effectively bypasses VS Code’s Workspace Trust protections, which are intended to prevent untrusted projects from executing code automatically.

High Risk for Developers

Successful exploitation could allow attackers to:

• Execute arbitrary system commands
• Access sensitive development data
• Install persistent malware
• Compromise developer environments

A developer cloning and opening a malicious repository could unknowingly trigger the attack immediately after loading the project in VS Code.

The vulnerabilities were disclosed under GitHub advisory GHSA-ccq4-xmxr-8hcq and impact all extension versions before 21.2.4.

The issues have now been fixed in the latest release, and developers are strongly advised to upgrade immediately.

Security Recommendations

To reduce risk, developers should:

• Update Angular Language Service to version 21.2.4 or later
• Avoid opening untrusted repositories
• Carefully review .vscode/settings.json files
• Use VS Code Workspace Trust features
• Monitor suspicious extension behavior
• Follow secure coding and repository validation practices

The findings highlight growing security risks targeting software development environments and trusted developer tools.

The post Angular Language Service Vulnerabilities Enable RCE Attacks appeared first on First Hackers News.

EU regulators accuse Google of favoring its own services in search results, including Google Shopping, Google Maps, and Google Flights. Officials believe this practice reduces visibility for competing platforms and limits user choice.

The investigation began in March 2025 and could lead to one of the largest penalties issued under the DMA so far.

Google Faces Scrutiny Over Search Practices

The Digital Markets Act was introduced to prevent dominant technology platforms from abusing their market power. Under the regulation, companies classified as “gatekeepers” must maintain fair competition and avoid giving unfair advantages to their own services.

According to reports, regulators are concerned that Google’s search engine may be prioritizing internal products over rival platforms.

The DMA requires major platforms to:

• Maintain fair search rankings
• Avoid self-preferencing practices
• Improve platform transparency
• Support interoperability
• Prevent unfair use of competitor data

Violations under the DMA can result in fines reaching up to 10% of a company’s global annual revenue.

Possible Record DMA Penalty

Reports suggest the upcoming penalty could reach several hundred million euros, making it the biggest DMA-related fine issued to date. The final decision is expected before the EU summer recess.

This is not the first time Google has faced regulatory action in Europe. The company has previously received multi-billion-euro fines related to Google Shopping, Android dominance, and online advertising practices.

Recent investigations also focused on adtech self-preferencing and concerns around digital market competition.

Beyond competition issues, the case highlights broader concerns about algorithm transparency and platform control. Regulators increasingly view fair ranking systems as important for maintaining trust, information visibility, and a balanced digital ecosystem.

The enforcement action may also create political tension between the EU and the United States, especially as debates around Big Tech regulation continue globally.

If confirmed, the case will become a major milestone in enforcing the Digital Markets Act and signal stronger EU action against powerful technology companies.

The post EU Moves Closer to Major Fine Against Google appeared first on First Hackers News.

Researchers from Mysk reported that WhatsApp uses a shared container linked to Meta applications, identified as group.com.facebook.family. On Apple devices, app group containers allow applications from the same developer to share data and resources.

Because Facebook, Instagram, and WhatsApp belong to the same ecosystem, the shared architecture could introduce privacy and security concerns if exploited alongside operating system vulnerabilities.

Shared Containers Raise Privacy Concerns

The researchers found that WhatsApp chat databases stored inside these containers are not encrypted at rest. This means the data may remain readable if attackers gain access to the device or exploit weaknesses in the operating system.

According to the report, the following risks were identified:

• Chat histories may be stored in plaintext
• Other Meta-owned apps could theoretically access shared data
• Users receive no alerts when such access occurs
• The issue affects both macOS and iOS environments

Researchers also demonstrated that WhatsApp chat histories could be extracted from iPhone backups, where the same unencrypted storage structure was observed.

The findings highlight an important distinction in security design. While WhatsApp uses end-to-end encryption to protect messages during transmission, that protection does not automatically secure data stored locally on the device.

macOS Vulnerability Increases Exposure Risk

The risk becomes more serious when combined with a recently disclosed macOS vulnerability tracked as CVE-2026-28910. The flaw affected Apple’s Archive Utility tool and reportedly allowed attackers to bypass App Sandbox protections.

By abusing this vulnerability, attackers could potentially:

• Access protected application containers
• Extract sensitive information from apps
• Bypass Apple’s Transparency, Consent, and Control protections
• Access chat histories from applications like WhatsApp

Researchers presented a proof-of-concept demonstration showing how the vulnerability could be combined with WhatsApp’s storage behavior to retrieve chat data.

Security Debate Around the Findings

Not all experts agree on the severity of the issue. WABetaInfo stated that although the databases may not be encrypted locally, Apple’s sandboxing system still provides strong isolation between applications.

From this perspective, attackers would still require elevated system privileges or a separate operating system exploit to access the stored data.

However, researchers at Mysk argue that shared app group permissions between Meta applications reduce isolation boundaries and increase the potential attack surface.

The discussion highlights broader concerns about local data protection in modern mobile ecosystems, especially when multiple applications share common storage environments.

Recommendations for Users

Security experts recommend several steps to reduce potential exposure risks:

• Enable encrypted Finder or iTunes backups
• Keep macOS and iOS updated with the latest security patches
• Use strong device passcodes and device encryption
• Limit unnecessary applications from the same developer ecosystem
• Regularly review application permissions and backup settings

At the time of reporting, there were no confirmed cases of widespread exploitation linked to the findings. However, the research highlights the importance of protecting sensitive data not only during transmission but also while stored on devices.

The post WhatsApp Chat Data Found Stored Without Encryption appeared first on First Hackers News.

Security researchers warn that the vulnerabilities could allow attackers to escalate privileges, disrupt systems, and strengthen post-exploitation attacks inside compromised environments.

Privilege Escalation Flaw in Microsoft Defender

The most critical vulnerability, CVE-2026-41091, is an elevation of privilege flaw with a CVSS score of 7.8. The issue is caused by improper link resolution before file access, a weakness categorized under CWE-59.

According to Microsoft, attackers with limited access to a system can exploit the flaw locally to gain higher privileges without requiring user interaction. Because the vulnerability has low attack complexity, it becomes especially dangerous once threat actors gain initial access through phishing, malware infections, or another compromised application.

Successful exploitation could allow attackers to:

• Gain elevated system privileges
• Access sensitive information
• Modify security settings or disable protections

Microsoft confirmed that exploitation activity has already been detected in the wild, making rapid patching critical for affected environments.

Denial-of-Service Vulnerability and Security Risks

The second flaw, CVE-2026-45498, is a denial-of-service vulnerability with a lower CVSS score of 4.0. Despite its lower severity rating, Microsoft also confirmed active exploitation attempts targeting this issue.

The vulnerability can cause systems running Microsoft Defender to become unstable or unresponsive. Although it does not directly impact confidentiality or integrity, disrupting endpoint security services can weaken defensive visibility and create opportunities for additional attacks.

Researchers noted that both vulnerabilities share several high-risk characteristics:

• No user interaction required
• Low attack complexity
• Active exploitation already observed

Security experts believe the privilege escalation flaw could be used as part of larger attack chains in ransomware operations or advanced persistent threat (APT) campaigns. Attackers commonly use these techniques after gaining initial access to move deeper into enterprise environments and maintain persistence.

Microsoft has released security updates addressing both vulnerabilities, and organizations are strongly advised to deploy patches immediately. Security teams should also monitor endpoint logs, investigate suspicious privilege escalation activity, and strengthen endpoint detection and response capabilities.

The disclosure highlights an ongoing cybersecurity challenge where even widely trusted security products can themselves become targets for advanced attackers.

The post Microsoft Defender Zero-Day Discovered appeared first on First Hackers News.

Apache OFBiz is a widely used open-source ERP platform used to manage enterprise business operations and workflows. Researchers from Aretiq AI discovered that attackers could abuse the platform’s password-change mechanism to gain unauthorized access and execute malicious code on vulnerable servers.

Authentication Bypass Through Password Reset Logic

The issue originates from the way Apache OFBiz handles forced password-change workflows. Normally, accounts marked with requirePasswordChange=Y should remain restricted until the password reset process is completed.

However, researchers found that the LoginWorker.checkLogin() method incorrectly treats the requirePasswordChange response as a successful login instead of an authentication failure.

The vulnerability becomes more dangerous because the requirePasswordChange value is read directly from user-controlled HTTP request parameters rather than securely validated against database records.

By abusing this behavior, attackers can:

• Inject password-change parameters into a crafted HTTP request
• Create an authenticated session without completing a proper login process

Researchers also warned that many OFBiz deployments still contain default demo accounts such as admin, flexadmin, and demoadmin, often configured with default credentials like ofbiz.

Remote Code Execution and Security Fixes

The authentication bypass can be chained with another vulnerability affecting ProgramExport.groovy. In vulnerable versions, the component allows execution of user-supplied Groovy code without proper sandboxing or permission checks.

This allows attackers to execute arbitrary system commands directly on the server. Researchers successfully demonstrated remote code execution on OFBiz 24.09.05 using a single crafted POST request targeting /webtools/control/ProgramExport.

Successful exploitation could allow attackers to:

• Execute malicious commands on the server
• Deploy malware or backdoors

Apache fixed the issue in version 24.09.06 by removing unsafe password-change handling, adding stricter permission checks, and introducing a secure Groovy sandbox to block dangerous command execution patterns.

Organizations are strongly advised to upgrade immediately, remove default demo accounts, change weak credentials, and restrict access to sensitive OFBiz administrative endpoints.

The post Apache OFBiz Vulnerability Enables Authentication Bypass appeared first on First Hackers News.

Researchers found that VoidStealer can extract encryption keys directly from browser memory, allowing attackers to steal active sessions and access accounts even on fully updated systems.

How VoidStealer Bypasses Chrome Protections

Google introduced App-Bound Encryption in Chrome 127 to strengthen protection around sensitive browser data such as cookies, passwords, and session tokens. The feature was designed to prevent malware running with normal user privileges from accessing Chrome’s encryption keys.

Unlike older protection methods based on DPAPI, ABE binds encryption keys directly to the Chrome application. A dedicated system process validates that only Chrome can request access to those keys.

However, VoidStealer avoids interacting with Chrome through official APIs. Instead, it targets the moment when Chrome decrypts sensitive data in memory.

Researchers observed that the malware:

• Attaches itself to the Chrome process as a debugger
• Monitors the browser’s decryption workflow
• Pauses execution when encryption keys are loaded into memory
• Extracts the decrypted keys directly from RAM

Because the attack focuses on runtime behavior rather than stored files, it bypasses many of the protections implemented by App-Bound Encryption.

Impact on Chromium Browsers and Security Risks

Once attackers obtain the decrypted session data, they can hijack active sessions without needing usernames or passwords. This allows threat actors to access accounts as if they were the legitimate user.

The malware affects multiple Chromium-based browsers, including:

• Google Chrome
• Microsoft Edge
• Brave
• Opera
• Vivaldi

Researchers also noted that VoidStealer is being distributed through a malware-as-a-service model, allowing cybercriminals to rent the malware and scale attacks more easily.

The discovery highlights an ongoing challenge in browser security. Even with stronger encryption mechanisms, attackers continue to focus on runtime memory access, where sensitive data must temporarily exist in decrypted form during legitimate browser operations.

To reduce exposure, security experts recommend avoiding untrusted software downloads, keeping browsers fully updated, using strong endpoint protection, and storing credentials in dedicated password managers instead of directly in browsers.

The post VoidStealer Steals Chrome Browser Data appeared first on First Hackers News.

Security researchers observed exploitation attempts within days of the vulnerability becoming public, highlighting how quickly attackers move to abuse flaws in widely used infrastructure software.

How the NGINX Vulnerability Works

The issue is caused by a heap buffer overflow in the NGINX worker process. Attackers can trigger the flaw by sending specially crafted HTTP requests to vulnerable servers.

Because the vulnerability does not require authentication, exposed systems are at higher risk. In many cases, attackers can crash the NGINX worker process, leading to service disruption. Under specific conditions, the flaw could also be leveraged for remote code execution.

Researchers noted that full remote code execution is more likely on systems where protections such as Address Space Layout Randomization (ASLR) are disabled.

The vulnerability mainly affects servers using specific rewrite configurations, meaning not every NGINX deployment is directly exploitable. However, identifying vulnerable systems at internet scale remains difficult.

Large Exposure and Security Recommendations

Security researchers estimate that millions of internet-facing NGINX servers could potentially be affected. Even if only a fraction of those systems meet the exact exploitation conditions, the overall attack surface remains significant.

Attackers are already scanning for vulnerable or misconfigured servers, increasing the urgency for organizations to respond quickly.

To reduce risk, security teams should:

• Apply the latest NGINX patches and updates
• Review rewrite configurations carefully
• Enable protections such as ASLR
• Monitor for suspicious or unusual HTTP requests

The incident highlights how vulnerabilities in widely deployed technologies can quickly become major security threats, even when exploitation depends on specific configurations.

With active exploitation already underway, rapid patching and continuous monitoring are critical to preventing compromise.

The post NGINX Vulnerability Enables Remote Code Execution appeared first on First Hackers News.

Initially linked to a limited number of attacks targeting organizations in South Korea, Gunra previously relied on ransomware code associated with the leaked Conti source. However, the group has since developed its own custom ransomware payload and infrastructure, signaling a shift toward long-term operational independence.

Transition to a Ransomware-as-a-Service Model

The move to a RaaS model has significantly expanded Gunra’s reach. Instead of operating alone, the group now allows affiliates to deploy its ransomware tools in exchange for a share of ransom payments.

This affiliate-based structure enables the operation to scale more efficiently while maintaining centralized control over key parts of the attack lifecycle. Researchers observed Gunra actively operating within underground cybercrime forums, where the group promotes its services, recruits affiliates, and advertises stolen data obtained from compromised organizations.

Evidence also suggests coordination between operators and affiliates, with multiple threat actors sharing victim-related data within the same ecosystem. Unlike many established ransomware groups, Gunra permits affiliates to customize branding, increasing the likelihood of attacks appearing under different ransomware names while still relying on the same backend infrastructure.

Technical Capabilities and Operational Risks

Gunra’s ransomware platform supports both Windows and Linux environments, allowing attackers to target a broader range of enterprise infrastructure. The operation includes a feature-rich affiliate management panel designed to streamline ransomware deployment and victim negotiations.

The platform reportedly provides:

• Payload deployment and lock management
• File handling and communication tools
• Negotiation support for ransom operations
• Custom branding options for affiliates

Researchers also identified modifications within the Linux variant, including changes to execution behavior, encryption processes, and logging functions. Some cryptographic weaknesses were observed during analysis, which may assist future defensive research efforts.

One of the more concerning aspects of Gunra’s operation is its lack of strict targeting restrictions. Unlike certain ransomware groups that avoid critical sectors such as healthcare, Gunra appears willing to target organizations across multiple industries without significant limitations.

As the group continues expanding its RaaS ecosystem, security teams are advised to strengthen endpoint monitoring, maintain reliable offline backups, enforce strict access controls, and prioritize timely patch management to reduce the risk of ransomware intrusion and lateral movement within enterprise networks.

The post Gunra Ransomware Expands Through RaaS Operations appeared first on First Hackers News.

Security researchers from Wordfence identified the flaw and warned that attackers could gain administrator-level access without needing valid login credentials.

Authentication Bypass Creates Major Risk

The vulnerability, tracked as CVE-2026-8181, affects Burst Statistics versions 3.4.0 through 3.4.1.1. It carries a critical CVSS score of 9.8 due to the ease of exploitation and the level of access it provides.

The issue is linked to improper authentication handling within the plugin’s MainWP integration. In certain cases, the plugin incorrectly accepts invalid authentication responses as successful, allowing attackers to bypass security checks.

By sending specially crafted requests to WordPress REST API endpoints, attackers can impersonate an administrator if they know a valid admin username. No password cracking or credential theft is required.

This significantly lowers the barrier for exploitation and increases the risk of automated internet-wide attacks targeting vulnerable websites.

Potential Website Takeover and Security Response

Once exploited, attackers could create new administrator accounts and gain persistent access to the website. From there, they may modify content, inject malicious code, redirect visitors, or deploy additional malware.

Because the attack only requires knowledge of an administrator username, exposed websites could become easy targets for mass scanning campaigns.

Researchers acted quickly after discovering the issue, and firewall protections were rapidly deployed for users of Wordfence security products. The plugin developer also responded quickly by releasing version 3.4.2, which properly validates authenticated WordPress user sessions before granting access.

Website owners using the Burst Statistics plugin are strongly advised to update immediately to the latest patched version to prevent unauthorized access and possible site compromise.

The post WordPress Plugin Bug Exposes Websites appeared first on First Hackers News.