Since the print scheduler operates with elevated privileges, it becomes an attractive target for exploitation, especially in environments where print services are exposed over a network.

Remote Code Execution Risk

One of the identified issues enables attackers to execute code remotely on systems that expose shared print queues without authentication. The flaw originates from improper handling of print job inputs, where specially crafted data can bypass validation checks.

By injecting malicious input into print job parameters, an attacker can manipulate how the system processes configurations. This can result in the execution of unauthorized programs through the print service, effectively giving attackers control over the affected machine under the print service context.

This risk is particularly concerning for systems that allow anonymous access to shared printers, as it removes a key barrier to exploitation.

Privilege Escalation to Root

A second vulnerability allows local users with minimal privileges to escalate their access to full system control. This attack leverages weaknesses in how temporary printers are created and validated within the system.

An attacker can trick the system into granting elevated privileges during the printer setup process, then exploit a timing gap to redirect operations toward sensitive system files. By doing so, they can overwrite critical files and gain root-level access.

This type of attack is especially dangerous because it works even in default configurations, meaning no special setup is required beyond initial access to the system.

Security Recommendations

While fixes are in progress, organizations should take immediate precautions. Disabling external access to print services can significantly reduce exposure. Where shared printing is necessary, enforcing authentication is essential.

Additionally, running the print service within security frameworks such as AppArmor or SELinux can help contain potential damage by limiting what the service is allowed to access or modify.

The post CUPS Vulnerabilities: Remote Code Execution and Root Access Risk appeared first on First Hackers News.

Overview of the Findings

The investigation indicates that this activity is directly tied to identifiable user profiles. Given that LinkedIn accounts are built on real-world identities, including professional roles and organizational affiliations, the collected data is inherently non-anonymous and can be mapped to individuals and enterprises.

The report further suggests that the platform can detect a wide range of browser extensions, some of which may indirectly reveal sensitive attributes such as personal interests, behavioral patterns, or professional intent. In particular, the tracking of job-search-related tools introduces a risk of exposing users who are actively exploring new employment opportunities.

Key observations include:

• Alleged system-level scanning without explicit consent mechanisms
• Absence of clear disclosure within publicly available privacy documentation
• Ability to infer sensitive personal and professional information through extension detection
• Monitoring of a large number of job-related tools used by professionals

Such practices, if confirmed, could raise compliance concerns under the General Data Protection Regulation, which imposes strict requirements on the collection and processing of sensitive personal data.

Competitive Intelligence and Market Implications

Beyond individual privacy risks, the report outlines potential implications in the context of competitive intelligence. It alleges that LinkedIn can detect the use of third-party sales and prospecting tools, including platforms such as Apollo, Lusha, and ZoomInfo.

By correlating tool usage with user identities, the platform could theoretically derive insights into competitor adoption, customer segmentation, and enterprise tool preferences. The report also claims that such intelligence has been leveraged in enforcement actions targeting users of external tools.

Notable findings include:

• Detection and monitoring of a broad range of competing commercial tools
• Significant expansion in the number of tracked third-party applications over time
• Use of internal infrastructure, including the “Voyager” API, with limited visibility in regulatory disclosures
• Allegations of targeted actions against users leveraging non-native tools

These concerns intersect with obligations under the Digital Markets Act, under which LinkedIn has been designated as a gatekeeper. While limited APIs were introduced as part of compliance efforts, the report suggests these interfaces are not representative of the platform’s full operational scope.

Use of Tracking Technologies

The investigation also highlights the integration of external tracking mechanisms within LinkedIn’s web environment. It alleges that invisible elements sourced from HUMAN Security are used to deploy cookies without user visibility. Additionally, encrypted scripts associated with Google, along with proprietary fingerprinting techniques, are reported to execute during routine page interactions.

These components are said to operate passively in the background, contributing to continuous data collection without direct user awareness.

Closing Perspective

If substantiated, the findings outlined in the BrowserGate report point to a potentially sophisticated and opaque data collection framework operating within a widely trusted professional platform. The implications extend beyond individual privacy, touching on regulatory compliance, competitive fairness, and transparency in large-scale digital ecosystems.

The post LinkedIn Data Scanning: Hidden Tracking of User Devices Exposed appeared first on First Hackers News.

The extension takes advantage of user curiosity around ads in AI platforms, using a familiar name to appear trustworthy. Once installed, it monitors activity without interrupting the user experience, making it difficult to notice anything unusual.

It captures prompts, responses, and related metadata while continuing to behave like a normal extension on the surface.

Behind the Operation

After installation, the extension runs silently in the background and maintains persistence through scheduled activity. It regularly connects to a remote configuration hosted on GitHub, allowing attackers to change how it behaves without requiring any update from the user side.

When a user visits ChatGPT, the extension injects hidden scripts into the webpage. Instead of performing any ad-blocking function, it extracts the content of the page by removing styling and media elements while preserving the actual text of conversations.

This data is then compiled into a file and transmitted externally through a Discord webhook controlled by the attacker. The process is automated, meaning stolen conversations are continuously delivered without user awareness.

Investigators also observed suspicious activity linked to the developer account behind the extension. After years of inactivity, the account suddenly became active again, shifting focus toward JavaScript-based behavior. The same developer is connected to other AI-related services, raising broader concerns around data exposure.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What This Means for Users

• Conversations on ChatGPT can be silently captured
• Prompts, responses, and session data are exposed
• Data is sent to external servers without visibility
• Remote control allows attackers to modify behavior anytime
• Associated services may carry similar risks

This incident shows how easily malicious tools can blend into everyday usage. Even simple extensions can operate quietly in the background while collecting valuable data.

Being cautious with browser extensions, especially those linked to popular platforms, is essential. Trust should not be based on names or claims alone, but on verified sources and transparency.

The post Malicious “ChatGPT Ad Blocker” Extension Steals User Data appeared first on First Hackers News.

Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

Tracked as CVE-2025-53521, the flaw impacts the Access Policy Manager (APM) component and could allow remote code execution. While detailed technical information has not yet been fully disclosed, the nature of the vulnerability makes it particularly dangerous. BIG-IP devices often sit at the edge of networks, handling authentication, traffic management, and secure application delivery — making them a prime target for attackers seeking initial access.

CISA’s decision to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog is a clear indicator that organizations cannot afford to delay response. This is not a theoretical risk — threat actors are already leveraging it. Historically, similar vulnerabilities in BIG-IP systems have been quickly adopted by both financially motivated attackers and advanced threat groups because compromising these devices can provide deep visibility and control over network traffic.

Why This Vulnerability Matters

What makes this issue more concerning is the potential ease of exploitation. Even without full public disclosure, vulnerabilities that enable remote code execution are often rapidly weaponized. Once exploited, attackers can move laterally across the network, escalate privileges, and potentially access sensitive data.

Edge infrastructure like BIG-IP plays a critical role in enterprise environments. When such systems are compromised, they can act as a gateway for broader attacks. This aligns with a growing trend where attackers focus on perimeter devices rather than traditional endpoints, as these systems offer higher impact with less resistance.

Immediate Actions for Security Teams

Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority security event and respond without delay.

• Apply vendor-provided patches or mitigation steps immediately
• If fixes are unavailable, restrict or temporarily disable affected services
• Continuously monitor logs for unusual administrative actions or configuration changes
• Enforce strict access controls and reduce unnecessary exposure
• Implement network segmentation to limit potential spread after compromise

In addition to these steps, security teams should remain vigilant for evolving attack techniques, as exploitation methods may become more sophisticated over time.

Final Thoughts

The rapid inclusion of CVE-2025-53521 in the KEV catalog highlights an ongoing shift in attacker strategy — targeting critical infrastructure components that sit at the heart of enterprise networks. Organizations must move beyond reactive security and adopt a proactive approach that prioritizes visibility, rapid patching, and strong access controls.

Delaying action in cases like this significantly increases the risk of widespread compromise. For organizations relying on BIG-IP systems, the message is clear: act fast, monitor closely, and assume attackers are already attempting to exploit this weakness.

The post Active Exploitation of F5 BIG-IP Vulnerability Raises Urgency appeared first on First Hackers News.

Announced on March 25, 2026, the vulnerabilities impact both authoritative servers and DNS resolvers, making them a serious concern for organizations relying on BIND 9 for critical network operations. Administrators are strongly advised to apply patches immediately to avoid service disruption or unauthorized access.

CVE Breakdown and Security Impact

The most severe issue, CVE-2026-1519 (CVSS 7.5 – High), can lead to a Denial of Service. It is triggered when a resolver performs DNSSEC validation on a specially crafted zone, causing excessive NSEC3 processing. This results in high CPU usage and significantly reduces the server’s ability to handle queries. While disabling DNSSEC validation can reduce the impact, it is not recommended as it weakens security.

The second issue, CVE-2026-3119 (CVSS 6.5 – Medium), can cause the BIND “named” process to crash. This happens when handling a valid query containing a TKEY record. However, exploitation requires access to a trusted TSIG key already configured on the server. As a temporary measure, administrators should review and remove any unnecessary or potentially compromised TSIG keys.

The third vulnerability, CVE-2026-3591 (CVSS 5.4 – Medium), is related to improper memory handling in SIG(0) processing. A crafted DNS request can lead to incorrect ACL checks, potentially allowing unauthorized access in environments where permissive access rules are used. There are no effective workarounds for this issue, making patching essential.

Affected Versions and Fixes

These vulnerabilities impact multiple BIND 9 versions, including:

• 9.11.0 to 9.16.50
• 9.18.0 to 9.18.46
• 9.20.0 to 9.20.20
• 9.21.0 to 9.21.19

To address these issues, ISC has released patched versions:

• 9.18.47
• 9.20.21
• 9.21.20

Users of the BIND Supported Preview Edition should also apply the relevant S1 patches immediately.

At the time of disclosure, there are no confirmed reports of active exploitation. However, due to the potential impact on DNS infrastructure, organizations should prioritize updates, verify their deployed versions, and ensure proper monitoring to reduce risk.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Critical BIND 9 Vulnerabilities Require Immediate Attention appeared first on First Hackers News.

A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.

The flaws are tracked as CVE-2026-3055 and CVE-2026-4368. One can allow attackers to read sensitive data from memory, while the other may lead to session handling issues and unauthorized access. Both are examples of significant NetScaler vulnerabilities.

Administrators are advised to update affected systems as soon as possible.

Addressing these NetScaler vulnerabilities is crucial for maintaining the security of your network.

What Is CVE-2026-3055?

CVE-2026-3055 is the more serious of the two vulnerabilities. It has a CVSS v4.0 score of 9.3, which makes it critical.

This flaw is caused by improper input validation, which can lead to an out-of-bounds memory read. In simple terms, an attacker may be able to read sensitive information stored in the memory of the appliance.

This issue affects systems only when the NetScaler ADC or Gateway is configured as a SAML Identity Provider (IdP). If SAML IdP is not enabled, the system is not exposed to this specific flaw.

What Is CVE-2026-4368?

The second issue, CVE-2026-4368, is rated high severity with a CVSS v4.0 score of 7.7.

This vulnerability is caused by a race condition. It can result in a session mixup, where one user’s session may be wrongly assigned or exposed to another user. In some situations, this could affect administrative or normal user sessions.

A system is at risk only if it is configured as:

• AAA virtual server
• NetScaler Gateway

Gateway deployments that may be affected include:

• SSL VPN
• ICA Proxy
• Clientless VPN (CVPN)
• RDP Proxy

Affected NetScaler Versions

According to the advisory, the vulnerabilities affect only customer-managed NetScaler environments. Citrix-managed cloud services and Adaptive Authentication are not affected because they are updated automatically.

The impacted versions include:

• NetScaler ADC and Gateway 14.1 before 14.1-66.59 for CVE-2026-3055
• NetScaler ADC and Gateway 14.1-66.54 for CVE-2026-4368
• NetScaler ADC and Gateway 13.1 before 13.1-62.23 for CVE-2026-3055
• NetScaler ADC FIPS and NDcPP before 13.1-37.262 for CVE-2026-3055

Patched Versions

Cloud Software Group recommends upgrading affected systems immediately to the latest secure builds.

The patched versions are:

• 14.1-66.59
• 13.1-62.23
• 13.1-37.262 for FIPS and NDcPP editions

Updating to these versions is the best way to reduce the risk.

How to Check If Your System Is Exposed

Administrators can review their NetScaler configuration files to see whether the vulnerable features are enabled.

To check for exposure to CVE-2026-3055, search for:

• add authentication samlIdPProfile

This helps confirm whether the appliance is configured as a SAML IdP.

To check for exposure to CVE-2026-4368, search for:

• add authentication vserver for AAA virtual servers
• add vpn vserver for Gateway configurations

If these entries are present, the appliance may be exposed depending on how it is configured.

These vulnerabilities are important because they affect systems that often handle authentication, remote access, and sensitive network traffic. A successful attack could expose confidential data or allow session-related abuse.

Organizations using customer-managed NetScaler ADC or Gateway appliances should review their configurations and apply updates without delay.

Final Thoughts

The newly disclosed NetScaler vulnerabilities show why timely patching and configuration review remain critical for network security. Since these flaws can impact sensitive sessions and memory handling, administrators should act quickly to secure affected appliances.

For organizations running exposed NetScaler services, delaying updates could increase the risk of compromise.

The post Critical NetScaler Flaws Put ADC and Gateway Systems at Risk appeared first on First Hackers News.

DarkSword iOS chain exposes serious Apple security risk

What makes this campaign especially dangerous is the way the vulnerabilities can be chained together to move from initial access to deep system control. Instead of relying on a typical malware download, the attack can begin when a victim simply opens malicious web content through Safari or an in-app browser. That first stage gives attackers a foothold, which can then be expanded through additional flaws that target kernel memory and shared system processes.

This multi-step technique is what gives the DarkSword iOS chain its strength. One flaw is used to trigger memory corruption through crafted web content, another allows direct interaction with kernel memory, and a third helps attackers manipulate memory shared between active processes. When combined, these weaknesses can give threat actors a powerful path to compromise the device at a much deeper level than a standard application-level attack.

The vulnerabilities linked to this activity include:

• CVE-2025-31277 — a memory corruption vulnerability triggered through malicious web content
• CVE-2025-43520 — a classic buffer overflow flaw that may allow writes to kernel memory
• CVE-2025-43510 — an improper locking issue that can affect shared memory between processes

The reach of this threat is broad because it affects multiple Apple platforms, including iPhone, iPad, Mac, Apple Watch, Apple TV, and Vision Pro devices. That wide impact makes the issue important not only for individual users but also for enterprises managing mixed Apple environments. A single unpatched device could become an entry point for a more serious compromise, especially in organizations that depend heavily on mobile access and Apple endpoints.

Another reason this warning stands out is the stealth of the attack path. Since the initial trigger can come from normal-looking web content, users may not realize anything suspicious has happened. There may be no obvious file download, no fake installer, and no immediate sign that the device has been targeted. That lowers the barrier for exploitation and increases the importance of rapid patching.

At this stage, there is no public confirmation that the DarkSword chain is being used in ransomware attacks. Still, the level of access these flaws can provide makes them highly attractive for advanced threat actors seeking persistence, surveillance, credential access, or follow-on compromise. In practical terms, this is the kind of exploit chain that can support much more than a one-off intrusion.

CISA has set an April 3, 2026 remediation deadline for federal agencies under Binding Operational Directive 22-01. While that formal requirement applies to government networks, the broader message is clear: organizations and individual users should not delay updates. Security teams should make sure Apple devices are running the latest available software, verify patch coverage across managed assets, and remove or isolate systems that cannot be updated quickly.

For defenders, the bigger lesson is that exploit chains like DarkSword show how modern attacks are no longer built around a single bug. They are built around combinations of weaknesses that, together, can bypass normal security assumptions. That is exactly why timely patching, asset visibility, and strong device management remain essential.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Chain: CISA Warns of Exploited Apple Vulnerabilities appeared first on First Hackers News.

The malware operation, known as GhostLoader, is designed to steal sensitive data such as SSH keys, cloud credentials, browser sessions, and other developer secrets.

How the Attack Works

The package appears harmless during a quick inspection. It includes a clean configuration file and simple source code, making it look like a normal installer.

However, the attack starts during installation through a hidden script that automatically installs the tool globally. When the developer runs the openclaw command, a fake CLI installer appears with progress bars, while the malware quietly connects to attacker-controlled servers.

During this process, the script may display a fake system prompt asking for the user’s password, claiming it is required to store credentials securely.

GhostLoader Malware

Once the password is entered, the malware downloads an encrypted second stage called GhostLoader.

This malware installs itself as a hidden service named npm telemetry and creates persistence on the system using methods such as:

• modifying shell configuration files
• creating cron jobs or background tasks
• launching hidden monitoring processes

This allows the malware to remain active even after system reboots.

Data Theft Capabilities

The malware focuses heavily on developer environments and attempts to steal valuable data including:

• SSH keys and Git credentials
• cloud credentials for AWS, Azure, and GCP
• Docker and Kubernetes configuration files
• browser cookies and saved passwords
• cryptocurrency wallet data

It can also collect AI-related configuration files and developer project information.

Protection and Mitigation

Security teams recommend installing packages only from trusted sources and carefully reviewing npm packages before use.

Developers who installed the malicious package should immediately remove it, delete persistence files, and consider rebuilding the affected system due to the depth of the compromise.

This campaign highlights how attackers are increasingly targeting developers by abusing trust in open-source package ecosystems.

Indicators of Compromise

The post Malicious npm Package Targets Developers With GhostClaw Malware appeared first on First Hackers News.