Go Module Mirror served backdoor to devs for 3+ years

A mirror proxy Google runs on behalf of developers of the Go programming language pushed a backdoored package for more than three years until Monday, after researchers who spotted the malicious code petitioned for it to be taken down twice. The service, known as the Go Module Mirror, caches …

22-year-old math wiz indicted for alleged DeFI hack that stole $65M

Federal prosecutors have indicted a man on charges he stole $65 million in cryptocurrency by exploiting vulnerabilities in two decentralized finance platforms and then laundering proceeds and attempting to extort swindled investors. The scheme, alleged in an indictment unsealed on Monday, occurred in 2021 and 2023 against the DeFI …

Apple chips can be hacked to leak secrets from Gmail, iCloud, and more

Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail. The vulnerabilities, affecting the CPUs in later generations …

Backdoor infecting VPNs used “magic packets” for stealth and security

When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can’t be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives …

Data breach hitting PowerSchool looks very, very bad

Parents, students, teachers, and administrators throughout North America are smarting from what could be the biggest data breach of 2025: an intrusion into the network of a cloud-based service storing detailed data of millions of pupils and school personnel. The hack, which came to light earlier this month, hit …

Researchers say new attack could take down the European power grid

Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million …

Microsoft patches Windows to eliminate Secure Boot bypass threat

For the past seven months—and likely longer—an industry-wide standard that protects Windows devices from firmware infections could be bypassed using a simple technique. On Tuesday, Microsoft finally patched the vulnerability. The status of Linux systems is still unclear. Tracked as CVE-2024-7344, the vulnerability made it possible for …

Microsoft sues service for creating illicit content with its AI platform

Microsoft is accusing three individuals of running a "hacking-as-a-service" scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content. The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of …

Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware

Networks protected by Ivanti VPNs are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over the network-connected devices. Hardware maker Ivanti disclosed the vulnerability, tracked as CVE-2025-0283, on Wednesday and warned that it was under active exploitation against some customers …

Here’s how hucksters are manipulating Google to promote shady Chrome extensions

The people overseeing the security of Google’s Chrome browser explicitly forbid third-party extension developers from trying to manipulate how the browser extensions they submit are presented in the Chrome Web Store. The policy specifically calls out search-manipulating techniques such as listing multiple extensions that provide the same experience …

Widely used DNA sequencer still doesn’t enforce Secure Boot

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect Windows devices against the threat of malware that could infect the BIOS and, later, its successor, the UEFI, the firmware that loaded the operating system each time a computer booted up. Firmware-dwelling malware raises …

Time to check if you ran any of these 33 malicious Chrome extensions

As many of us celebrated the year-end holidays, a small group of researchers worked overtime tracking a startling discovery: At least 33 browser extensions hosted in Google’s Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices …
