Browser-in-the-browser phishing scams are stealing Facebook passwords
Researchers warn that fake browser pop-ups are being used to trick Facebook users into handing over passwords and authentication codes.
Patch now: Oracle Fusion Middleware bug exposes internet-facing servers to unauthenticated RCE
Oracle urged customers to patch a critical Fusion Middleware flaw that can allow unauthenticated remote code execution on exposed servers.
Apple backports WebKit fix to older iPhones, iPads, and Macs after active exploitation
Apple patched older iPhones, iPads, and Macs for an actively exploited WebKit flaw, CVE-2023-43010, tied in reports to Coruna.
New password-stealing phishing campaign targets corporate Dropbox credentials
A new phishing campaign uses business-themed PDFs with hidden links to steal corporate Dropbox credentials and expose sensitive cloud data.
RondoDox botnet drives surge in attacks on HPE OneView flaw
Check Point says the RondoDox botnet is exploiting an HPE OneView flaw, raising risks for enterprise management systems exposed online.
Russian threat actor Sednit resurfaces with sophisticated toolkit
Sednit, also known as APT28, appears to be shifting back to custom malware, raising the stakes for governments, defense firms, and diplomats.
Trump administration rolls out new US cyber strategy after 15-year gap
The White House unveiled a new national cyber strategy focused on stronger defenses, threat disruption, critical infrastructure, and innovation.
FIRST says 2026 could bring more than 50,000 new CVEs
FIRST forecasts that newly disclosed CVEs could exceed 50,000 in 2026, raising the pressure on already stretched vulnerability teams.
AI may help spot smartphone phishing, but it won’t stop the surge alone
Dark Reading reports Omdia found smartphone phishing is bypassing on-device protections, while AI helps both defenders and attackers.
GRU-linked BlueDelta sharpens credential-harvesting operations across Europe and Eurasia
Recorded Future says GRU-linked BlueDelta is refining phishing and session-theft campaigns targeting government, energy, and research groups.
Tentacles of ‘0ktapus’ threat group victimize 130 firms
The 0ktapus campaign hit 130+ firms by spoofing Okta MFA flows, showing how phishable authentication can enable wide account takeover.
VoidStealer uses debugger trick to steal Chrome’s encryption key
VoidStealer reportedly bypasses Chrome ABE with a debugger trick, exposing cookies, passwords, and session tokens to account hijacking.











