#dom-based-clickjacking

#malware
fromInfoWorld
4 hours ago
Information security

Malicious pgserve, automagik developer tools found in npm registry

Malicious npm packages aim to steal sensitive data and credentials, potentially leading to complete organizational takeovers.
Information security
fromTechRepublic
5 days ago

New Phishing Attack Turns n8n Into On-Demand Malware Machine

Attackers are exploiting n8n workflows to deliver malware while evading detection and blending into normal business activities.
#ai
Software development
fromTheregister
1 day ago

Mythos found 271 Firefox flaws - none a human couldn't spot

Mythos AI model significantly improves bug detection, identifying 271 vulnerabilities in Firefox 150, marking a pivotal moment for software security.
Artificial intelligence
fromEngadget
1 day ago

Mozilla says it patched 271 Firefox vulnerabilities thanks to Anthropic's Claude Mythos

Mozilla's use of Anthropic's Claude Mythos model successfully identified and patched 271 vulnerabilities in Firefox, showcasing AI's potential in cybersecurity.
Information security
fromInfoWorld
3 hours ago

Claude Mythos signals a new era in AI-driven security, finding 271 flaws in Firefox

AI has exposed hundreds of vulnerabilities in Mozilla's Firefox browser, highlighting both cybersecurity advancements and dual-use risks.
Information security
fromComputerworld
3 hours ago

Claude Mythos signals a new era in AI-driven security, finding 271 flaws in Firefox

AI has exposed hundreds of vulnerabilities in Mozilla's Firefox browser, highlighting both cybersecurity advancements and dual-use risks.
#firefox
Web frameworks
fromZDNET
11 hours ago

New Firefox update patches a whopping 271 bugs, thanks to Claude Mythos

Firefox 150 introduces enhanced features and fixes 271 security flaws.
Information security
fromTechzine Global
21 hours ago

As Mythos fixes Mozilla flaws, unauthorized access spells disaster

Firefox's Claude Mythos Preview addresses 271 vulnerabilities, but unauthorized access raises concerns about potential misuse by threat actors.
React
fromThisweekinreact
1 day ago

This Week In React #278: React Email, TSRX, ESLint plugin, Rspack RSC, TanStack, Hook Form | Vision Camera, Expo, Nano Icons, ExecuTorch, Argent, Audio API, CSS, RNSec | TypeScript Go, Node.js, Bun, Hono | This Week In React

React Email 6.0 consolidates the ecosystem, offering an embeddable editor and improved HTML rendering for better email management.
#markdown
Typography
fromCSS-Tricks
15 hours ago

Enhancing Astro With a Markdown Component | CSS-Tricks

Using a Markdown Component simplifies markup and enhances typographic symbols in an Astro project.
Vue
fromRaymondcamden
3 days ago

Building a Simple Markdown PWA App

A Markdown viewer app was built using Electron, focusing on simplicity and functionality for viewing Markdown files.
Mental health
fromSmashing Magazine
3 days ago

Session Timeouts: The Overlooked Accessibility Barrier In Authentication Design - Smashing Magazine

Poor session timeouts create significant accessibility barriers for users with disabilities, impacting their online experiences and tasks.
#css
Web development
fromMedium
1 day ago

CSS you didn't know you could style

CSS can style native browser elements like user selection highlights and scrollbars, enhancing the overall design of a website.
Web development
fromCSS-Tricks
5 days ago

What's !important #9: clip-path Jigsaws, View Transitions Toolkit, Name-only Containers, and More | CSS-Tricks

Clip-path jigsaws and view transitions toolkit enhance web design capabilities with new CSS features and utilities.
Python
fromTalkpython
6 days ago

OWASP Top 10 (2025 List) for Python Devs

The OWASP Top 10 has been updated with significant changes including supply chain attacks and exceptional condition handling.
fromMouse Vs Python
5 days ago

Textual - An Intro to DOM Queries (Part I) - Mouse Vs Python

The query_one() method throughout the Textual documentation allows users to retrieve a single widget that matches a CSS selector or a widget type. You can pass in up to two parameters to query_one(), which are the CSS selector and the widget type, or both at the same time.
jQuery
#security
Information security
fromInfoWorld
9 hours ago

Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core

Long-lived tokens in applications can be exploited by attackers to gain unauthorized access and issue legitimate tokens.
Information security
fromThe Hacker News
20 hours ago

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape

A critical vulnerability in the Terrarium Python sandbox allows arbitrary code execution with root privileges, rated 9.3 on the CVSS scale.
Web frameworks
fromInfoQ
3 days ago

Pretext.js Bypasses DOM Layout Reflow, Enabling Advanced UX Patterns at 120 FPS

Pretext is a TypeScript library that enhances UI performance by measuring text without causing DOM reflows.
#ai-security
Artificial intelligence
fromTechRepublic
2 days ago

The MCP Disclosure Is the AI Era's 'Open Redirect' Moment

The Model Context Protocol has a design flaw that enables AI supply chain attacks, posing a significant security risk to enterprise AI systems.
Information security
fromTheregister
3 days ago

Prompt injection proves AI models are gullible like humans

Prompt injection attacks exploit AI systems, similar to phishing, by embedding malicious instructions that the AI executes instead of treating as content.
Information security
fromTechzine Global
6 days ago

AI agents on GitHub leak API keys via prompt injection

Three popular AI agents on GitHub Actions are vulnerable to Comment and Control attacks, allowing attackers to steal API keys and access tokens.
Information security
fromSecurityWeek
6 days ago

Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

A prompt injection attack method named 'Comment and Control' targets AI code security tools, allowing attackers to hijack AI agents using crafted GitHub comments.
#axios
Node JS
fromNist
1 week ago

NVD

Axios library versions prior to 1.15.0 are vulnerable to Prototype Pollution, leading to Remote Code Execution and Full Cloud Compromise.
Information security
fromSiliconANGLE
3 weeks ago

Hackers compromise popular Axios Javascript library with hidden malware - SiliconANGLE

Axios HTTP client library was hacked to distribute malware via a compromised npm account, affecting multiple operating systems.
#npm
Information security
fromTheregister
6 hours ago

Another npm supply chain worm hits dev environments

A new npm supply-chain attack targets developer workflows, compromising multiple packages and stealing sensitive data, with similarities to previous CanisterWorm infections.
Node JS
fromBleepingComputer
3 weeks ago

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.
Node JS
fromTheregister
3 weeks ago

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.
UX design
fromDavid Mello
1 week ago

Playwright Accessibility Testing: What axe and Lighthouse Miss

Automated accessibility tools only detect 30-40% of WCAG violations, necessitating manual testing for comprehensive accessibility assurance.
fromTNW | Anthropic
10 hours ago
Information security

Mozilla fixes 271 Firefox vulnerabilities found by Anthropic's Claude Mythos in a single evaluation pass

Mozilla's Firefox 150 fixes 271 security vulnerabilities identified by Anthropic's AI model, Mythos, showcasing the model's effectiveness in vulnerability detection.
#cybersecurity
Information security
fromTechRepublic
11 hours ago

Hackers Impersonate IT Help Desk on Microsoft Teams to Gain Access, Steal Data

Hackers are increasingly using social engineering on Microsoft Teams to gain unauthorized access by impersonating IT support.
Information security
fromThe Hacker News
2 days ago

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

A critical vulnerability in the Model Context Protocol allows remote code execution, affecting over 7,000 servers and compromising sensitive data.
Software development
fromTheregister
5 days ago

Claude Opus wrote a Chrome exploit for $2,283

Anthropic withheld its Mythos model due to security concerns, while Opus 4.6 was used to create a functional exploit for Chrome's V8 engine.
Information security
fromThe Hacker News
1 day ago

Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution

A vulnerability in Google's Antigravity IDE allowed code execution through insufficient input sanitization in the find_by_name tool.
Information security
fromThe Hacker News
1 day ago

22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters

22 new vulnerabilities in serial-to-IP converters could allow attackers to hijack devices and tamper with data.
Node JS
fromZero Day Initiative
2 weeks ago

Zero Day Initiative - Node.js Trust Falls: Dangerous Module Resolution on Windows

Node.js module resolution can lead to security vulnerabilities if malicious packages are placed in the root node_modules directory.
#microsoft
Information security
fromArs Technica
9 hours ago

Microsoft issues emergency update for macOS and Linux ASP.NET threat

Microsoft released an emergency patch for ASP.NET Core to fix a high-severity vulnerability allowing unauthenticated attackers to gain SYSTEM privileges.
Information security
fromThe Hacker News
18 hours ago

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Microsoft released updates to fix a critical security vulnerability in ASP.NET Core that allows privilege escalation for unauthorized attackers.
Node JS
fromNist
2 weeks ago

NVD

Tinyproxy versions up to 1.11.3 are vulnerable to HTTP request parsing desynchronization due to case-sensitive Transfer-Encoding header comparison.
Information security
fromTechRepublic
7 hours ago

Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed

Over 1,300 internet-exposed Microsoft SharePoint servers remain unpatched against a spoofing flaw, CVE-2026-32201, posing significant security risks.
Information security
fromTNW | Next-Featured
1 day ago

Lovable security crisis: 48 days of exposed projects, closed bug reports, & the structural failure of vibe coding security

Lovable's security incidents expose vulnerabilities in AI-generated code and highlight a market focus on growth over security.
#openclaw
#ai-in-cybersecurity
Information security
fromArs Technica
1 day ago

Mozilla: Anthropic's Mythos found 271 zero-day vulnerabilities in Firefox 150

AI tools like Mythos enhance cybersecurity by making vulnerability discovery cheaper and more efficient for defenders.
Information security
fromWIRED
1 day ago

Mozilla Used Anthropic's Mythos to Find and Fix 151 Bugs in Firefox

Mozilla's Firefox 150 includes protections for 271 vulnerabilities identified using AI tools, highlighting the significant impact of AI on cybersecurity.
Information security
fromSecurityWeek
18 hours ago

North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks

North Korean hackers are targeting macOS users in financial organizations using social engineering techniques to install information-stealing malware.
#ai-coding-assistants
Web development
fromMozilla Hacks - the Web developer blog
1 month ago

Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 - Mozilla Hacks - the Web developer blog

Firefox 148 introduces the standardized Sanitizer API, enabling developers to safely remove malicious HTML and JavaScript from user-generated content before inserting it into the DOM.
Information security
fromSecurityWeek
1 day ago

Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities

CISA expanded its Known Exploited Vulnerabilities catalog with eight new flaws, including high-severity bugs in Cisco and Kentico products.
#vercel
Information security
fromSiliconANGLE
2 days ago

Developer tooling provider Vercel discloses breach that exposed some users' data - SiliconANGLE

Vercel experienced a security breach through Context.ai, compromising limited customer data and employee information.
#vulnerabilities
Information security
fromSecurityWeek
1 day ago

Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster

Progress Software released patches for multiple vulnerabilities in MOVEit WAF and LoadMaster that could lead to remote code execution and command injection.
Information security
fromInfoWorld
1 day ago

The cookbook for safe, powerful agents

Capability without control in AI agents creates vulnerabilities, necessitating a structured control architecture for safe deployment.
Information security
fromTheregister
1 day ago

macOS ClickFix attacks deliver AppleScript stealers

A ClickFix campaign targets macOS users with an AppleScript infostealer that collects sensitive data from various browsers and cryptocurrency wallets.
Information security
fromSecurityWeek
1 day ago

Unsecured Perforce Servers Expose Sensitive Data From Major Orgs

Many internet-facing Perforce P4 servers are misconfigured, exposing sensitive information and allowing unauthorized access.
Information security
fromSecuritymagazine
3 days ago

58% of Organizations Spend Over 10 Hours a Month Securing AI-generated Code

31% of organizations using AI-generated code spend 10 hours or less per month on validation and auditing, raising security concerns.
Information security
fromTechzine Global
2 days ago

Aikido Endpoint offers developers additional protection against supply chain attacks

Aikido Endpoint protects developers' endpoints from supply chain attacks by blocking high-risk installations before they reach the system.
Information security
fromDevOps.com
5 days ago

The Open Source Trap: Why Trust Isn't a Security Strategy - DevOps.com

The software supply chain is vulnerable due to reliance on under-resourced open source maintainers, requiring active organizational support for security.
Information security
fromThe Hacker News
4 days ago

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

Threat actors exploit vulnerabilities in TBK DVR and TP-Link routers to deploy Mirai-botnet variants, targeting IoT devices for large-scale attacks.
#wordpress
Information security
fromTechRepublic
6 days ago

Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites

Malicious WordPress plugins with backdoors compromised thousands of websites, demonstrating a supply-chain attack and leading to their permanent removal.
Information security
fromTechCrunch
1 week ago

Someone planted backdoors in dozens of WordPress plugins used in thousands of websites | TechCrunch

Dozens of WordPress plugins were compromised by a backdoor, distributing malicious code after a change in ownership of the plugin maker.
Information security
fromThe Hacker News
1 week ago

Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Unknown threat actors hijacked the Smart Slider 3 Pro plugin update system to distribute a backdoored version affecting WordPress and Joomla users.
Information security
fromSecurityWeek
2 weeks ago

Hackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to Takeover

A critical vulnerability in Ninja Forms allows file uploads that could lead to remote code execution on affected websites.
#apache-activemq
Information security
fromSecurityWeek
5 days ago

Recent Apache ActiveMQ Vulnerability Exploited in the Wild

A vulnerability in Apache ActiveMQ Classic, CVE-2026-34197, is being actively exploited, requiring immediate patching by organizations.
Information security
fromThe Hacker News
6 days ago

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A high-severity security flaw in Apache ActiveMQ Classic, CVE-2026-34197, is actively exploited, requiring urgent fixes by April 30, 2026.
Information security
fromTheregister
6 days ago

MCP 'design flaw' puts 200k servers at risk: Researcher

A design flaw in Anthropic's Model Context Protocol puts 200,000 servers at risk, despite repeated requests for a patch from security researchers.
Information security
fromThe Hacker News
6 days ago

Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

Cisco has released patches for four critical security vulnerabilities in Identity Services and Webex Services that could allow unauthorized access and code execution.
Information security
fromSecurityWeek
1 week ago

Exploited Vulnerability Exposes Nginx Servers to Hacking

A critical vulnerability in Nginx UI allows attackers to take full control of servers, affecting numerous deployments worldwide.
Information security
fromThe Hacker News
1 week ago

New PHP Composer Flaws Enable Arbitrary Command Execution - Patches Released

Two high-severity vulnerabilities in Composer could allow arbitrary command execution through command injection flaws in the Perforce VCS driver.
Information security
fromThe Hacker News
2 weeks ago

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

Threat actors exploit HTTP cookies for PHP web shells on Linux servers, enabling remote code execution with stealthy control mechanisms.
Information security
fromSecurityWeek
1 month ago

Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea

The 2024 Polyfill.io supply chain attack affecting over 100,000 websites involved both Chinese and North Korean threat actors, with Funnull serving as a corporate front for the operation.
Information security
fromThe Hacker News
1 month ago

Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Two critical vulnerabilities in n8n workflow automation platform enable arbitrary command execution through sandbox escape and unauthenticated expression evaluation, affecting both self-hosted and cloud deployments.
fromCSS-Tricks
1 month ago

An Exploit ... in CSS?! | CSS-Tricks

Google credits security researcher Shaheen Fazim with reporting the exploit to Google. The dude's LinkedIn says he's a professional bug hunter, and I'd say he deserves the highest possible bug bounty for finding something that a government agency is saying "in CSS in Google Chrome before 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page."
Information security
fromBleepingComputer
1 month ago

Fake Next.js job interview tests backdoor developer's devices

The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments. The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns.