iClicker Website Hacked with Fake CAPTCHA in ClickFix Attack
Popular student engagement platform iClicker's website was compromised with a ClickFix attack. A fake "I'm not a robot"…
PT-2025-20889
The system lacks kernel module signature verification. If an attacker can execute commands as the root user due to additional vulnerabilities, then he/she is also able to load custom kernel modules into kernel space and execute code in the kernel context. Such a fl...
A week in security (May 4 – May 10)
Last week on Malwarebytes Labs: The AI chatbot cop squad is here Lock and Code S06E09 Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can! "Your privacy is a promise we don’t break": Dating app Raw exposes sensitive user data FBI issues warning as scammers target...
Trojaned AI Tool Leads to Disney Hack
This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job...
Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the the...
Crypto and Cybersecurity: The Rising Threats and Why Reliable Wallets Matter
Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to…
Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group
Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering...
Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange
In a major cybersecurity incident, Bybit, the world's 2nd-largest crypto exchange, suffered a $1.4 billion ETH hack from…
Canadian Charged in $65M KyberSwap, Indexed Finance DeFi Hack
Canadian man charged in $65 million DeFi hack. Exploited KyberSwap, Indexed Finance smart contracts, laundered funds, and attempted extortion. Faces 20 years...
CVE-2024-54353
Cross-Site Request Forgery (CSRF) vulnerability in wpgear Hack-Info hack-info allows Stored XSS. This issue affects Hack-Info: from n/a through = 3.17...
CVE-2025-24367
creationtimestamp| type| source
---|---|---
2025-01-27 17:20:06+00:00| seen| https://infosec.exchange/users/cve/statuses/113901463554547835
2025-01-27 18:16:28+00:00| seen| https://bsky.app/profile/cve-notifications.bsky.social/post/3lgqkdmlf7e2e
2025-01-27 18:55:22+00:00| seen|...
The FCC’s Jessica Rosenworcel Isn’t Leaving Without a Fight
As the US faces “the worst telecommunications hack in our nation’s history,” by China’s Salt Typhoon hackers, the outgoing FCC chair is determined to bolster network security if it’s the last thing she does...
CVE-2025-23713
Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can hack-me-if-you-can allows Stored XSS. This issue affects Hack me if you can: from n/a through <= 1.2...
CVE-2025-23713 WordPress Hack me if you can plugin <= 1.2 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Artem Anikeev Hack me if you can allows Stored XSS. This issue affects Hack me if you can: from n/a through 1.2...
CVE-2025-23713
The connected Red Hat advisory for CVE-2025-23713 confirms a Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in the Hack me if you can plugin/app (affected range: from n/a through 1.2). The description in the CVE entry itself also notes a CSRF to Stored XSS vulnerab...
WordPress Hack me if you can plugin <= 1.2 - CSRF to Stored XSS vulnerability
CSRF to Stored XSS vulnerability discovered by SOPROBRO in WordPress Plugin Hack me if you can versions <= 1.2...
PT-2025-5045 · Unknown · Hack Me If You Can
Name of the Vulnerable Software and Affected Versions: Hack me if you can versions n/a through 1.2. Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and...
Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes...
Apple May Owe You $20 in a Siri Privacy Lawsuit Settlement
Plus: The FBI discovers a historic trove of homemade explosives, new details emerge in China’s hack of the US Treasury Department, and more...
U.S. Army Soldier Arrested in AT&T, Verizon Extortions
Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, th...