Ticker feed
Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608 that has compromised over 700 Next.js servers using the React2Shell vulnerability (CVE-2025-55182). The attackers exploit this remote code execution flaw to automatically steal credentials without needing passwords or user interaction.
In just 24 hours, their "NEXUS Listener" dashboard recorded 766 compromised hosts. Over 90% had database credentials stolen, nearly 80% lost SSH keys, and hackers also grabbed AWS credentials, Stripe payment keys, and GitHub tokens.
The stolen data gives attackers access to private user information, financial records, and the ability to move across company networks or take over entire cloud environments. Companies using Next.js should immediately update their applications and change all passwords and security tokens.
Source: Cybersecurity News
Toy giant Hasbro confirmed hackers breached its network on March 28, affecting brands like Peppa Pig, Transformers, Monopoly, and Dungeons & Dragons. The company's websites displayed error messages Wednesday afternoon, with Hasbro warning the attack could delay product deliveries for several weeks.
The 103-year-old entertainment company filed notice with the SEC but hasn't revealed whether hackers remain in their systems or if customer data was compromised. Hasbro took swift action by taking some systems offline while keeping business operations running.
This attack follows a wave of recent cyber incidents hitting major retailers including M&S, Co-op, and Jaguar Land Rover in what became the UK's costliest cyber event.
Source: BBC News
Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608, which has compromised over 700 servers in just 24 hours. The attackers are exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in Next.js applications that requires no passwords or user interaction.
The hackers use automated tools to scan for vulnerable servers, then deploy malicious scripts that steal credentials like digital vacuum cleaners. Their custom "NEXUS Listener" dashboard shows devastating results: 90% of compromised hosts lost database credentials and 80% had SSH keys stolen, and AWS credentials, Stripe payment keys, and GitHub tokens were also taken.
Companies must immediately update Next.js applications and change all passwords, API keys, and security tokens.
Source: Cybersecurity News
AI recruiting startup Mercor was caught up in a massive supply chain attack that compromised thousands of companies through the popular LiteLLM library. The attack began March 27 when hackers from TeamPCP used stolen credentials to publish malicious versions of LiteLLM on PyPI for 40 minutes.
The Lapsus$ extortion group now claims to have stolen over 4 terabytes of Mercor's data, including candidate profiles, personal information, employer data, video interviews, source code, and VPN credentials. They're reportedly auctioning this information online.
Mercor says it's working with forensics experts to investigate the breach, but hasn't confirmed the extent of the data theft.
Source: Security Week
Google released an emergency Chrome update fixing a zero-day vulnerability already being exploited by attackers. The flaw, CVE-2026-5281, affects Chrome's WebGPU system and allows hackers to execute malicious code by exploiting freed memory.
Chrome has been updated to version 146.0.7680.177/178, rolling out over the coming weeks. An anonymous researcher discovered the vulnerability on March 10, 2026. Google confirmed active exploitation but won't release technical details until most users are patched.
This massive update includes 21 security fixes total, with 19 rated high severity. The concentration of memory-related bugs highlights ongoing browser security challenges.
Update now: Menu → Help → About Google Chrome.
Source: Cybersecurity News
Toy giant Hasbro confirmed hackers breached its network on March 28, affecting brands like Peppa Pig, Transformers, Monopoly, and Play-Doh. The company's websites showed error messages Wednesday, with Hasbro warning the attack could delay product shipments for several weeks.
Hasbro filed with the SEC about the "unauthorized access" and took some systems offline as a precaution. While business operations continue, the company implemented temporary measures for orders and shipping that may cause delays.
It's unclear if hackers remain in Hasbro's systems, made demands, or accessed customer data. The 103-year-old company joins other major retailers hit by cyberattacks this year.
Source: BBC News
North Korean hackers compromised the widely used Axios JavaScript library on March 31, 2026, publishing two malicious versions that were downloaded by roughly 3% of users before being removed three hours later. The attackers hijacked the npm account of Axios maintainer @jasonsaayman and inserted a backdoor dependency called plain-crypto-js that deployed cross-platform malware capable of remote shell access and system reconnaissance.
With over 100 million weekly downloads, Axios is present in about 80% of cloud environments, making this breach particularly significant. The malware targeted Windows, macOS, and Linux systems and was designed to erase its tracks to avoid detection. Google attributed the attack to UNC1069, a North Korean group known for targeting cryptocurrency and DeFi platforms since 2018.
Organizations that installed the compromised versions should treat their systems as breached and immediately audit dependencies, rotate credentials, and scan for malware.
Source: SecurityWeek
Cisco disclosed six new vulnerabilities in its SD-WAN Manager on February 25, with three already exploited in the wild. While CVE-2026-20127 grabbed headlines with its perfect 10 CVSS score and three years of zero-day exploitation, researchers at VulnCheck warn that fake proof-of-concept exploits are muddying the waters.
Meanwhile, CVE-2026-20133 is flying under the radar despite allowing attackers to steal private keys and escalate to root access. VulnCheck found most public PoCs for the high-profile bug were either fake or misleading, with one actually exploiting three different vulnerabilities instead.
The chaos highlights how organizations struggle to prioritize patches amid overwhelming vulnerability noise and unreliable exploit code.
Source: Dark Reading
A hacker briefly hijacked the npm account of axios's lead maintainer and published malicious versions of the popular JavaScript library, which has 100 million weekly downloads. The attack occurred Sunday night into Monday morning, with poisoned versions "axios@1.14.1" and "axios@0.30.4" injecting remote access trojans targeting macOS, Windows, and Linux devices.
Google attributes the attack to suspected North Korean hacking group UNC1069. Security researchers estimate around 600,000 downloads occurred during the brief window before the malicious versions were removed. The malware scrapes access credentials and could enable attackers to pivot to AWS and GitHub accounts.
Experts advise axios users to pin their current version immediately and avoid upgrading while auditing for potential compromises.
Source: CyberScoop
Security researchers at ReliaQuest have discovered DeepLoad, a sophisticated piece of malware that steals passwords and credentials the moment it infects a system. The malware uses AI-generated code buried under thousands of lines of junk code to fool security scanners, then injects itself into legitimate Windows processes like LockAppHost.exe.
DeepLoad spreads through ClickFix social engineering tricks that prompt users to run fake "fix" commands. Once installed, it captures both stored browser passwords and live keystrokes through a malicious browser extension. The malware creates persistent triggers in Windows Management Instrumentation that can relaunch attacks days after apparent cleanup.
In one case, DeepLoad spread to USB drives within 10 minutes, disguising itself as familiar installers like Chrome and Firefox. Standard cleanup methods fail because the malware uses advanced persistence mechanisms that survive reboots and partial detection.
Source: Dark Reading