Cybersecurity researchers
Coverage of Cybersecurity researchers in the Nexus archive.
- Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
Cybersecurity researchers have discovered malicious npm packages designed to deliver a Windows-based remote access trojan (RAT). The identified packages include aes-decode-runner-pro (145 downloads), postcss-minify-selector (256 downloads), and postcss-minify-selector-parser (615 downloads), all published in the past month by an npm user.
- Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Cybersecurity researchers have identified a new attack method called Agentjacking, which exploits AI coding agents by tricking them into executing malicious code via fake error reports generated through the Sentry platform. The attack leverages an open-source error-tracking and performance-monitoring system to compromise developer machines.
- Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT
Cybersecurity researchers have identified a new malspam campaign exploiting Google's DoubleClick domain to bypass detection and deliver the DesckVB RAT. The campaign uses a legitimate Google-owned domain to route traffic before reaching attacker-controlled infrastructure.
- Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
Cybersecurity researchers disclosed an unpatched vulnerability in the Windows search: URI handler that could allow attackers to steal NTLMv2 hashes. The issue is similar to CVE-2026-33829, which affected the Windows Snipping Tool's ms-screensketch: URI handler, and was identified by Huntress.
- Gitea Vulnerability Exposes Private Container Images without Authentication
A security flaw in Gitea, an open-source version control platform, allows unauthenticated attackers to access private container images. The vulnerability, CVE-2026-27771, affects all versions prior to 1.26.2 and was disclosed by cybersecurity researchers.
- 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Cybersecurity researchers have disclosed a 9-year-old Linux kernel vulnerability (CVE-2026-46333) with a CVSS score of 5.5 that enables unprivileged local users to execute arbitrary commands as root on major Linux distributions. The flaw involves improper privilege management and affects default installations across several major distros.
- Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
Cybersecurity researchers discovered 28 fraudulent apps on the Google Play Store that tricked users into joining a subscription with fake data, resulting in financial loss. The apps collectively gained over 7.3 million downloads. One app alone accounted for a significant portion of these downloads.
- Telegram Mini Apps abused for crypto scams, Android malware delivery
Cybersecurity researchers discovered a large-scale fraud operation exploiting Telegram's Mini App feature to conduct crypto scams, impersonate brands, and deliver Android malware.
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Cybersecurity researchers discovered a malicious npm package, '@validate-sdk/v2', used in attacks attributed to the DPRK. The package, falsely presented as a legitimate SDK, was linked to Anthropic's Claude Opus LLM and employs AI-inserted malware, fake firms, and RATs for cyber operations.
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
Cybersecurity researchers discovered a critical remote code execution (RCE) vulnerability in GitHub.com and GitHub Enterprise Server, tracked as CVE-2026-3854 (CVSS score: 8.7). The flaw allows authenticated users with push access to exploit a command injection vulnerability via a single 'git push' command.
- Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware
Cybersecurity researchers discovered 73 fake Microsoft Visual Studio Code extensions on the Open VSX repository linked to the GlassWorm v2 malware campaign. The malicious extensions, cloned from legitimate ones, include six confirmed to deliver malware.
- Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Cybersecurity researchers identified a critical design flaw in the Model Context Protocol (MCP) that could enable remote code execution (RCE), posing significant risks to systems using vulnerable MCP implementations and threatening the AI supply chain.
- Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
Researchers have identified a new malware named ZionSiphon, specifically targeting Israeli water treatment and desalination operational technology (OT) systems. The malware, detected by Darktrace, is capable of establishing persistence, modifying configuration files, and scanning for OT services.
- New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges
A researcher named 'Chaotic Eclipse' has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called 'RedSun,' which grants SYSTEM privileges. The exploit was published as a protest against Microsoft's handling of cybersecurity researchers.
- GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
The GlassWorm campaign has evolved with a new Zig dropper designed to infect multiple developer IDEs. Researchers identified the threat in a malicious Open VSX extension named 'specstudio.code-wakatime-activity-tracker,' which disguises itself as the legitimate WakaTime tool.
- New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
A new variant of Chaos malware is targeting misconfigured cloud deployments, expanding its scope beyond routers and edge devices. Darktrace reported this development in a recent analysis.
- Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices
Cybersecurity researchers have uncovered the Masjesu Botnet, a DDoS-for-hire service advertised on Telegram since 2023. It targets global IoT devices, including routers and gateways, across multiple architectures.