Red Hot Cyber

Author: Antonio Piazzolla

ProxyCommand: The Little String That Opens a Port for Exploits

Yesterday, a vulnerability in OpenSSH, CVE-2025-61984, was published that potentially allows command execution on the client when ProxyCommand is used with usernames containing control characters (e.g., newlines). Some OpenSSH input streams were not properly stripping control characters from usernames. An attacker could exploit this behavior by constructing a username containing, for example, a newline followed by a string that should be interpreted as a command. When that username is inserted into the string invoked by the ProxyCommand, some shells bypass the syntax error introduced by the newline and continue execution: the next line can then be executed as the payload. Essentially, a

SoopSocks: The PyPI Package That Looked Like a Proxy But Was a Backdoor to Windows

The story of SoopSocks is one we, unfortunately, know well: a PyPI package that promises utility — a SOCKS5 proxy — but in reality introduces a well-orchestrated malicious implementation. We’re not talking about your average improvised script; SoopSocks is built with a chain of actions designed to achieve persistence, reduce noise, and establish a stable command/control channel. The package has been published to PyPI (Python Package Index), the official Python package registry. The deceptive package, dubbed “soopsocks,” had 2,653 downloads before being removed. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same

LockBit 5.0 — the cross-platform ransomware that targets hypervisors

In September 2025, a new incarnation of the notorious LockBit ransomware emerged, dubbed LockBit 5.0. It’s not just an “update”: it’s an operational adaptation designed to be faster, less noisy, and have a greater impact on virtualized infrastructures. The feature that should be emphasized right away is that 5.0 is cross-platform: samples have been identified for Windows, Linux, and VMware ESXi—which expands the attack surface and requires coordination between different teams (endpoints, servers, virtualization).

What changes

The attack chain remains the same, but LockBit 5.0 carries it forward faster and with measures designed to minimize traces: The image shows the parameters, and

Fake Microsoft Teams installer! One-time certificates and a backdoor in the download

In recent days, a malvertising campaign targeting business users trying to download Microsoft Teams has been discovered. At first glance, the attack seems trivial: a sponsored ad leads to a download page, and the user downloads a file called MSTeamsSetup.exe and runs it. But the details make all the difference, and it’s precisely these details that make the operation so insidious. The file isn’t a regular malicious executable; it’s digitally signed. For many, this signifies trustworthiness. In fact, attackers have found a way to exploit trust in digital signatures to their advantage: they use “disposable” certificates, valid for only a

New AD DS Vulnerability (CVE-2025-21293) Could Hand Hackers the Keys to the Entire Corporate Network

Microsoft recently published a security advisory regarding a new vulnerability affecting Active Directory Domain Services (AD DS). The flaw, identified as CVE-2025-21293, is classified as an Elevation of Privilege vulnerability and, if successfully exploited, could allow an attacker to gain SYSTEM privileges, the highest level of authorization in a Windows environment. This is an extremely relevant issue because domain controllers are the heart of corporate infrastructure: they control authentication, authorization, and centralized management of users, groups, computers, and security policies. A successful attack against a domain controller is, in many cases, equivalent to complete control of the entire corporate network. Source of

Palo Alto Networks Also Compromised via Salesforce and Drift

In early September 2025, Palo Alto Networks confirmed it had been the victim of a data breach. The compromise did not affect its core products or services, but rather some internally used Salesforce instances due to an integration with the third-party Salesloft Drift app. The incident is part of a larger supply chain attack campaign conducted in August 2025 and once again demonstrates how SaaS integrations can be a significant weakness. Between August 8 and 18, 2025, a threat actor identified by Google as UNC6395 exploited compromised OAuth tokens associated with the Drift app. These tokens allowed access to Salesforce instances without

Video Surveillance Under Attack: A Hikvision Bug Allows Admin Access Without a Login

At the end of August 2025, a high-impact vulnerability affecting HikCentral Professional, the Hikvision platform used to centrally manage video surveillance and access control, was disclosed. The flaw, classified as CVE-2025-39247, has a CVSS score of 8.6 (High) and allows a remote attacker to gain administrative access without authentication. In other words: anyone, via the network, can access the heart of the security management system.

Why it’s important

Environments that adopt HikCentral often consider it part of “physical security,” but in reality it’s software exposed like any other IT service. This makes it an attractive target: if compromised, it could provide access