Red Hot Cyber

Category: Cybercrime and Darknet

One added line of code and thousands of companies hacked. This is the magic of the Supply Chain!

Developers learned to trust the tools that help their AI assistants handle routine tasks, from sending emails to using databases. But this trust proved vulnerable: the postmark-mcp package, downloaded over 1,500 times a week, silently forwarded copies of all emails to an external server owned by its author starting with version 1.0.16. Internal company correspondence, invoices, passwords, and confidential documents were at risk. The incident demonstrated for the first time that MCP servers can be used as a full-fledged conduit for supply chain attacks. Researchers at Koi Security identified the issue when their system detected a sudden change in the package's behavior.

Rhadamanthys Stealer: Introduces an AI feature to extract seed phrases from images

Rhadamanthys is an advanced information stealer that first emerged in 2022. Featuring a rapid development cycle, with at least ten different releases since its inception, the malware is promoted and marketed on underground forums. Despite a ban on its use against Russian and/or former Soviet republics, the product is still available on the black market; prices start at $250 for 30 days of access, a price that favors its spread among cybercriminals.

Evasion features and techniques

Rhadamanthys is designed to collect a wide range of data: system information, credentials, cryptocurrency wallets, passwords stored in browsers, cookies, and data from numerous applications. It integrates numerous

Active Directory in the crosshairs! How criminal hackers steal NTDS.dit

Active Directory (AD) contains the organization’s digital keys: unauthorized access to this service exposes sensitive information and credentials that can lead to a complete domain compromise. Among the most critical assets is the NTDS.dit file, which stores the domain dataset and password hashes. This article reconstructs a real-world case in which malicious actors gained elevated privileges, extracted NTDS.dit, and attempted to exfiltrate it by bypassing common controls.

The strategic value of NTDS.dit

In a Windows environment dominated by Active Directory, the NTDS.dit (NT Directory Services Directory Information Tree) file represents the central database for the domain: it contains user accounts, group policies,

YiBackdoor Arrives: What You Need to Know and How to Protect Your Network

In a new report, Zscaler ThreatLabz has revealed details of a new malware family called YiBackdoor, first observed in June 2025. From the outset, the analysis highlighted significant source code matches with the IcedID and Latrodectus downloaders, and it is this connection that Zscaler points to as crucial to understanding the new sample’s possible origin and role in the attacks. The malware is a modular DLL library with a basic set of host remote control functions and a plugin-based extension mechanism. By default, its functionality is limited, but attackers can load additional modules to expand its capabilities. The program copies itself

Fezbox Malware: The NPM Package That Steals Cookies with QR Codes

Researchers discovered a malicious package called fezbox in npm that steals victims’ cookies. To ensure the malicious activity remains undetected, QR codes are used to download the malware from the attackers’ server. According to Socket researchers, attackers have found a new use for QR codes: hiding malicious code within them. Analysts have reported that the package contains hidden instructions to download a JPG image with a QR code, which is then processed to launch an obfuscated payload as part of the second stage of the attack. At the time of the malware’s discovery, the package had been downloaded at least 327 times

Two Dutch men arrested on suspicion of espionage with ties to Russia

Dutch police have arrested two 17-year-old boys on suspicion of espionage activities, with possible links to Russia, the Telegraaf newspaper reported on Friday. The father of one of the young men claimed his son was recruited via Telegram by a pro-Russian hacker. In August, the boy allegedly showed up at the offices of Europol, Eurojust, and the Canadian Embassy in The Hague carrying a so-called “Wi-Fi sniffer,” a device capable of detecting nearby wireless networks and intercepting their data. The prosecutor has not provided official comment on the case, citing the young age of the suspects. However, it has been confirmed that

Ukrainian cyber attack paralyzes Russian SBP payment system

Cyber specialists from Ukraine’s defense intelligence have successfully carried out an attack that paralyzed Russia’s national payment system, SBP. DIU sources shared the news with Militarnyi. According to them, the attack targeted the infrastructure used to finance organizations supporting aggression against Ukraine. Following a large-scale DDoS attack on the SBP system and the TransTeleCom provider, a significant number of Russians lost the ability to make instant transfers and pay for online purchases. Residents of Yekaterinburg took to social media to complain about the service disruptions, as people were unable to pay for transportation or refuel at gas stations. The cyberattack also

Zorin OS 18: The new beta version is now available

Zorin OS has released a beta version of its new release, Zorin OS 18. Currently, only the GNOME-based Core edition is available, without the proprietary library. According to Artem Zorin, a lightweight Xfce-based Lite version will arrive later, after the stable release. The system is based on Ubuntu 24.04 Noble Numbat, released almost a year and a half ago. However, the developers adhere to the “release when it’s ready” principle, rather than relying on a calendar. The previous version, 17.3, remains current and stable, although some users have been forced to downgrade from Noble to Jammy due to

Forget brains and notebooks! ChatGPT dominates classrooms.

ChatGPT usage has skyrocketed with the start of the new school year in the West, with token generation hitting record levels. According to OpenRouter, OpenAI’s popular chatbot processed 78.3 billion tokens on September 18, the highest level since the summer crash. In June 2025, when most schools were on holiday, average daily usage dropped to 36.7 billion tokens. By comparison, in May 2025, when exams and finals were held, the average was close to 80 billion per day. OpenRouter statistics, which track the activity of 2.5 million users, show how patterns vary dramatically depending on the academic calendar. Although the

A US agency was hacked due to an unresolved patch. CISA: Conduct vulnerability assessments!

Experts at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have reported a serious incident: hackers gained access to the network of a civilian federal agency by exploiting a critical vulnerability in the GeoServer server software. The issue affected an unpatched version of the platform, allowing attackers to remotely execute code and subsequently infiltrate the system. The critical vulnerability, designated CVE-2024-36401, was officially fixed on June 18, 2024, but many servers remained unpatched. About a month later, CISA added it to its public registry of actively exploited vulnerabilities. This was due to the public release of demonstration exploits published by several