Laravel Lang packages hijacked to deploy credential-stealing malware
… The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project. …
Search
Max-severity flaw in ChromaDB for AI apps allows server hijacking
… An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. …
Flipper One project needs community help to build open Linux platform
… Unlike Flipper Zero, which focuses on offline access control and radio technologies such as NFC, RFID, infrared, and sub-GHz communications, the Flipper One project is designed as a high-performance, Linux-based platform for networking and hardware experimentation, with sufficient processing power … …
Fake OpenAI repository on Hugging Face pushes infostealer malware
… The final payload is a Rust-based infostealer that targets the following sensitive data: Browser data from Chromium- and Gecko-based browsers e.g., cookies, saved passwords, encryption keys, browsing data, session tokens Discord tokens, local databases, and master keys Cryptocurrency wallets and wa… …
New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
… The disclosure spree began in April with BlueHammer , a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun , and a Windows Defender DoS tool, UnDefend . …
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
… If CanisterWorm landed on machines that matched Iran's timezone and locales, it would wipe it. …
Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
…CVE-2026-41096 Windows DNS Client Remote Code Execution Vulnerability Critical Power Automate CVE-2026-40374 Microsoft Power Automate Desktop Information Disclosure Vulnerability Important SQL Server CVE-2026-40370 SQL Server Remote…