Matrix Push C2 is a browser-native command-and-control framework that hijacks web push notifications to deliver phishing prompts, brand-spoofed alerts and malware. By abusing legitimate notification flows, it turns a routine “Allow notifications” click into a persistent phishing channel that most security stacks barely monitor.
TamperedChef malware no longer hides only behind a rogue PDF editor. In its latest evolution, the campaign uses signed fake software installers, malvertising and SEO poisoning to deliver an obfuscated JavaScript backdoor via a dropped XML-scheduled task. Telemetry shows a strong footprint in the U.S. and heavy impact on healthcare, construction and manufacturing, where users often search online for product manuals and tools. This article unpacks the global infrastructure, shell-company certificates and execution chain so defenders can hunt and harden effectively.
The RondoDox botnet now targets unpatched XWiki servers through CVE-2025-24893, a critical eval injection flaw that lets any guest execute remote code and drop miners, turning forgotten wiki instances into entry points and compute fuel.
macOS now attracts serious attention from nation-state and criminal actors, especially credential stealers. A new public dataset, Malet, and a static analysis tool, Katalina, give defenders large-scale visibility into Mach-O malware traits. Teams can use them to tune EDR, test vendor claims, and finally treat Mac fleets as first-class citizens.
A threat actor has registered over 4,300 look-alike hotel booking domains, launching a large-scale phishing campaign that impersonates major travel brands to steal payment card data from unsuspecting guests.
A fake Chrome wallet called “Safery” steals seed phrases by encoding them into Sui addresses and sending dust transactions, allowing attackers to reconstruct mnemonics later. Consequently, users risk full account takeover. Enforce extension allowlists, remove unknown wallets, rotate seeds, and migrate assets to new addresses immediately.
CISA warned that multiple federal agencies still haven’t fully patched Cisco ASA/FTD devices despite active exploitation. Because the campaign targets the VPN web server and enables device takeover, teams must apply fixes for CVE-2025-20333/20362, follow ED 25-03 inventory and validation steps, and disconnect end-of-support hardware. This analysis explains impact, attack flow, high-signal detection, and fast remediation so defenders can reduce edge-device risk without slowing operations.
A worm-like spam campaign flooded npm with tens of thousands of fake packages, polluting search results and straining CI/CD. Consequently, treat registries as hostile input. Enforce allowlists, verify npm provenance with Sigstore, disable lifecycle scripts by default, and promote dependencies through SLSA-aligned stages to cut risk.
Apache OpenOffice 4.1.16 fixes seven vulnerabilities that allowed silent external content loading and possible memory corruption during CSV import. Update immediately, restrict DDE and Calc external data sources, and replace templates that embed remote URLs. Verify the new prompts and monitor document-triggered network fetches
Google filed a lawsuit in New York to disrupt “Lighthouse,” a phishing-as-a-service network behind large-scale smishing. Consequently, the case seeks injunctions, domain seizures, and damages. For defenders, the move creates detection windows as operators pivot infrastructure so tighten filters, accelerate takedowns, and harden fraud telemetry now.