The Hacker News

"Researchers uncover 30+ flaws in AI coding tools enabling theft and RCE attacks."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 06 December 2025, 2344 UTC.

Content and Source:  "The Hacker News."

URL-- https://thehackernews.com/

Please check URL or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks

Dec 06, 2025AI Security / Vulnerability

Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. The security shortcomings have been collectively named IDEsaster by security researcher Ari Marzouk (MaccariTA). They affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, among others. Of these, 24 have been assigned CVE identifiers. "I think the fact that multiple universal attack chains affected each and every AI IDE tested is the most surprising finding of this research," Marzouk told The Hacker News. "All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model. They treat their features as inherently safe because they've been there for years. However, once you add A...

Enhance Microsoft Intune to Optimize Endpoint Management

Action1Patching / Endpoint Management

Pairing Intune with a dedicated patching tool improves control and visibility for remote teams. See how.

Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

Dec 06, 2025Vulnerability / Patch Management

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities ( KEV ) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It's also tracked as React2Shell. "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," CISA said in an advisory. The problem stems from insecure deserialization in the library's Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbi...

Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails

Dec 05, 2025Email Security / Threat Research

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them access to read emails, as well as browse files and folders, and perform actions like moving, renaming, or deleting content. For instance, a prompt issued by a benign user might look like this: "Please check my email and complete all my recent organization tasks." This will cause the browser agent to search the inbox for relevant messages and perform the necessary actions. "This behavior reflects excessive agency in LLM-powered assistants where the LLM performs actions that go far beyond the user's explicit request," security researcher Amanda Rousseau said in ...

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

Dec 05, 2025Application Security / Vulnerability

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity ( XXE ) injection attack. The vulnerability, tracked as CVE-2025-66516 , is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability. It affects the following Maven packages - org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2) org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2) org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0) XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in tur...

Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

Dec 05, 2025Vulnerability / Software Security

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell , which allows unauthenticated remote code execution . It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity security flaw. "Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors," CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News. Specifically, the tech giant said it identified infrastructure associated wit...

Default Admin Rights Are a Hacker's Dream – and Keeper is Their Nightmare

Keeper SecurityPrivilege Management / Zero Trust

Eliminate standing admin rights and enable Just-in-Time access across all Windows, Linux and macOS endpoints.

Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery

Dec 05, 2025Mobile Security / Zero Day

A human rights lawyer from Pakistan's Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware, Amnesty International said in a report. The link, the non-profit organization said, is a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has dismissed the allegations, stating "there is not an iota of truth in it." The findings come from a new joint investigation published in collaboration with Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss tech site Inside IT. It's based on documents and other materials leaked from the company, including internal documents, sales and marketing material, and training videos. Intellexa is the mak...

"Getting to Yes": An Anti-Sales Guide for MSPs

Dec 05, 2025Business Continuity / Compliance

Most MSPs and MSSPs know how to deliver effective security. The challenge is helping prospects understand why it matters in business terms. Too often, sales conversations stall because prospects are overwhelmed, skeptical, or tired of fear-based messaging. That's why we created "Getting to Yes": An Anti-Sales Guide for MSPs . This guide helps service providers transform resistance into trust and turn sales conversations into long-term partnerships. In the guide, you'll learn how to shift from persuasion to partnership, uncover what really drives objections, and lead with credibility as a trusted cyber advisor. Why Traditional Cybersecurity Sales Strategies Don't Work Today's buyers aren't saying "no" to your services because they don't care about security. They're saying "no" because they don't understand what they're hearing. Most SMBs already know cybersecurity is important. In fact, 57% call it a top priority. However, they're lost in complexity, jargon, and vendor noise. Wh...

CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems

Dec 05, 2025Network Security / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said . "BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control." Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-o...

JPCERT Confirms Active Command Injection Attacks on Array AG Gateways

Dec 05, 2025Vulnerability / Network Security

A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week. The vulnerability, which does not have a CVE identifier, was addressed by the company on May 11, 2025. It's rooted in Array's DesktopDirect, a remote desktop access solution that allows users to securely access their work computers from any location. "Exploitation of this vulnerability could allow attackers to execute arbitrary commands," JPCERT/CC said . "This vulnerability affects systems where the 'DesktopDirect' feature, which provides remote desktop access, is enabled." The agency said it has confirmed incidents in Japan that have exploited the shortcoming after August 2025 to drop web shells on susceptible devices. The attacks have originated from the IP address " 194.233.100[.]138 ." There are currently no details available on the scale of the...

Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China

Dec 04, 2025Endpoint Security / Cybercrime

The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China. The search engine optimization (SEO) poisoning campaign leverages Microsoft Teams lures to trick unsuspecting users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0), a known malware associated with the Chinese cybercrime group. The activity has been underway since November 2025. "This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified 'ValleyRAT' loader containing Cyrillic elements – likely an intentional move to mislead attribution," ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News. ValleyRAT, a variant of Gh0st RAT, allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-ter...

ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts— and 15 More Stories

Dec 04, 2025Cybersecurity / Hacking News

Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other. Here's a quick rundown of the latest cyber stories that show how fast the game keeps changing. DeFi exploit drains funds Critical yETH Exploit Used to Steal $9M A critical exploit targeting Yearn Finance's yETH pool on Ethereum has been exploited by unknown threat actors, resulting in the theft of approximately $9 million from the protocol. The attack is said to have abused a flaw in how the protocol manages its internal accounting, stemming from the fact that a cache containing calculated values to save on gas fees was never cleared when the pool was completely emptied. "The attacker achieved this by minting an astronomical number of tokens – 235 septillion yETH (a 41-digit number) – while depositing only 16 wei, worth approxim...

5 Threats That Reshaped Web Security This Year [2025]

Dec 04, 2025Web Security / Data Privacy

As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies. Here are the five threats that reshaped web security this year, and why the lessons learned will define digital protection for years to come. 1. Vibe Coding Natural language coding, " vibe coding " , transformed from novelty to production reality in 2025, with nearly 25% of Y Combinator startups using AI to build core codebases. One developer launched a multiplayer flight simulator in under three hours, eventually scaling it to 89,000 players and generating thousands in monthly revenue. The Result Code that functions perfectly yet contains exploitable flaws, bypassing traditional security tools. AI generates what you ask for, not what you forget...