From The Aether
Mozilla’s New Rule: Firefox Extensions Must Come Clean on Data Collection!
Starting November 2025, Firefox extension developers must disclose if their add-ons collect or share user data. This info goes in the manifest.json file, ensuring transparency. Extensions with no data collection must also declare this. Non-compliance? Expect a “You Shall Not Pass!” block from Mozilla’s add-on repository.
Summoning Team’s Epic Win: Master of Pwn Triumph at Pwn2Own Ireland!
The Summoning Team conjured victory at Pwn2Own Ireland 2025, snagging the Master of Pwn title and a hefty chunk of the $1,024,750 prize. How? By outsmarting top tech and making zero-days look like just another day in the park. Meanwhile, one hacker’s WhatsApp exploit stayed under wraps, proving some secrets are best left untold.
Cybersecurity Chaos: iOS 26 Wipes Spyware Evidence, Scouts Earn AI Badges, and More!
SecurityWeek’s cybersecurity news roundup is your backstage pass to the digital world’s drama, featuring the latest quirks like iOS 26 deleting spyware evidence faster than you can say “Pegasus,” and a Maryland vulnerability disclosure program that invites you to snitch on their systems—all wrapped in a concise and witty package!
PhantomCaptcha Strikes: Spear Phishing Attack Targets Ukraine Relief Efforts with Russian-Hosted RAT
SentinelOne’s report reveals a PhantomCaptcha spear phishing attack using a ClickFix-style CAPTCHA lure. This one-day operation targeted Ukraine’s war relief groups, tricking victims with fake emails and weaponized PDFs. The malicious campaign, hosted on Russian infrastructure, highlights the evolving threats faced by humanitarian efforts in the region.
Microsoft Patches WSUS: Legacy Code Strikes Again!
Microsoft’s out-of-band update for a critical Windows Server Update Services vulnerability is here to save the day—or at least prevent it from turning into a punchline. With CVE-2025-59287 lurking, it’s time for admins to patch up or unplug WSUS until further notice. Otherwise, it’s a one-way ticket to chaosville.
Cybersecurity Perception Gap: Why Execs Are Overconfident and Teams Are Overwhelmed
Does your organization suffer from a cybersecurity perception gap? According to the Bitdefender 2025 Cybersecurity Assessment, the answer is probably “yes.” Executives may think they’re ready for cyber threats, but those on the front lines might disagree. This discrepancy can lead to underinvestment and missed opportunities to strengthen cybersecurity.
Toys “R” Us Canada Data Breach: Personal Info Goes on Dark Web Toy Voyage
Toys “R” Us Canada customers got an unexpected surprise when their personal info took a detour to the dark web. While no credit card data was compromised, names and contact details were snagged. The company urges vigilance against potential phishing attacks. Remember, if a talking teddy bear asks for your PIN, just say no!
SharePoint Security Storm: Chinese Hackers and Ransomware Run Amok!
In a twist that would make any thriller proud, ToolShell vulnerabilities are exploited faster than you can say “SharePoint server.” The villains? None other than Linen Typhoon and Violet Typhoon, targeting everything from government to academia. It’s a strategic drama unfolding, and network segmentation is the hero we need to stop these attacks.
UK’s Digital ID Drama: Starmer’s Scheme Sparks Debate and Controversy!
Prime Minister Keir Starmer relaunched his digital ID scheme, claiming it’s about “cutting the faff” and modernizing Britain. While optional for retirees, it’s mandatory for new job seekers. However, the idea of rummage-free drawers has sparked more skepticism than excitement, with 2.9 million petitions calling for the scheme’s removal.
YouTube Ghost Network: The Malware Menace Lurking Behind Viral Videos
The YouTube Ghost Network is not your average ghost story. This malicious network, active since 2021, has been haunting YouTube users with malware hidden in videos about pirated software and Roblox cheats. It’s like Casper the Unfriendly Ghost—only instead of charming antics, it delivers malware straight to your device. Boo!
Fake Telegram X App Threat: 58,000 Android Devices Under Baohuo Siege!
A new Android threat, Android.Backdoor.Baohuo.1.origin, is spreading via fake Telegram X apps, giving attackers full control of users’ accounts. Disguised as a dating-enhanced version, it stealthily connects to remote servers. Victims, beware! This malware is as sneaky as a ninja in a library, but far less educational.
Microsoft Disables File Preview to Stop NTLM Hash Leaks: A Security Win or Inconvenience?
Microsoft disables the preview feature in Windows File Explorer for internet-downloaded files to prevent NTLM hash leaks. This update, part of the October 2025 Patch Tuesday, aims to protect users from attackers attempting to capture sensitive credentials. Because who knew that previewing files could be such a risky business adventure?
China’s Cyber Shenanigans: Middle East Telecoms Caught in the Patchy Patch Fiasco
China-linked hackers exploited the ToolShell SharePoint flaw CVE-2025-53770 to breach a Middle East telecom just days after a patch was issued. These cyber marauders are like digital ninjas, slipping through defenses with the agility of a caffeinated squirrel, leaving a trail of compromised servers and bewildered IT staff in their wake.
Shield AI’s X-BAT: The Jet-Powered VTOL Drone Ready to Ditch Runways and Steal the Show
Shield AI claims their new X-BAT drone can take off vertically, eliminating the need for a runway. It’s like a jet-powered ballerina—graceful, yet capable of delivering a tactical pirouette right into enemy territory. With VTOL, range, and multirole capability, X-BAT might just be the Swiss Army knife of the skies.
WhatsApp Hack Fizzles: $1 Million Exploit Goes MIA at Pwn2Own Ireland 2025!
At Pwn2Own Ireland 2025, the excitement was overshadowed by a researcher pulling a WhatsApp exploit worth $1 million. While hacks on routers, NAS devices, and smart speakers cashed in, the WhatsApp drama left everyone buzzing about what could have been—and what might still be lurking in Eugene’s code.
Patch Panic: Microsoft’s Urgent Fix for Wormable WSUS Vulnerability! 🚨
Microsoft has unveiled out-of-band (OOB) security updates for a critical WSUS vulnerability, CVE-2025-59287. This flaw enables remote code execution on Windows servers with the WSUS Server Role enabled. With proof-of-concept exploit code lurking online, patching is crucial to prevent potential wormable threats. Admins should update pronto or risk unleashing chaos on their networks.
DevOps Under Siege: GlassWorm Turns VS Code Extensions into Cyber Weapons
The GlassWorm worm spreads like a bad rumor through Visual Studio Code extensions, targeting developers and using the Solana blockchain for command-and-control. With invisible Unicode characters and Google Calendar as a backup, this worm turns developer machines into crypto-draining, proxy-serving zombies. It’s the malware equivalent of a really bad house guest.
Hackers Hit the Jackpot: Pwn2Own Ireland 2025 Awards Over $1 Million for Zero-Day Exploits!
At Pwn2Own Ireland 2025, hackers snagged $1,024,750 by exploiting 73 zero-day vulnerabilities. From iPhones to smart glasses, nothing was safe from their digital wizardry. Summoning Team took top honors, while Team Z3 skipped a $1 million prize, choosing discretion over dollars. Zero Day Initiative ensures these cyber secrets don’t end up in the wrong hands.
Iran’s Cyber Pranksters: MuddyWater Strikes Again in MENA Espionage Spree
MuddyWater strikes again! Iran’s favorite cyberespionage crew has breached over 100 government entities across the Middle East and North Africa. Using a legitimate mailbox and VPN, they sent phishing emails packed with malware. With these muddy tactics, they’re proving that when it comes to espionage, Iran’s playbook is clear—even if the waters aren’t.
Pwn2Own Chaos: Hackers Score $792K for 56 Zero-Days in Epic Exploit Extravaganza
Pwn2Own Ireland 2025 Day 2 ends with hackers earning $792,750 for 56 zero-days, led by The Summoning Team’s Samsung Galaxy exploit. The event targets flagship smartphones, smart home devices and more, with $167,500 already claimed by the leading team. Will hackers leave any device unexploited? Stay tuned for Day 3!
