PhantomRaven is a crafty software supply chain attack targeting the npm registry with over 100 malicious packages. By exploiting Remote Dynamic Dependencies, attackers cleverly hide their code, making it invisible to security scanners. Developers beware! These packages are stealthier than a ninja in a library.

People’s Postcode Lottery players got a surprise peek at others’ personal info due to a technical glitch. Instead of winning numbers, users saw names and addresses. PPL swiftly pulled the site offline, ensuring no more accidental prize draws for privacy breaches. They’re now offering free Experian credit monitoring to those affected.

Matrix hopes to be the lifeboat as Europe looks for secure communication alternatives. With France and Germany leading the charge, the continent is embracing Matrix’s decentralized approach. Meanwhile, the European Commission is dipping its toes in the Matrix pool, but anyone hoping for a Teams breakup? Keep dreaming!

Australian Peter Williams, 39, former boss of a US defense contractor, confessed to selling zero-day exploits to a Russian cyber broker. For a tidy sum in cryptocurrency, he transmitted stolen cyber secrets in encrypted form, aiding Russian cyber actors. This cybersecurity breach is being viewed as a national security threat.

Dentsu’s U.S. subsidiary Merkle got hacked, exposing staff and client data. Cyber crooks left the marketing giant scrambling to unplug systems faster than a bad karaoke machine. No ransom note yet, but Dentsu’s on high alert, and impacted folks are getting free dark web monitoring as a silver lining.

An Australian national, Peter Williams, has pleaded guilty to stealing trade secrets from a US defense contractor and selling them to a Russian broker. He traded $35 million worth of cyber exploits for cryptocurrency, which he then used to buy luxury items. He faces up to 20 years in prison and hefty fines.

Beware of sneaky impostors! Ten malicious npm packages, including typescriptjs and react-router-dom.js, have been pilfering sensitive data from nearly 10,000 developers. These impostor packages use typosquatting and a fake CAPTCHA to trick users into downloading an info-stealer that loves collecting credentials. Always double-check package names before installing—you don’t want your data taking an unexpected vacation!

Microsoft suffered a massive infrastructure disruption on October 29, 2025, due to a misconfiguration in its cloud network. The outage impacted Azure, Microsoft 365, Teams, and even gaming services like Xbox Live. As Microsoft scrambles to fix the chaos, businesses are left pondering their dependency on single cloud providers.

Cybersecurity threat alert! Zimperium’s investigation reveals a new malware menace targeting Android users through tap-to-pay systems. Dubbed “Tap-and-Steal,” this NFC relay malware disguises itself as trusted apps, turning devices into payment fraud tools. Stay alert, download apps wisely, and don’t let your phone become a cybercriminal’s dream machine!

Canada’s cyber agency warns that hacktivists have breached the country’s critical infrastructure, causing chaos at water, oil, and agricultural facilities. These cyber pranksters have turned serious systems into a high-stakes game of whack-a-mole, risking public safety to discredit organizations and tarnish Canada’s image.

AI cloaking is turning classic SEO tricks into powerful misinformation weapons, fooling AI crawlers like Atlas into swallowing bogus narratives. Researchers have shown how easy it is to make AI tools rank fake profiles highly by feeding them doctored résumés. It’s context poisoning, not hacking—just serving up digital deception with a side of chaos.

Microsoft’s Azure cloud platform had an outage due to an “inadvertent configuration change.” This marks the second major cloud outage in two weeks. Even Azure’s status page went down—talk about a bad day at the office! Remember, when one tech giant sneezes, the whole internet catches a cold.

CyberCorps scholars, eager to protect the nation’s infrastructure, now face a plot twist: a career fair cancellation and looming debt. This “Hunger Games”-style job hunt has them scrambling for opportunities, as federal hiring freezes leave them in the lurch. Will the program’s future be a comedy or tragedy? Only time will tell.

PhantomRaven’s invisible dependencies pose a serious challenge by using Remote Dynamic Dependencies to sneak malicious code past security tools. These packages cleverly exploit npm’s little-known feature, masquerading as harmless. Threat actors employ slopsquatting, using AI hallucinations to name fake packages, duping developers into compromising their systems with malicious npm packages.

Hold onto your server hats, folks! The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is dealing with a vulnerability that’s got subscribers reading files like a bestseller. Identified as CVE-2025-11705, this bug invites low-privileged users to peek at confidential info. Plugin update 4.23.83 is your new best friend!

A critical bug in Chromium’s Blink engine allows browsers to crash in seconds, causing chaos for billions worldwide. Security researcher Jose Pino’s exploit, Brash, highlights the issue that affects nine major browsers. It won’t lead to ransomware but could still ruin your day and your open tabs.

Hacktivists have repeatedly breached Canada’s critical infrastructure, and the Canadian Centre for Cyber Security urges stronger security for internet-exposed Industrial Control Systems (ICS). Recent incidents involved tampering at key facilities, causing disruptions and potential dangers. Authorities emphasize that while these attacks weren’t sophisticated, they highlight the risk of poorly protected ICS components.

Automated attacks on PHP servers are spiking, thanks to botnets like Mirai, Gafgyt, and Mozi exploiting CVE vulnerabilities. These botnets are now the digital Swiss Army knives of cybercrime, targeting everything from IoT devices to cloud gateways. Keep your systems updated and your debug tools at bay, or risk becoming another botnet minion.

Microsoft’s Azure virtual networks are getting a security makeover, shifting default settings from public to private subnets. This change, now delayed until March 2026, aims to align with zero-trust principles and prevent unintended internet access. Companies should prepare or risk their cloud apps throwing tantrums like toddlers in a candy store.

Stay updated with EFF’s EFFector newsletter, where we serve digital privacy and free expression with a side of humor. Learn about our lawsuit against the U.S. government’s ideological social media surveillance program, and enjoy our audio companion featuring EFF Staff Attorney Lisa Femia. Join us in the fight for a brighter digital future!