The Hacker News
@thehackernews
Technologies
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking. 📨 Contact: [email protected] 🌐 Website: https://thehackernews.com
Recent posts
Posted Nov 30
🚨 CISA added a real-world exploited flaw in OpenPLC ScadaBR to its Known Exploited Vulnerabilities list. Hackers used the bug (CVE-2021-26829) to deface a fake water plant system in under 26 hours — disabling logs and alarms. Read → https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
Posted Nov 28
⚠️ Researchers found old Python code that could expose projects to a supply chain attack. Some PyPI packages — including Tornado and slapos.core — still call an expired domain that anyone could buy and use to run malicious code. Details ↓ https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html
Posted Nov 28
🚨 North Korean hackers uploaded 197 malicious npm packages (31K+ downloads). They drop a new OtterCookie variant that steals passwords, crypto data, and screenshots — all from a fake job interview setup. Details here ↓ https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
Posted Nov 28
VPNs weren’t built for today’s hybrid networks. Hackers now exploit them as entry points to steal admin creds. Remote Privileged Access Management (RPAM) closes that gap — no VPNs, no shared passwords, full session tracking. Why it’s replacing PAM → https://thehackernews.com/2025/11/why-organizations-are-turning-to-rpam.html
Posted Nov 27
Hackers posing as Kyrgyzstan’s Justice Ministry are spreading 2013-era NetSupport RAT across Kyrgyzstan and Uzbekistan using fake PDFs and old Java tricks—blocking outsiders to hide the attack. Old tools. New victims. → https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html
Posted Nov 27
Microsoft will block all non-Microsoft scripts on Entra ID logins starting Oct 2026. If your sign-in flow or browser extension injects any code, it may break — so test ASAP. The new Content Security Policy only lets trusted Microsoft-hosted scripts run. Read more → https://thehackernews.com/2025/11/microsoft-to-block-unauthorized-scripts.html
Posted Nov 27
🚨 New ThreatsDay Bulletin is live! 🤖 AI malware that learns your habits 📞 Voice bots turned into attack tools 💸 Crypto rings laundering billions 🔌 IoT gear under siege again 🌍 Smishing scams spreading worldwide All that and 20+ more stories shaping the week in cybersecurity. 🔗 Read now: https://thehackernews.com/2025/11/threatsday-bulletin-ai-malware-voice.html
Posted Nov 27
🛑 Gainsight just revealed more customers were affected than originally disclosed. Salesforce revoked all Gainsight access tokens after the breach tied to ShinyHunters — and the same user-agent from prior Salesloft attacks popped up again. The full scope remains unknown. Read here → https://thehackernews.com/2025/11/gainsight-expands-impacted-customer.html
Posted Nov 26
⚠️ Hundreds of Maven packages just got caught running Shai-Hulud v2 — the same malware that hijacked npm. It spread through automated rebuilds, infecting devs who never used npm. Hiding in the Bun runtime, it steals GitHub + cloud creds and self-replicates like a worm — already leaking 11,000+ secrets across 4,600 repos. Details here ↓ https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html
Posted Nov 26
⚠️ Eight “advanced” tools failed at once. A phishing attack slipped past all of them and reached exec inboxes. Only one thing stopped it — a strong SOC. 🔗 Learn why your “first line” is useless without the last ↓ https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html
Posted Nov 26
🔥 Hackers hit South Korea’s banks through one IT vendor — spreading Qilin ransomware to 28 firms and stealing 2 TB of data. Evidence suggests Russian and North Korean groups worked together. Full story ↓ https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html
Posted Nov 26
🤖 We talk a lot about securing AI. Almost no one talks about where it’s actually hiding. NetworkChuck just dropped a video with Wiz, showing how they’re finding hidden AI risks—“shadow AI”—before attackers do. It’s a smart look at where cloud security is headed next. 🚀 See Wiz in Action → https://thn.news/cloud-security-demo