Cybersecurity researchers have discovered a vulnerability in OpenAI's ChatGPT Atlas browser that allows attackers to inject malicious instructions into the AI's persistent memory via a CSRF flaw, potentially leading to unauthorized code execution, account hijacking, and malware deployment. The risk is heightened by weak anti-phishing controls and by the ability of tainted memories to persist across sessions and devices.
Cisco warns of two critical zero-day vulnerabilities in its ASA and FTD software, actively exploited in the wild, prompting CISA to issue an emergency mitigation directive for federal agencies. The vulnerabilities allow remote code execution and unauthorized access, with ongoing attacks linked to a threat group called ArcaneDoor, posing significant risks to affected networks.
A security flaw in the Gemini CLI coding tool allows hackers to execute malicious commands silently, bypassing user notifications, due to inadequate command whitelisting. The vulnerability was exploited through crafted prompt injections that tricked the tool into running harmful commands without alerting the user. Users are advised to update to version 0.1.14 and run untrusted code in sandboxed environments to mitigate risks.
Google released emergency patches for Chrome after discovering a high-severity zero-day vulnerability (CVE-2025-5419) actively exploited in the wild, affecting the V8 engine and prompting users to update their browsers immediately.
Thousands of ASUS routers have been compromised by a persistent botnet that survives firmware updates and reboots, potentially controlled by a nation state, with affected models including RT-AC3100, RT-AC3200, and RT-AX55. The only recommended mitigation is to factory reset the routers and then update the firmware, as the infection cannot be removed by updates alone.
Velocore, a decentralized exchange on the zkSync and Linea blockchains, suffered a $10 million exploit targeting its liquidity provider tokens. Despite passing security audits, hackers transferred over 700 ETH to the Ethereum mainnet. While Velocore's stable pools were unaffected, the team is working with security experts and centralized exchanges to freeze the stolen assets. The incident caused a 5% drop in Velocore's native token VC, though zkSync and Linea blockchains remained largely unaffected.
The meme coin Normie (NORMIE) plummeted 99% after attackers exploited a tax function in its contract, manipulating the token's supply and draining its liquidity pools. The attacker offered to return 90% of the stolen funds if the developers agreed to relaunch the project, which they accepted. The attacker criticized the contract code as a "copy-paste" job, highlighting the lack of thorough review. The exploit caused significant losses for investors, with one losing $1.6 million. Normie's market cap dropped from over $40 million to just $700.
Wuthering Waves, a new gacha game from Kuro Games, is facing technical issues at launch, prompting an apology and compensation from the developer. Players discovered an exploit to access an upcoming character early by changing their system date, which has been patched in the Chinese version but may still work in the Western version. Kuro Games is working to resolve various issues, including login problems, crashes, and performance glitches.
Helldivers 2 players have been exploiting a glitch to farm Super Credits for free, prompting developer Arrowhead to acknowledge the issue. Players have been using a method involving force-quitting the game on PC or shutting down their PS5 console to retain the earned Super Credits. Arrowhead has assured the community that they are aware of the exploit and are working on a fix, although the timing of the remedy is uncertain due to other ongoing development priorities.
Google's Threat Analysis Group and Mandiant observed a significant increase in zero-day vulnerabilities exploited in attacks in 2023, with over 50% linked to spyware vendors and their clients. Commercial surveillance vendors were responsible for 50% of all zero-day exploits used in the wild, with Chinese cyber espionage groups exploiting 12 zero-day vulnerabilities. Google advised high-risk users to enable security features on their devices and enroll in its Advanced Protection Program to defend against zero-day attacks. The U.S. has also taken actions, including sanctions and visa restrictions, targeting individuals and entities linked to commercial spyware.
Researchers have uncovered the GoFetch security exploit affecting Apple M-series and Intel Raptor Lake CPUs, which takes advantage of data memory-dependent prefetchers (DMPs) to leak potentially sensitive data. While software patches can disable DMP on some processors, it's not possible for M1 and M2 chips, posing a significant security risk. One workaround involves running cryptographic work solely on the Icestorm cores, but this may result in performance penalties. The potential for future vulnerabilities in Apple's next generation CPUs raises concerns about the security of DMP and the need for effective solutions.
University security researchers have discovered a chip-level exploit in Apple Silicon Macs that can bypass encryption and access security keys, potentially exposing private data to hackers. The exploit, named GoFetch, requires complex conditions and the circumvention of Apple’s Gatekeeper protections, reducing the real-world threat. While Apple may not be able to fix existing chips with software updates without impacting performance, Gatekeeper's default settings provide a significant level of protection against installing malicious apps.
The individual responsible for hacking an Apex Legends global tournament claims it was done "just for fun" and to prompt developer Respawn to patch the exploit. The hack affected two players during the North American finals, causing the tournament to be postponed. The hacker insists they did not access the players' computers and that the exploit was not related to the game's server. Despite refusing to disclose the details of the exploit, the hacker believes Respawn can patch it without external reports. Respawn has issued updates to protect the Apex Legends community.
A Baldur's Gate 3 player has managed to beat the game's hardest difficulty setting, Honour Mode, by casting the game's worst spell, True Strike, 2,468 times. True Strike is known for being one of the worst spells in D&D and Baldur's Gate 3, as it doesn't deal any damage. The player used a cheesy strategy involving stacking Reverberation to eventually deal minimal thunder damage. This feat adds to the player's list of impressive challenges, including beating the game without leveling up and finishing a run without resting.
Scene developer Kameleon has released a port of PSFree to PS4 Firmware 7.02, integrated with the 7.02 kernel exploit implementation by Chendochap, offering a more stable implementation for those on lower firmwares. PSFree is a WebKit exploit for PS4 firmwares 6.00 to 9.60 and PS5 firmwares 1.00 to 5.50, providing limited access to run unsigned code on the console. Users can access the exploit directly from Kameleon's host or self-host the files to use the exploit.