Google patches critical Chrome ServiceWorker bug (CVE-2025-10200) and Mojo flaw (CVE-2025-10201)

Google has shipped a security update for Chrome that fixes a critical use-after-free vulnerability in the ServiceWorker component, tracked as CVE-2025-10200. The issue, reported by security researcher Looben Yang, earned a $43,000 bug bounty. A second flaw, CVE-2025-10201, affecting Mojo (Chrome’s IPC framework), was also addressed, with $30,000 awarded to Sahan Fernando and an anonymous … Read more

NX supply chain attack: s1ngularity breach exposes 7,200 repositories, 2,180 accounts, and active tokens

Researchers at Wiz have detailed a significant supply chain compromise involving NX, a widely used open-source build and monorepo platform for JavaScript/TypeScript. The s1ngularity-led intrusion affected 2,180 accounts and exposed contents from 7,200 repositories, with a portion of stolen secrets still valid—underscoring systemic risk across CI/CD workflows and package ecosystems. Scope and impact: active secrets … Read more

Google adds C2PA Content Credentials to Pixel 10 and Google Photos to authenticate images and AI edits

Google is integrating Content Credentials based on the C2PA standard into the Pixel 10 camera app and Google Photos. The move aims to make image provenance verifiable by default, helping users distinguish authentic photos from AI-generated or AI-edited content and strengthening platform defenses against deepfakes and visual disinformation. What C2PA Content Credentials are and how … Read more

Ex-WhatsApp Whistleblower Sues Meta Over Alleged Engineer Access: What It Means for Insider Risk and Compliance

A former WhatsApp employee has filed a whistleblower lawsuit against Meta, alleging that his February 2025 termination followed repeated efforts to flag systemic cybersecurity weaknesses. The complaint, brought under the Sarbanes–Oxley Act (SOX), claims the issues could mislead investors and undermine internal controls required by securities regulations. Whistleblower lawsuit: alleged overbroad engineer access in WhatsApp … Read more

Fina CA’s Unauthorized Certificates for Cloudflare’s 1.1.1.1 Expose PKI Blind Spots on Windows

Cloudflare has confirmed that the certification authority Fina issued 12 unauthorized TLS certificates for the IP address 1.1.1.1—Cloudflare’s public DNS resolver—without Cloudflare’s approval. The certificates, dated from February 2024 through August 2025, were surfaced via Certificate Transparency (CT) logs and discussed on the Mozilla dev-security-policy mailing list, prompting swift remediation efforts. What Happened: Chain of … Read more

Google Refutes Gmail Breach Claims and Mass Password Reset Rumors

Google has clarified that it did not issue a broad-based alert or force a mass password reset for Gmail users. Contrary to sensational headlines suggesting a sweeping warning to billions of accounts, the company said there is no evidence of a compromise of Gmail’s infrastructure and that reports of a “mass breach” are inaccurate. What … Read more

Android September 2025 Security Update Fixes 120 Flaws; Two Zero-Days Already Exploited

Google has released the September 2025 Android Security Bulletin, addressing 120 vulnerabilities across the OS and ecosystem components. The company confirms at least two zero-days—CVE-2025-38352 (Linux kernel privilege escalation) and CVE-2025-48543 (Android Runtime privilege escalation)—were exploited in limited, targeted, user-interaction-free attacks. Android September 2025 security update: what’s fixed and why it matters CVE-2025-38352 is a … Read more

Microsoft Tightens UAC for MSI Repair to Mitigate CVE-2025-50173, Impacting Silent Installs and Per-User Setups

Microsoft’s August 2025 cumulative security update for Windows (KB5063878) and subsequent releases introduced stricter User Account Control (UAC) enforcement for Windows Installer repair flows. The change addresses a privilege escalation vulnerability, CVE-2025-50173, that could allow an authenticated attacker to obtain SYSTEM-level privileges via MSI self-repair scenarios. What changed in UAC and Windows Installer To mitigate … Read more

PromptLock: AI-Powered Ransomware Prototype Validates LLM-Orchestrated Attack Model

ESET has verified that samples of PromptLock uploaded to VirusTotal in late August 2025 were not part of an in-the-wild campaign but an academic proof-of-concept (PoC) developed by researchers at NYU Tandon School of Engineering. Despite the clarification, ESET maintains its original assessment: PromptLock is the first publicly known ransomware specimen that delegates malicious logic … Read more

Salesloft Shuts Down Drift After OAuth Token Theft Exposes SaaS-to-SaaS Risk

Salesloft has temporarily disabled the Drift platform effective September 5 following a large-scale supply chain intrusion in which attackers stole customer OAuth and refresh tokens. The shutdown is intended to enable full forensic analysis and harden defenses before restoring services. What Happened: OAuth Token Theft Across Integrations The incident centers on Salesloft Drift, which integrates … Read more