hosang I.T.


Everything posted by reporter

  1. Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now. The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at "login.microsoftonline[.]com" by only letting scripts from trusted Microsoft domains run. "This update strengthens security and adds an extra … View the full article
  2. If you're using community tools like Chocolatey or Winget to keep systems updated, you're not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch... The very tools that make your job easier might also be the reason your systems are at risk. These tools are run by the community. That means anyone can add or update packages. Some … View the full article
  3. Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world. Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight. But they’re not the only ones moving fast. Governments and security teams are fighting back, shutting down fake … View the full article
  4. Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought. The company said Salesforce initially provided a list of 3 impacted customers and that it has "expanded to a larger list" as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said "we … View the full article
  5. The National Trust said it was looking into the matter. View the full article
  6. Mervyn Thomas said the US was right to redesignate Nigeria a “Country of Particular Concern” after an "unprecedented rise in insecurity". View the full article
  7. One victim was told domestic violence was her cross to bear. View the full article
  8. Every fourth Thursday of November, Americans mark Thanksgiving. American Thanksgiving is a relatively modern tradition, but the principle behind it has a long biblical basis and liturgical history. This is the story … View the full article
  9. "We were having dinner one night, just the two of us in Dallas, and I said, 'You know, the thing we need to do is the Resurrection.'" View the full article
  10. The government of the world’s oldest Christian nation, the first to raise the Cross above the crescent and the hammer and sickle alike, now persecutes its own clergy. The message is chilling: faith itself is a political crime in Armenia. View the full article
  11. More than a year after she filed for divorce from televangelist Benny Hinn, Suzanne Hinn's marriage to the popular faith-healer is now officially over for a second time in 46 years. View the full article
  12. More than a year after she filed for divorce from televangelist Benny Hinn, Suzanne Hinn's marriage to the popular faith-healer is now officially over for a second time in 46 years. View the full article
  13. The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." The … View the full article
  14. A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.
Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.
[Figure: The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.]
Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.
SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm Crowdstrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (Crowdstrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).
[Figure: The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.]
Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.
The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.
[Figure: A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.]
Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion. “This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.
Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.
WHO IS REY?
According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.
The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.
“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”
[Figure: A message posted to Telegram by Rey/@wristmug.]
In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.
O5TDEV
Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: [email protected]. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).
Intel 471 shows the email address [email protected] belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.
[Figure: Rey/o5tdev’s defacement pages. Image: archive.org.]
A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.
“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”
The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].
‘I’M A GINTY’
Flashpoint shows that Rey’s Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland. Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”
[Figure: Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.]
Spycloud indexed hundreds of credentials stolen from [email protected], and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan. The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.
MEET SAIF
The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,'” said Saif, who told me he turns 16 years old next month.
“So I decided to talk to you directly.”
Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.
“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.
[Figure: The former Hellcat ransomware site. Image: Kelacyber.com]
He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”
Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.
“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”
Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.
“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”
Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.
“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said. View the full article
  15. On November 24, 2025, Docker Hardened Images resolved CVE-2025-12735 in the Kibana project, which is the visualization and user interface layer for Elasticsearch. This CVE is a critical remote code execution vulnerability that scored 9.8 on the CVSS scale.
While images from other hardened image vendors were still carrying the vulnerability, Docker’s security team and tooling not only patched the CVE for Docker Hardened Images users, but also submitted the fix to the upstream LangChain.js project. Once that pull request merges, every application that depends on LangChain.js will benefit from a more secure foundation across the entire ecosystem.
We always default to upstream patching when possible because it protects everyone who depends on these libraries – not just Docker users. Upstream patches require effort. You have to submit a PR and get it approved by the project. That can mean back and forth with maintainers. Security teams are under intense time pressures. But when we fix expr-eval for LangChain.js, we’re protecting not just Kibana users but every application that depends on that library. That’s over one million weekly downloads that become more secure.
Another Nested Dependency, Another Ticking Time Bomb
CVE-2025-12735 originated in expr-eval, a JavaScript expression parser and evaluator library. The vulnerability allowed attackers to inject crafted variables into evaluate(), enabling untrusted code paths to execute logic the application never intended. Three layers deep into the dependency chain, there was a critical RCE vulnerability in unmaintained code. In practice, this gave attackers a pathway to execute malicious behavior within affected applications. The library hadn’t been updated in years.
LangChain.js depends on expr-eval, which means any application or service built with LangChain.js inherits the vulnerability. This includes AI assistants, workflow tools, and LLM-powered applications widely deployed across the industry.
Kibana was affected by the same dependency chain.
This matters because LangChain.js has become a foundational component in modern application development. The library provides a framework for building applications powered by large language models, and it has been downloaded millions of times from npm. As of November 18, 2025, the npm package langchain (which includes LangChain.js) receives approximately 1,018,076 weekly downloads. Organizations use LangChain.js to build chatbots, document analysis systems, customer service platforms, and AI-powered search tools.
When a vulnerability exists in LangChain.js or its dependencies, it potentially affects thousands of production applications across the technology industry. This is exactly the attack surface that sophisticated adversaries target. The 2024 XZ Utils backdoor attempt demonstrated how attackers focus on dependencies precisely because they affect so many downstream projects. Old vulnerabilities remain a persistent challenge because organizations focus on direct dependencies while nested dependencies slip through the cracks.
Why We Must Fix at the Source, Fast
Many security and hardened image vendors scan for CVEs, flag them, and patch their own images. The vulnerability remains in the upstream project. The next build cycle reintroduces it. The problem persists for every other user of that dependency chain.
This approach treats symptoms instead of causes. You patch your copy of Kibana. The next developer who builds from upstream gets the vulnerable version. Other container image providers may still ship the vulnerable dependency until their next update cycle. When the next CVE gets assigned to expr-eval, the cycle repeats.
Docker takes a different approach. When the Docker Security team identified CVE-2025-12735 in Kibana, we traced it back through the dependency chain to expr-eval.
Rather than applying a surface-level patch, we replaced the unmaintained library with math-expression-evaluator, an actively maintained alternative that did not have the vulnerability. Then we contributed that fix upstream to LangChain.js: Pull Request #9391.
This approach delivers three outcomes:
  • Docker Hardened Images users got immediate protection. The updated Kibana image shipped without the vulnerable dependency. There was no waiting for upstream maintainers and no emergency patching required.
  • The entire LangChain.js ecosystem will benefit. Once the PR merged, every project using LangChain.js inherits the fix automatically. Web applications, data processing pipelines, AI tools, and analytics platforms all get safer because the fix lives where it belongs.
  • Future builds are secure by default. Docker doesn’t have to maintain downstream patches or worry about the vulnerability reappearing in the next release cycle. The fix lives in the upstream project where it belongs.
Docker Hardened Images responded faster than other vendors. We identified the root cause, selected a maintained replacement, verified it worked correctly, and contributed the fix back to the upstream project. This is possible because Docker’s security architecture is designed for a high-speed workflow without sacrificing thoroughness or attention to detail. (We are also, as a team, strongly committed to contributing back to open source!)
Continuous dependency analysis through Docker Scout identifies issues the moment they’re disclosed. Deep supply chain visibility shows not just what packages are in an image but the entire dependency chain. Direct upstream engagement means we can contribute fixes rather than wait for maintainers to respond to bug reports.
What This Means for Your Organization
If you’re running Kibana in production, CVE-2025-12735 posed a critical risk.
Organizations using Docker Hardened Images received immediate protection with secure, minimal, production-ready container images built from source and backed by a fast SLA that ensures rapid remediation. The updated image shipped with expr-eval replaced by a maintained alternative. No emergency patching was required and there was no downtime.
Organizations using other container distributions may still be exposed. Check your Kibana images for the vulnerable expr-eval dependency. If you’re running upstream Kibana, monitor for the LangChain.js update that incorporates Docker’s fix.
But the implications extend beyond this single CVE. The nested dependency problem affects every modern application. Your development teams probably don’t know what libraries are three or four levels deep in your dependency trees. Your security scanners might not catch them. Your vendors might not fix them upstream.
Helping Open Source Projects Helps Us All
The container ecosystem depends on thousands of open source projects. Most are maintained by small teams, often volunteers, who juggle security alongside feature development, bug fixes, and user support. When vulnerabilities emerge, maintainers may lack resources for immediate response.
Commercial vendors who benefit from open source have a responsibility to contribute back. When Docker Security fixes vulnerabilities upstream, open source maintainers get security support at no cost. The entire community benefits from hardened dependencies. Docker builds trust with the projects that power modern infrastructure. Future vulnerabilities become easier to address as relationships deepen.
Together, we are more secure. Docker is not the only company to push patches upstream, but it is a core part of our DNA. We don’t just protect our own customers but strengthen the entire ecosystem. Fixes go upstream so everyone benefits. The focus is on eliminating vulnerabilities at their source rather than playing endless rounds of patch-and-scan.
Modern supply chain attacks move faster than traditional security response times. Docker Hardened Images and Docker Scout are designed to match that speed while strengthening the entire ecosystem through upstream contributions. When vulnerabilities emerge, our customers get immediate protection. When our fixes go upstream, everyone gets safer. Learn more about how Docker Hardened Images deliver security that protects your organization and strengthens the ecosystem. View the full article
  16. Conor McGregor has revealed an intense spiritual episode he says occurred while undergoing trauma-focused treatment earlier this year. View the full article
  17. South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. "This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) … View the full article
  18. Christians have responded positively to the announcement in the Budget on Wednesday that the two-child benefits cap is to be lifted from next April. View the full article
  19. The World Council of Churches (WCC) has expressed gratitude for a meeting with Christian organisations in China. View the full article
  20. Britain’s oldest serving MP has criticised the Israeli government for failing to prevent violence and intimidation against Christians in the West Bank. View the full article
  21. Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors. As a result, most organizations' security investments are asymmetrical, robust detection tools paired with an under-resourced SOC, … View the full article
  22. Baptist leaders are exploring ways to encourage and increase the recruitment of church ministers, following a decline of nearly a quarter in the last decade. View the full article
  23. Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. The extension, named Crypto Copilot, was first published by a user named "sjclark76" on May 7, 2024. The developer describes the browser add-on as … View the full article
  24. The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. "This is the first time that a RomCom payload has been observed being distributed by SocGholish," Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report. The activity has been attributed with medium-to-high … View the full article
  25. The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 … View the full article
