Hackers are now turning popular social media platforms into malware delivery channels, using the promise of free software to trap unsuspecting users.

Short-form video platforms like TikTok and Instagram Reels have become the latest tools in a cybercriminal’s playbook, with attackers posting polished tutorial videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office.

Instead of the freebies they are after, viewers end up with a dangerous infostealer quietly running on their Windows devices. The shift marks a clear evolution in how attackers choose to reach their targets.

Cybercriminals have moved far beyond traditional phishing emails. Today, they are crafting content that looks and feels like everyday social media, blending in seamlessly with legitimate tech tips and tutorials.

The videos are so well-produced that many viewers do not suspect anything is wrong until the damage is already done. This approach lets attackers reach millions of people through the very platforms those people trust most.

Researchers at ReversingLabs uncovered two active campaigns using these short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites.

Analysts at Malwarebytes said in a report shared with Cyber Security News (CSN) that similar campaigns have been flagged by other researchers and national cybersecurity agencies, pointing to a growing trend.

Cybercriminals are learning to exploit social media algorithms just as effectively as professional marketers, amplifying the reach of these attacks at almost no cost.

The malware at the center of these campaigns is Vidar, a well-known infostealer built to quietly siphon sensitive data from infected devices.

Once it lands on a machine, Vidar goes to work collecting saved browser passwords, autofill data, browser cookies, cryptocurrency wallet details, two-factor authentication data, and even TOR browser data.

Everything harvested is then sent back to servers controlled by the attackers, giving them a detailed key to the victim’s entire digital life.

Hackers Use Free Spotify Premium Hacks

The first campaign is deceptively polished. Accounts using names like “windows.tips” or “windows.insights” post videos designed to look like genuine tech support content, complete with Windows-style branding and professional editing.

The videos are tagged with Windows and Office-related keywords so they appear right alongside legitimate troubleshooting videos in search results and recommendation feeds.

Viewers are walked through step-by-step instructions that include opening PowerShell, a legitimate Windows administrative tool, and pasting in a set of commands.

Figure 1: Example of a fake Windows tutorial video used to deliver the Vidar infostealer (Image courtesy of ReversingLabs)

Those commands then silently download and execute the Vidar infostealer in the background, with the user none the wiser.

The technique closely mirrors what researchers have called ClickFix attacks, where users are socially engineered into running malicious code themselves, bypassing most traditional security defenses.

Vidar’s Evasion Tricks and Security Risks

Once Vidar is on a device, it does not just steal data and leave. Research into similar TikTok-based attack chains shows that the malicious scripts commonly add exclusions to Windows Defender, effectively blinding the built-in security tool to future threats.

This means even after the initial infection is cleaned up, the device can remain exposed to follow-on attacks.

The stolen information represents a serious risk beyond just one account or one platform. Browser cookies can be used to hijack active sessions without needing a password, and cryptocurrency wallet data can lead to direct financial loss.

Two-factor authentication data in the wrong hands can defeat even accounts that appear to be securely protected.

Security experts recommend downloading software only from official vendor websites and treating any “free” or cracked version of a paid product with real skepticism.

Users should avoid following instructions on unfamiliar web pages, especially those asking them to run commands or paste code, as many of these pages use countdown timers or fake user counters to push people into acting fast.

Checking that downloaded files match what was expected, verifying a file’s digital signature before running it, and keeping a real-time anti-malware solution active are all practical steps that can stop an infostealer before it ever runs.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer appeared first on Cyber Security News.

The critical-severity OS command injection vulnerability allows attackers to execute arbitrary code with root privileges.

The post Ivanti Sentry Exploitation Attempts Hitting Honeypots appeared first on SecurityWeek.

A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI.

The operation, tracked as “Solana FakeFix,” deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or imported.

The campaign stands out for how convincing its lures are. Instead of using random package names, the threat actor crafted names closely resembling real Solana tooling, such as solana-web3-stable, solana-rpc-client, and @solana-labs/web3.js.

Developers dealing with build issues or dependency conflicts were the prime targets, making the attack feel like a helpful fix rather than a threat.

Analysts at JFrog Security Research identified the campaign and published a detailed report shared with Cyber Security News (CSN).

JFrog’s findings split the operation into two distinct clusters: the Solana FakeFix group of 20 packages targeting Solana developers, and a CMS-themed cluster of 5 packages that loaded hidden Windows executables on infected machines.

The campaign also shows a clear evolution in technique. Early versions used simple install-time scripts, while later versions shipped fully functional Solana bundles with stealer code injected after legitimate exports, making detection much harder.

The threat actor promoted packages through GitHub issue spam, opening nine issues across different projects and framing the malicious package as a community fix for the real Solana SDK.

The total scope includes 16 malicious npm packages and 4 PyPI packages under the FakeFix banner, plus 5 additional npm packages in the CMS loader group.

Each package was carefully built to appear functional during testing while quietly executing a stealer payload in the background.

Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages

The packages used two delivery paths depending on the platform. On npm, a postinstall lifecycle hook fired a JavaScript payload the moment a developer ran an install command, requiring no further action.

On PyPI, malicious code lived inside the __init__.py file and ran as soon as the package was imported in any script, notebook, or test.

Once triggered, the payload searched for Solana keypair files, SSH private keys, AWS credential files, .env files, and environment variables containing names like KEY, SECRET, MNEMONIC, or PASSWORD. All stolen data was sent to an attacker-controlled Telegram bot in real time.

More advanced packages also installed persistent backdoors that polled Telegram for remote commands. The attacker could grab SSH keys, pull environment variables, or run arbitrary shell commands on the victim machine.

One variant tried to drain the victim’s Solana funds and redirect local RPC settings, turning a one-time stealer into a persistent remote access threat.

The actor also ran a fake MEV bot package called solana-mev-bot, using social engineering to ask users to paste their Solana private key directly. It presented itself as an automated profit tool, phishing the one credential needed to empty a wallet entirely.

CMS Windows Loader: A Second Hidden Cluster

The second cluster targeted Windows developers through a completely different payload family. Packages like cms-storehub, cms-helpgit, and cms-github used npm install-time PowerShell scripts to install the Deno runtime and fetch remote JavaScript from an attacker-controlled server.

The loader established persistence through Windows Registry Run keys and pulled a dynamic second-stage payload on a 30-second loop.

Two other packages, to-cms and shopifyto-cms, acted as download-and-execute droppers.

They fetched a Windows executable, launched it from the temp directory, and attempted to erase the evidence afterward. The attacker’s server also received registration telemetry, giving the operator a live record of compromised systems.

JFrog recommends that developers immediately remove all affected packages, rotate Solana wallets and any secrets potentially exposed, and audit machines for persistence artifacts including Registry Run keys, scheduled tasks, and crontab entries.

Rebuilding CI runners from clean images is strongly advised over relying on package removal alone. Any package that triggers network access at install time or runs hidden PowerShell scripts should be treated as a serious red flag.

Indicators of Compromise (IoCs):-

Affected Packages

Telegram C2 IOCs

Network and Wallet IOCs

Targeted File Paths and Persistence Indicators

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets appeared first on Cyber Security News.

The browser refresh resolved critical and high-severity security defects, including a dozen use-after-free bugs.

The post Chrome 149 Update Patches 28 Vulnerabilities appeared first on SecurityWeek.

Microsoft released critical fixes for three closely related remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word that stem from low‑level memory‑safety flaws in the Word rendering engine and its integration with Outlook Classic.

These bugs, tracked as CVE‑2026‑45456, CVE‑2026‑45458, and CVE‑2026‑47635, are rated Critical with a CVSS v3.1 base score of 8.4, reflecting high impact on confidentiality, integrity, and availability if exploited.

Although the CVSS vectors show a local attack vector (AV:L), Microsoft classifies them as remote code execution because a remote attacker can deliver malicious content over the network (for example, via email). At the same time, the actual exploit triggers locally when Office processes the content.

Microsoft Outlook and Word RCE Flaws

All three vulnerabilities are rooted in unsafe memory handling within the Office document parsing pipeline.

CVE‑2026‑45456 and CVE‑2026‑47635 involve type confusion, where internal data structures are accessed with an incompatible or incorrect type, breaking type safety guarantees at runtime.

In practice, a crafted document can manipulate object layout assumptions so that the Word engine interprets attacker‑controlled data as a valid object or pointer.

Once the engine performs operations on that mis‑typed object, it can cause controlled memory corruption, which attackers can exploit to execute arbitrary code by hijacking control‑flow, such as function pointers or vtable entries.

CVE‑2026‑45458 involves a use-after-free pattern. In this scenario, Word frees a memory object but continues to hold a dangling pointer to it.

An attacker‑crafted document can cause the freed region to be reallocated to attacker‑controlled data, so when the stale pointer is later dereferenced, execution flows through data the attacker controls, again enabling code execution.

A key operational detail for defenders is that Outlook Classic uses Word as the rendering engine for email content, including in the Preview Pane.

That means a specially crafted email body or attachment that triggers one of these memory‑corruption paths can execute code merely when the message is rendered, without requiring the user to open an attachment explicitly.

From a kill‑chain perspective, this allows a remote attacker to send a single weaponized email to a target, rely on automatic rendering or user preview in Outlook, and achieve arbitrary code execution with the victim user’s permissions.

Because the vulnerabilities do not require additional privileges or explicit user interaction beyond normal rendering, a successful exploit can be chained with privilege‑escalation or lateral‑movement techniques to pivot deeper into the environment.

The affected scope includes Microsoft Office LTSC 2024 (32‑bit and 64‑bit) and other supported Word/Outlook builds that use the same rendering components.

Microsoft’s guidance stresses that customers must apply all applicable Office security updates to their installations in environments with multiple Office SKUs, and that administrators must ensure each product line receives its corresponding security package.

Some Mac Office channels (Office LTSC for Mac 2021/2024 and Microsoft 365 for Mac) may receive their patches slightly later than others. However, they are part of the same remediation effort.

From a defensive posture standpoint, patching remains the primary and non‑negotiable mitigation, as these are core engine‑level issues that cannot be fully neutralized by configuration changes alone.

However, organizations can reduce exploitability and blast radius through layered controls. Hardening Outlook by disabling or limiting Preview Pane for untrusted mailboxes, enforcing Protected View for files originating from the internet.

Using Attack Surface Reduction (ASR) rules to restrict Office from spawning child processes can materially raise the bar for successful exploitation and post‑compromise actions.

On the detection side, security teams should watch for anomalous Word or Outlook processes exhibiting unusual memory‑access violations, crashes when rendering specific messages, or suspicious child processes spawned from Office, which can be indicative of exploit attempts or successful code execution.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code appeared first on Cyber Security News.

Palo Alto Networks fixed a new command injection vulnerability in PAN‑OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface.

Two related medium‑severity issues in the same advisory window cover CLI privilege escalation (CVE‑2026‑0272) and a tunnel traffic denial‑of‑service bug (CVE‑2026‑0269).

CVE‑2026‑0273 affects PA‑Series and VM‑Series firewalls as well as Panorama appliances running specific PAN‑OS 12.1, 11.2, 11.1 and 10.2 versions.

The flaw is rated 6.1 under CVSS v4.0. It stems from improper input handling, allowing an authenticated admin to bypass normal system restrictions and run arbitrary OS commands with root privileges via the CLI or the management web UI.

No special configuration is required: if a privileged user can log in to a vulnerable management interface, the device is at risk. Cloud NGFW and Prisma Access are explicitly listed as not affected.

Palo Alto PAN-OS Vulnerability

CVE‑2026‑0272 is a medium‑severity privilege escalation vulnerability in the PAN‑OS CLI that allows an authenticated administrator to perform actions on the device with root privileges.

Like CVE‑2026‑0273, it impacts PA‑Series, VM‑Series and Panorama across supported 12.1, 11.2, 11.1 and 10.2 trains, but not Cloud NGFW or Prisma Access.

CVE‑2026‑0269 is a memory corruption flaw in tunnel traffic processing that allows an authenticated user to repeatedly reboot a firewall by sending crafted packets.

Devices configured with IPsec tunnels or GlobalProtect gateways are exposed, and repeated exploitation can push the firewall into maintenance mode, impacting availability.

Palo Alto Networks says it is not aware of any malicious exploitation of these three vulnerabilities at the time of disclosure.

For CVE‑2026‑0273, vulnerable branches include PAN‑OS 12.1, 11.2, 11.1, and 10.2 up to, but not including, hotfixes such as 12.1.4‑h7, 11.2.4‑h18, 11.1.4‑h34, 10.2.7‑h35, and later maintenance releases such as 12.1.7, 11.2.12, 11.1.15, and 10.2.18‑h7.

CVE‑2026‑0272 and CVE‑2026‑0269 follow similar patterns, with fixes provided in the latest “‑h” hotfixes and subsequent maintenance versions for each train.

Organizations running older, unsupported PAN‑OS branches are advised to upgrade to a supported, fixed release rather than relying solely on configuration.

Palo Alto recommends restricting management access to only trusted internal IP addresses and limiting CLI access to a small group of administrators, in line with its administrative access best‑practice guidance.

Using a hardened jump box as the sole host with access to the firewall management interfaces further reduces the risk that stolen credentials can be abused.

Customers with a Threat Prevention subscription can also block exploit attempts for CVE‑2026‑0273 by enabling the dedicated Threat IDs, provided management traffic is routed through a data plane interface and decrypted so the firewall can inspect it.

For the tunnel DoS bug CVE‑2026‑0269, Palo Alto lists no practical workaround and directs customers to upgrade to fixed code and review tunnel exposure.

While all three issues require authenticated access, they offer strong post‑compromise leverage, allowing attackers to gain root control of devices or disrupt VPN and remote access services.

So patching should be prioritized in environments where management or tunnel endpoints are reachable from semi‑trusted networks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User appeared first on Cyber Security News.

An AI hacker claims to have achieved a prompt-based jailbreak shortly after Fable 5’s launch, but Anthropic says it’s not a real jailbreak.

The post Anthropic Disputes Fable 5 AI Jailbreak appeared first on SecurityWeek.

Google has released a new Chrome security update addressing 28 vulnerabilities, including several critical flaws that could allow attackers to execute malicious code on affected systems.

The latest Stable channel update upgrades Chrome to version 149.0.7827.114/.115 on Windows and macOS, and to 149.0.7827.114 on Linux.

The rollout is being deployed gradually and is expected to reach users over the coming days and weeks. Google has also published a detailed changelog outlining all modifications included in this release.

Critical Vulnerabilities Enable Code Execution

Among the most serious issues patched are multiple critical memory-corruption vulnerabilities.

These include several use-after-free flaws in core components, including Core, DigitalCredentials, and WebMIDI, identified as CVE-2026-12007, CVE-2026-12008, and CVE-2026-12011.

Such vulnerabilities occur when memory is improperly managed, allowing attackers to manipulate freed memory regions.

Google also addressed a critical heap buffer overflow vulnerability in the GPU component, tracked as CVE-2026-12010, along with an insufficient validation of untrusted input issue in the Accessibility component, identified as CVE-2026-12009.

These flaws could be exploited by convincing users to visit specially crafted web pages, potentially enabling arbitrary code execution and leading to full system compromise.

In addition to the critical vulnerabilities, the update resolves numerous high-severity issues affecting a wide range of Chrome components.

Several of these involve use-after-free vulnerabilities across Network, Media, Autofill, GPU, Video, and Views modules. These bugs can lead to memory corruption and are often leveraged in exploit chains.

Other high-severity issues include out-of-bounds read and write vulnerabilities in components such as Codecs, Video, and VideoCapture, which could allow attackers to access or manipulate memory in unintended ways.

A heap buffer overflow vulnerability in the GPU component further increases the risk of exploitation. The update also fixes multiple instances of insufficient validation of untrusted input in DevTools, Extensions, Network, and Linux Toolkit Theming.

In addition, Google addressed improper policy enforcement issues in DevTools and Headless mode, as well as a race condition vulnerability in Safe Browsing.

These weaknesses could potentially be abused to bypass security restrictions or interfere with browser protections.

Although Google has not confirmed whether these vulnerabilities are being actively exploited in the wild, the presence of multiple memory-related flaws significantly raises the likelihood of exploitation.

Attackers frequently target such vulnerabilities through malicious websites, exploit kits, or compromised advertising networks.

To minimize risk, Google has restricted access to detailed vulnerability information until a majority of users have installed the update.

This approach helps prevent attackers from analyzing patches to develop exploits before systems are secured. Google credited both internal security teams and external researchers for identifying and reporting these vulnerabilities.

The company also emphasized the role of advanced detection tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL in discovering and mitigating security flaws during development.

Users are strongly encouraged to update Chrome immediately to the latest version to protect against potential threats. While automatic updates are typically enabled, users can manually verify their browser version through the Chrome settings panel.

Organizations should prioritize patch deployment across all systems to reduce exposure and prevent possible exploitation.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code appeared first on Cyber Security News.