Cyware Daily Threat Intelligence, June 02, 2025

Daily Threat Briefing • June 2, 2025
A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags.
A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence.
What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.
Fake Booking[.]com sites push malware
Cybercriminals are redirecting users from gaming sites and social media to fake Booking[.]com websites, employing malicious Captcha forms that trick users into executing harmful commands. This leads to the installation of Backdoor.AsyncRAT, a remote access tool that allows attackers to control infected devices and steal sensitive information. The campaign's URLs change frequently, and users should be wary of any site prompting them to copy commands into their clipboard, as this can result in significant security breaches and financial loss.
Hackers exploit PuTTY for malware delivery
Hackers are exploiting the popular SSH client PuTTY to deliver malware on Windows systems. The malware abuses OpenSSH's default behavior and utilizes stealth techniques such as registry manipulation, custom SSH configuration files, and process masquerading to maintain persistence and evade detection. It leverages trusted system binaries like ssh.exe (LOLBIN) and creates invalid SSH configuration files to enable port forwarding and remote access for attackers.
Backdoors in Python and npm packages
A malicious package campaign targeting Python and npm users was discovered, using typo-squatting and name-confusion attacks on packages like Colorama and Colorizr. The attack involved cross-ecosystem tactics, with payloads allowing remote access and data exfiltration, and attempted to evade detection on Windows systems. The campaign used cross-platform baiting, with payloads for both Windows and Linux. Windows payloads involved environment variable harvesting, persistence through scheduled tasks, and antivirus evasion. Linux payloads included advanced backdoors using encrypted communication and stealth techniques to maintain long-term access.
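As an added, defender-side example that is not part of the briefing: a pre-install check for the two naming tricks this campaign relied on, near-miss spellings of a well-known package and a name that is well known only in the other ecosystem (here colorama on PyPI, colorizr on npm). The per-ecosystem allowlists and the candidate names are constructed for illustration.

```python
import re

# Constructed allowlists of well-known names per ecosystem (illustration only);
# colorama (PyPI) and colorizr (npm) are the names the campaign above imitated.
POPULAR = {
    "pypi": {"colorama", "requests", "numpy"},
    "npm": {"colorizr", "express", "lodash"},
}

def normalize(name: str) -> str:
    """Lower-case and collapse '-', '_' and '.' (PyPI treats them as equal),
    so separator-swapping variants compare against the canonical spelling."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def check_dependency(name: str, ecosystem: str, max_distance: int = 2):
    """("near-miss", known, eco): within max_distance edits of a well-known name.
    ("cross-ecosystem", known, eco): exact match to a name well known only in
    the other ecosystem. An exact match in its own ecosystem yields nothing."""
    cand = normalize(name)
    if cand in {normalize(n) for n in POPULAR.get(ecosystem, ())}:
        return []
    findings = []
    for eco, names in POPULAR.items():
        for known in names:
            kn = normalize(known)
            d = levenshtein(cand, kn)
            if d == 0:
                findings.append(("cross-ecosystem", kn, eco))
            elif d <= max_distance:
                findings.append(("near-miss", kn, eco))
    return sorted(findings)

if __name__ == "__main__":
    for req in [("colorama", "pypi"), ("colorma", "pypi"), ("colorizr", "pypi")]:
        print(req, "->", check_dependency(*req) or "ok")
```

Run it against a lockfile or requirements list before installation; a "cross-ecosystem" finding is exactly the Colorizr-style lure, a package that exists under a trusted npm name but was requested from PyPI.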
Multiple bugs in SonicWall NetExtender
NetSPI security researchers have discovered multiple high-risk local privilege escalation vulnerabilities in SonicWall's NetExtender VPN client for Windows, identified as CVE-2025-23009 and CVE-2025-23010. These vulnerabilities could allow a low-privileged user to gain SYSTEM-level access or disrupt services through arbitrary file deletion and overwrite. The investigation began after an earlier bug (CVE-2025-23007) was reported, leading NetSPI to reverse engineer the application and find further vulnerabilities. SonicWall has released a patch in version 10.3.2 of NetExtender for Windows to address these issues.
Information disclosure flaws in Linux
Two vulnerabilities in Linux systems, CVE-2025-5054 and CVE-2025-4598, have been identified in apport and systemd-coredump, allowing local attackers to exploit race conditions to access sensitive data, including password hashes. Both vulnerabilities have a CVSS score of 4.7 and affect Ubuntu, Red Hat Enterprise Linux, and Fedora. The first flaw enables PID-reuse in the apport package, while the second allows access to privileged data by manipulating SUID processes. Debian systems are not affected by these vulnerabilities unless systemd-coredump is manually installed.
Hackers abuse critical vBulletin bug
Hackers are exploiting critical vulnerabilities in the vBulletin forum software, specifically CVE-2025-48827 and CVE-2025-48828, which allow remote code execution. These flaws affect versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later. Although patches were released, many sites remain vulnerable due to not upgrading. The vulnerabilities involve the misuse of PHP's Reflection API and template engine abuse, leading to potential shell access for attackers.