Zero-Click Vulnerability in Apple Messages Exploited with Paragon Spyware (CVE- 2025-43200)

A critical zero-click vulnerability in Apple’s Messages app has been actively exploited to deploy spyware targeting journalists in Europe. The flaw allows remote code execution without user interaction, enabling full device compromise.

Affected Products:

• iOS 18.2.1 and earlier
• iPadOS 18.2.1 and earlier
• macOS Sequoia 15.3 and earlier, Sonoma 14.7.3 and earlier, Ventura 13.7.3 and earlier
• watchOS 11.3 and earlier
• visionOS 2.3 and earlier

Mitigation/Workaround:

• Update to the latest OS versions (iOS 18.3.1, macOS Sequoia 15.3.1, etc.) immediately.
• Enable automatic updates and monitor Apple threat advisories.
• Disable iMessage in high-risk environments if not needed.
  

References:

https://thehackernews.com/2025/06/apple-zero-click-flaw-in-messages.html

• OneLogin AD Connector Vulnerabilities Enable Credential Leakage and User Impersonation

Multiple serious flaws in OneLogin’s Active Directory Connector expose credentials and configuration secrets, allowing attackers to impersonate users and access protected services.

Impact:

• Full user impersonation via forged JWT tokens
• Access to sensitive SSO applications
• Leakage of user metadata, AWS credentials, and internal API keys

Mitigation/Workaround:

• Treat identity federation components as Tier 0 assets with highest security controls
• Restrict network access to OneLogin API endpoints
• Monitor logs for suspicious API and JWT activity
• Rotate all keys and audit cloud assets for unauthorized access

References:

https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial- tenant-to-compromising-customer-signing-keys/?web_view=true

• CyberEye / TelegramRAT: Modular .NET-Based RAT Using Telegram Bot API

CyberEye (TelegramRAT) is a sophisticated RAT framework that uses Telegram’s Bot API for command-and-control, enabling credential theft, session hijacking, clipboard hijacking, keylogging, and persistence.

Indicators of Compromise (IoCs):

• SHA256:

01a771866f3ca223da3bc988baa0a52dc76ae905d167187167fffd2a6dd4fc3c (builder variant)

• SHA256:

e0ac9404023867022db140d5737b8cb8310ff677debfc89be27bfa9616eacc92 (deployed payload)

Mitigation/Workaround:

• Block Telegram Bot API traffic at network perimeter
• Restrict PowerShell usage and enforce Constrained Language Mode
• Monitor/block ilasm.exe and unknown executables via AppLocker or WDAC
• Clear saved browser credentials and monitor access to Telegram, Discord, and Steam session files
• Educate users on risks of unknown executables and spoofed files
• Conduct regular software audits for suspicious .NET tools

References:

https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and- implications/?web_view=true

• WordPress Sites Turned Weapon: VexTrio and Affiliates Run Global Scam Network

The VexTrio cybercriminal group operates a sprawling network of malicious adtech companies distributing scams and malware globally through compromised WordPress sites. Affiliates like Los Pollos and Taco Loco facilitate campaigns involving gift card fraud, phishing, and malicious apps.

Impact:

• Hundreds of thousands of compromised websites redirect users to scam and malware networks annually
• Victims exposed to phishing, malware, and scams via complex redirection chains using DNS TXT records and domain generation algorithms

Mitigation/Workaround:

• Regularly audit and secure WordPress and web platforms
• Monitor DNS TXT records and web traffic for suspicious redirects
• Educate users on risks of push notification scams and malicious redirects
  
• Deploy WAFs and endpoint protection to block malicious traffic
• Collaborate with threat intelligence providers for emerging TDS campaigns

References:

https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html

• Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data (CVE-2025- 32711)

EchoLeak is a critical zero-click AI command injection vulnerability in Microsoft 365 Copilot that allows attackers to exfiltrate sensitive data without user interaction by embedding malicious prompts in markdown content.

Impact:

• Unauthorized disclosure of proprietary Microsoft 365 Copilot context data
• Exploits AI system design flaws in handling untrusted content
• Can be executed in single or multi-turn conversations

Mitigation/Workaround:

• Update Microsoft 365 Copilot with latest patches
• Implement strict content filtering and validation for AI-processed documents
• Apply granular permission controls and continuous auditing
• Enforce authentication and origin validation on MCP servers
• Educate users and admins on AI prompt injection risks

References:

https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html

• Palo Alto Networks PAN-OS Command Injection Vulnerability (CVE-2025-4231)

A medium-severity command injection flaw in PAN-OS allows authenticated admins to escalate privileges and execute commands as root via the management web interface.

Affected Versions:

• PAN-OS 10.1 (all versions)
• PAN-OS 10.2 (up to 10.2.7)
  
• PAN-OS 11.0 (up to 11.0.2)

Mitigation/Workaround:

• Upgrade to PAN-OS 11.0.3 or 10.2.8 or later
• Restrict management interface access to trusted IPs
• Use jump boxes and network segmentation for admin access
• Migrate unsupported versions to patched releases

References:

https://cybersecuritynews.com/pan-os-web-interface-vulnerability

• Microsoft Patches 67 Vulnerabilities Including WebDAV Zero-Day (CVE-2025- 33053)

Microsoft released patches for 67 vulnerabilities, including an actively exploited WebDAV remote code execution zero-day used by Stealth Falcon threat actors.

Key Vulnerabilities:

• WebDAV RCE (CVE-2025-33053, CVSS 8.8)
• Privilege escalations in Power Automate, Common Log File System, Netlogon, SMB Client, and KDC Proxy Service
• Secure Boot bypass via UEFI vulnerability

Mitigation/Workaround:

• Apply Microsoft security updates immediately
• Be cautious of phishing emails with .url attachments
• Monitor system and network logs for exploitation signs

References:

https://thehackernews.com/2025/06/microsoft-patches-67-vulnerabilities.html

• Firefox 139.0.4 Patches Critical Memory Corruption Vulnerabilities

Mozilla Firefox 139.0.4 fixes critical vulnerabilities causing memory corruption and potential remote code execution via crafted canvas operations and JavaScript integer overflow.

Vulnerabilities:

• CVE-2025-49709: Canvas memory corruption (CVSS 8.8)
• CVE-2025-49710: JavaScript engine integer overflow (CVSS 8.6)

Mitigation/Workaround:

• Update to Firefox 139.0.4 immediately
• Deploy updates across managed systems promptly

References:

https://cybersecuritynews.com/firefox-patches-multiple-vulnerabilities/

• Windows Remote Desktop Services Critical RCE Vulnerability (CVE-2025- 32710)

A critical use-after-free and race condition vulnerability in Windows Remote Desktop Gateway allows unauthenticated remote code execution with system privileges.

Affected Products:

• Windows Server 2008 through Windows Server 2025 (various editions)

Mitigation/Workaround:

• Apply June 2025 security updates immediately
• Limit RDP exposure via network segmentation and access controls
• Enable endpoint protection and monitor RDP Gateway activity

References:

https://cybersecuritynews.com/windows-remote-desktop-services-rce-vulnerability/

• Salesforce SOQL Injection Zero-Day Exposes Sensitive Data

A critical SOQL injection flaw in Salesforce Aura controllers allows blind data extraction of sensitive user information. The issue was patched silently without a CVE.

Mitigation/Workaround:

• Sanitize all user inputs in SOQL queries
• Monitor for unusual query patterns
• Apply platform updates and review release notes carefully
  

References:

https://cyberpress.org/new-salesforce-soql-injection-0-day-vulnerability/?web_view=true

• RustStealer Malware Targets Chromium Browsers to Exfiltrate Data

RustStealer is a Rust-based infostealer targeting Chromium browsers to steal credentials, cookies, browsing history, and crypto wallets.

IoCs:

• SHA256: 8f9a3b2c1d4e5f6g7h8i9j0k1l2m3n4o5p6q
• C2 Domain: maliciousrust[.]xyz
• C2 IP: 192.168.1.100
• Registry Key: HKLM\Software\MalRust

Mitigation/Workaround:

• Block known IOCs at network and endpoint levels
• Educate users on phishing risks
• Monitor for abnormal registry and scheduled tasks
• Update browsers and disable unused extensions
• Deploy behavior-based EDR solutions

References:

https://gbhackers.com/new-rust-developed-infostealer/?web_view=true

• Unauthenticated RCE in Erlang/OTP SSH Server (CVE-2025-32433)

A critical pre-authentication remote code execution vulnerability in Erlang/OTP SSH allows arbitrary command execution without authentication.

Mitigation/Workaround:

• Upgrade to OTP 27.3.3, 26.2.5.11, or 25.3.2.20
• Temporarily disable SSH or restrict access via firewall until patched

References:

https://www.cve.org/CVERecord?id=CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

• Rare Werewolf APT Abuses Legitimate Software to Target Russian and CIS Enterprises

Rare Werewolf APT uses legitimate tools like AnyDesk, 4t Tray Minimizer, and Blat to steal credentials, deploy XMRig miners, and exfiltrate data from industrial and educational targets in Russia and CIS.

Mitigation/Workaround:

• Block unsigned PowerShell and batch scripts
• Monitor and restrict third-party tool usage
• Use endpoint detection for scripting activity
• Train users to identify phishing with archive attachments
• Alert on off-hours scheduled tasks

References:

https://thehackernews.com/2025/06/rare-werewolf-apt-uses-legitimate.html

• Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

A new campaign uses ClickFix social engineering to trick macOS users into running malicious shell scripts that steal system passwords and deploy Atomic macOS Stealer (AMOS). The attack starts on typosquat domains mimicking Spectrum, using fake CAPTCHA checks to copy malicious commands to the clipboard. Victims are instructed to run these commands in Terminal, compromising their systems.

Impact:

• Credential theft and system compromise on macOS
• Bypasses security mechanisms using native macOS commands
• Campaign linked to Russian-speaking cybercriminals

Mitigation/Workaround:

• Educate users about risks of fake CAPTCHA sites and clipboard poisoning
• Avoid running commands from untrusted sources
• Monitor for suspicious shell script execution on macOS endpoints
  

References:

https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html

• Supply Chain Malware Operation Hits npm and PyPI Ecosystems

A supply chain attack compromised multiple npm packages related to GlueStack and React Native ARIA, injecting malware capable of running shell commands, taking screenshots, and uploading files. Similar tactics were used in recent PyPI packages posing as Instagram growth tools that harvest credentials.

Impact:

• Potential widespread infection due to high download volumes
• Malware persistence even after package updates
• Credential harvesting and destructive payloads in npm packages
• PyPI packages exfiltrate Instagram credentials to multiple bot services

Mitigation/Workaround:

• Revert to safe package versions and revoke compromised tokens
• Enable two-factor authentication for package publishing
• Monitor for suspicious package behavior and network activity
• Educate developers on supply chain risks

References:

https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html

• Mirai Botnet Variants Exploit Wazuh Server Vulnerability (CVE-2025-24016)

Two Mirai botnet variants exploit a critical deserialization RCE in Wazuh Server to conduct DDoS attacks. The flaw was patched in version 4.9.1, but attackers rapidly weaponized it to deploy LZRD and Resbot Mirai variants targeting IoT devices globally.

Impact:

• Remote code execution on Wazuh servers
• Large-scale DDoS attacks using infected IoT devices
• Targeting devices in China, India, Egypt, Ukraine, Russia, Turkey, Brazil, and Italy
  

Mitigation/Workaround:

• Apply Wazuh 4.9.1 or later immediately
• Restrict API access and monitor for suspicious activity
• Patch IoT devices and network infrastructure against known exploits

References:

https://thehackernews.com/2025/06/botnet-wazuh-server-vulnerability.html

• China-Linked Cyber Espionage Group Targets 70+ Organizations Including SentinelOne

The PurpleHaze cluster, linked to Chinese APT groups APT15 and UNC5174, conducted reconnaissance and intrusions against over 70 organizations across sectors including manufacturing, government, finance, and telecom. Attacks involved ShadowPad, GoReShell backdoors, and tools from The Hacker’s Choice.

Impact:

• Data exfiltration and persistent access
• Use of advanced malware and SSH-based backdoors
• Targeting of IT logistics and media organizations

Mitigation/Workaround:

• Harden internet-facing servers and monitor for reconnaissance
• Detect and block ShadowPad and GoReShell indicators
• Employ threat intelligence to track PurpleHaze activity

References:

https://thehackernews.com/2025/06/over-70-organizations-across-multiple.html

• Google Fixes Flaw Allowing Brute-Force Discovery of Phone Numbers Linked to Accounts

A vulnerability in Google’s deprecated username recovery form allowed brute forcing of recovery phone numbers, risking SIM swap attacks. The flaw was responsibly disclosed and fixed by removing the vulnerable form.

Impact:

• Potential exposure of recovery phone numbers in seconds to minutes
• Risk of account takeover via SIM swapping

Mitigation/Workaround:

• Use multi-factor authentication and monitor account recovery settings
• Avoid using deprecated recovery methods
• Stay alert for suspicious account activity

References:

https://thehackernews.com/2025/06/researcher-found-flaw-to-discover-phone.html

• 295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Threat intelligence firm GreyNoise observed a surge of coordinated brute-force login attempts targeting Apache Tomcat Manager interfaces from hundreds of malicious IP addresses globally.

Technical Details:

• 295 unique IPs engaged in brute-force attempts on June 5, 2025
• 188 unique IPs recorded in the following 24 hours
• Majority of IPs located in US, UK, Germany, Netherlands, Singapore
• Significant activity from DigitalOcean-hosted infrastructure (ASN 14061)
• No specific vulnerability exploited; opportunistic scanning and brute forcing

Impact:

• Potential unauthorized access to exposed Tomcat Manager services
• Early warning indicator of possible future exploitation attempts

Affected Products:

• Apache Tomcat Manager interfaces exposed to the internet

Mitigation/Workaround:

• Implement strong authentication and access restrictions on Tomcat Manager
• Monitor logs for suspicious login attempts
  
• Restrict access to trusted IPs and networks

References:

https://thehackernews.com/2025/06/295-malicious-ips-launch-coordinated.html

• Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Former affiliates of the Black Basta ransomware group continue attacks using email bombing, Microsoft Teams phishing, and Python scripts to establish persistent access and deploy malware.

Technical Details:

• Teams phishing campaigns use onmicrosoft.com and breached domains for stealth
• Python scripts fetched via cURL to establish C2 communications
• Use of Quick Assist and AnyDesk for remote desktop sessions
• Java-based RAT variants abusing cloud file hosting services for proxying commands
• Use of tunneling backdoor QDoor, Rust payloads, and Python RAT Anubis

Impact:

• Persistent access and credential harvesting
• Remote control over infected systems
• Potential lateral movement and data exfiltration

Affected Products:

• Microsoft Teams and related cloud services
• Targeted sectors include finance, insurance, construction, MSPs, and IT vendors

Mitigation/Workaround:

• Educate users on phishing and social engineering tactics
• Monitor Teams and email traffic for suspicious activity
• Restrict use of remote desktop tools and monitor for unauthorized sessions
• Deploy endpoint detection and response (EDR) solutions
  

References:

https://thehackernews.com/2025/06/former-black-basta-members-use.html

• Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Proofpoint uncovered a large-scale account takeover campaign leveraging the open- source TeamFiltration framework to breach Microsoft Entra ID accounts via password spraying and user enumeration.

Technical Details:

• Campaign codenamed UNK_SneakyStrike
• Uses Microsoft Teams API and AWS servers for distributed attacks
• Password spraying waves originate from geographically diverse AWS IPs
• Peaks of 16,500 accounts targeted in a single day

Impact:

• Unauthorized access to Microsoft Entra ID user accounts
• Potential data exfiltration and persistent access

Affected Products:

• Microsoft Entra ID (formerly Azure Active Directory) user accounts

Mitigation/Workaround:

• Monitor for unusual login patterns and password spraying
• Enforce multi-factor authentication (MFA)
• Limit exposure of cloud tenant accounts
• Collaborate with cloud providers to report abuse

References:

https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html

• New TokenBreak Attack Bypasses AI Moderation with Single-Character Text Changes

Researchers discovered TokenBreak, an attack that bypasses LLM safety and content moderation by manipulating tokenization with subtle text changes.

Technical Details:

• Alters input words to cause tokenization mismatches (e.g., “instructions” to “finstructions”)
• Exploits BPE and WordPiece tokenizers, not Unigram
• Causes false negatives in text classification models without changing meaning

Impact:

• Enables prompt injection and evasion of AI content filters
• Leaves systems vulnerable to malicious inputs

Affected Products:

• LLMs using BPE or WordPiece tokenization strategies

Mitigation/Workaround:

• Use Unigram tokenizers where possible
• Train models with examples of bypass techniques
• Log and analyze misclassifications for patterns

References:

https://thehackernews.com/2025/06/new-tokenbreak-attack-bypasses-ai.html

• Microsoft 365 Authentication Issues Disrupt User Access Across Multiple Regions

Microsoft 365 users in Asia Pacific, Europe, Middle East, and Africa experienced significant authentication disruptions preventing administrators from adding MFA sign-in methods.

Technical Details:

• Service degradation began June 13, 2025
• Root cause: recent infrastructure changes to improve MFA functionality caused authentication processing failures
  
• Temporary configuration update deployed to mitigate impact
• Similar MFA outages occurred earlier in 2025 due to CPU resource spikes

Impact:

• Administrators unable to configure MFA for users
• Blocking new security implementations across affected organizations
• Disruption reported in critical sectors including healthcare (e.g., NHS England)

Affected Products:

• Microsoft 365 authentication infrastructure affecting MFA setup

Fixed Products:

• Ongoing mitigation; updates and fixes in progress

Indicators of Compromise (IoCs):

• Not applicable

Mitigation/Workaround:

• Monitor Microsoft service health dashboard for updates
• Consider temporary access passes for urgent user access
• Maintain alternative authentication methods and contingency plans

References:

https://cybersecuritynews.com/microsoft-365-authentication-issues/

• New SmartAttack Steals Sensitive Data From Air-Gapped Systems via Smartwatches

Researchers demonstrated “SmartAttack,” a novel method to exfiltrate data from air- gapped systems using ultrasonic signals received by compromised smartwatches.

Technical Details:

• Malware installed on air-gapped computer and victim’s smartwatch
• Data encoded via Binary Frequency Shift Keying (B-FSK) in 18-22 kHz ultrasonic range
• Smartwatch uses microphone and signal processing (FFT, Butterworth filter, Kalman filter) to decode data
  
• Transmission rates up to 50 bps tested; optimal reception depends on smartwatch orientation

Impact:

• Exfiltration of keystrokes, encryption keys, credentials, confidential documents
• Bypasses physical air-gap security protections

Affected Products:

• Air-gapped computer systems with nearby smartwatch devices

Mitigation/Workaround:

• Restrict wearable devices in sensitive areas
• Deploy ultrasonic monitoring and jamming systems
• Implement “audio-gapping” by removing speakers/microphones from critical systems

References:

https://cybersecuritynews.com/smartattack-steals-air-gapped-systems/

• Acer Control Center Vulnerability Lets Attackers Execute Malicious Code as Privileged User

A critical vulnerability in Acer Control Center’s ACCSvc.exe process allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges via misconfigured Windows Named Pipe permissions.

Technical Details:

• Vulnerability in Windows Named Pipe permissions in ACCSvc.exe
• Attackers can connect to the pipe and invoke internal functions to run executables as NT AUTHORITY\SYSTEM
• Exploitation requires minimal technical skill

Impact:

• Privilege escalation to SYSTEM level
• Potential for persistent backdoors, ransomware deployment, data theft, full system compromise
• Risk of lateral movement in enterprise environments
  

Affected Products:

• Acer Control Center software (versions prior to May 15, 2025 update)

Fixed Products:

• Patched in Acer Control Center update released May 15, 2025

Mitigation/Workaround:

• Immediately update Acer Control Center to latest version
• Restrict network access to vulnerable systems until patched
• Temporarily disable Acer Control Center Service if update is not possible (with loss of functionality)

References:

https://cybersecuritynews.com/acer-control-center-vulnerability/

• New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens

A sophisticated phishing campaign abuses GitHub’s OAuth2 device authorization flow to steal developer authentication tokens, enabling access to repositories, CI/CD pipelines, and secrets.

Technical Details:

• Attackers generate device codes via GitHub OAuth API requesting broad scopes (user, repo, workflow)
• Social engineering convinces developers to enter codes at https://github.com/login/device
• Uses legitimate client IDs (e.g., Visual Studio Code’s) to reduce suspicion
• Tokens retrieved provide persistent access to victim’s GitHub resources

Impact:

• Unauthorized access to source code and secrets
• Potential supply chain attacks via backdoored repositories

Mitigation/Workaround:

• Educate developers on device code phishing risks
  
• Monitor OAuth token usage and authorization flows
• Implement behavioral analysis to detect anomalous device code requests

References:

https://cybersecuritynews.com/new-github-device-code-phishing-attacks/

• Microsoft Defender Spoofing Vulnerability Allows Privilege Escalation and AD Access (CVE-2025-26685)

A critical spoofing vulnerability in Microsoft Defender for Identity’s Lateral Movement Paths feature allows unauthenticated attackers to capture Net-NTLM hashes and escalate privileges in Active Directory.

Technical Details:

• Targets MDI sensor on Domain Controllers using SAM-R protocol
• Downgrades authentication from Kerberos to NTLM to capture DSA account hash
• Exploitation requires attacker system to have DNS record and initiate anonymous SMB null session
• Attack chain demonstrated combining with ESC8 ADCS relay attack to obtain TGTs and NT hashes

Impact:

• Privilege escalation and unauthorized AD access
• Reconnaissance capabilities over AD objects and local admin groups

Mitigation/Workaround:

• Migrate to unified XDR sensor (version 3.x)
• Monitor DSA authentication events from non-DC IPs
• Configure DSA accounts as Group Managed Service Accounts (gMSA)
• Disable Lateral Movement Paths data collection if possible

References:

https://cybersecuritynews.com/microsoft-defender-spoofing-vulnerability/

• Fog Ransomware Actors Exploit Pentesting Tools to Exfiltrate Data and Deploy Ransomware

Fog ransomware group uses legitimate pentesting tools and employee monitoring software in a May 2025 campaign targeting a financial institution in Asia, combining espionage and ransomware tactics.

Technical Details:

• Tools used: Syteca employee monitoring, GC2 C2 framework, Adaptix C2 Agent Beacon, Stowaway proxy
• GC2 uses Google Sheets/Microsoft SharePoint for command execution and data exfiltration
• Persistence via service “SecurityHealthIron” created post-ransomware deployment

Impact:

• Data exfiltration, lateral movement, ransomware deployment
• Long-term persistence and espionage beyond ransomware

Mitigation/Workaround:

• Monitor for use of pentesting and monitoring tools in unusual contexts
• Detect creation of suspicious services and backdoors
• Harden Exchange Servers and network segmentation

References:

https://cybersecuritynews.com/fog-ransomware-actors-exploits-pentesting-tools/

• Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation

A large-scale campaign injected obfuscated JavaScript using the JSFireTruck method into over 269,000 webpages, redirecting visitors from search engines to phishing and fake download sites.

Technical Details:

• JSFireTruck obfuscation uses only six ASCII characters ([, ], (, ), !, +)
• Malicious scripts detect visitors from Google, Bing, DuckDuckGo, Yahoo, AOL
  
• Injected iframe overlays entire page to hijack browsing sessions

Impact:

• Redirects users to fraudulent content and phishing pages
• Evades traditional pattern-based detection due to obfuscation

Mitigation/Workaround:

• Monitor websites for injected obfuscated JavaScript
• Use advanced detection tools capable of deobfuscation
• Educate users on risks of redirected downloads and phishing

References:

https://cybersecuritynews.com/threat-actors-compromise-270-legitimate-websites-with- malicious-javascript/

• OpenPGP.js Vulnerability Lets Attackers Spoof Message Signature Verification (CVE-2025-47934)

A critical flaw in OpenPGP.js allows attackers to forge digital signatures by exploiting packet processing discrepancies, causing signature verification to succeed on malicious content.

Affected Products:

• OpenPGP.js versions prior to v5.11.3 and v6.1.1
• Platforms using OpenPGP.js such as Mailvelope (Proton Mail unaffected)

Mitigation/Workaround:

• Update OpenPGP.js to v5.11.3 or v6.1.1 or later

References:

https://cybersecuritynews.com/openpgp-js-vulnerability/