-
Wikipedia hit by self-propagating JavaScript worm that vandalized pages
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
- March 05, 2026
- 03:42 PM
2
-
QuickLens Chrome extension steals crypto, shows ClickFix attack
A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
- February 28, 2026
- 02:18 PM
0
-
State of Browser Attacks: Learn from John Hammond, Troy Hunt & Matt Johansen
Join Push Security's free three-part webinar series where top security researchers break down the browser-based attacks driving today's biggest breaches - from AiTM phishing and ConsentFix to compromised credentials and session hijacking.
-
What 5 Million Apps Revealed About Secrets in JavaScript
Leaked API keys are nothing new, but the scale of the problem in front-end code has been largely a mystery - until now. Intruder's research team built a new secrets detection method and scanned 5 million applications specifically looking for secrets hidden in JavaScript bundles. Here's what we learned.
- February 17, 2026
- 09:40 AM
- 0
-
Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets.
- February 15, 2026
- 10:17 AM
- 0
-
Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies
The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.
- January 26, 2026
- 09:02 AM
- 0
-
New ErrTraffic service enables ClickFix attacks via fake browser glitches
A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating 'fake glitches' on compromised websites to lure users into downloading payloads or following malicious instructions
- December 30, 2025
- 04:08 PM
- 0
-
Popular Forge library gets fix for signature verification bypass flaw
A vulnerability in the 'node-forge' package, a popular JavaScript cryptography library, could be exploited to bypass signature verifications by crafting data that appears valid.
- November 26, 2025
- 02:32 PM
- 0
-
Popular JavaScript library expr-eval vulnerable to RCE flaw
A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input.
- November 10, 2025
- 01:32 PM
- 0
-
NPM package caught using QR Code to fetch cookie-stealing malware
Newly discovered npm package 'fezbox' employs QR codes to hide a second-stage payload to steal cookies from a user's web browser. The package, masquerading as a utility library, leverages this innovative steganographic technique to harvest sensitive data, such as user credentials, from a compromised machine.
- September 23, 2025
- 06:42 AM
- 0
-
Popular npm linter packages hijacked via phishing to drop malware
Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft.
- July 19, 2025
- 08:51 AM
- 0
-
North Korean XORIndex malware hidden in 67 malicious npm packages
North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems.
- July 15, 2025
- 01:47 PM
- 0
-
Windows 11 now uses JScript9Legacy engine for improved security
Microsoft announced that it has replaced the default scripting engine JScript with the newer and more secure JScript9Legacy on Windows 11 version 24H2 and later.
- July 10, 2025
- 04:46 PM
- 0
-
Dozens of malicious packages on NPM collect host and network data
60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor.
- May 23, 2025
- 01:37 PM
- 0
-
Phishing kits now vet victims in real-time before stealing credentials
Phishing actors are employing a new evasion tactic called 'Precision-Validated Phishing' that only shows fake login forms when a user enters an email address that the threat actors specifically targeted.
- April 09, 2025
- 09:49 AM
- 0
-
Phishing attack hides JavaScript using invisible Unicode trick
A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
- February 19, 2025
- 03:14 PM
- 1
-
Brave now lets you inject custom JavaScript to tweak websites
Brave Browser is getting a new feature called 'custom scriptlets' that lets advanced users inject their own JavaScript into websites, allowing deep customization and control over their browsing experience.
- February 09, 2025
- 10:09 AM
- 6
-
European Space Agency's official store hacked to steal payment cards
European Space Agency's official web shop was hacked as it started to load a piece of JavaScript code that generates a fake Stripe payment page at checkout.
- December 24, 2024
- 12:07 PM
- 1
-
Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.
- November 19, 2024
- 04:52 PM
- 0
-
Hackers inject malicious JS in Cisco store to steal credit cards, credentials
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
- September 04, 2024
- 11:48 AM
- 0
-
Cloudflare: We never authorized polyfill.io to use our name
Cloudflare, a lead provider of content delivery network (CDN) services, cloud security, and DDoS protection has warned that it has not authorized the use of its name or logo on the Polyfill.io website, which has recently been caught injecting malware on more than 100,000 websites in a significant supply chain attack.
- June 27, 2024
- 05:18 AM
- 1
