Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Critical Roundcube bug CVE-2025-49113 affects versions before 1.6.11, enabling code execution via URL flaw.
Latest CyberSec News by @thecyberpicker
Un lanceur d’alerte expose le train de vie luxueux du groupe de cybercriminels Conti
Un lanceur d’alerte anonyme, « GangExposed », publie une fuite inédite sur les chefs du groupe de ransomware Conti/Trickbot. Pour la première fois, des preuves visuelles, des documents financiers et des détails sur leur vie quotidienne à Dubaï viennent appuyer des identités déjà connues des autorités, bouleversant la
Scattered Spider: Three things the news doesn’t tell you
Scattered Spider isn't one group — it's an identity-first threat model evolving fast. From vishing to AiTM phishing, they're exploiting MFA gaps to hijack the cloud. Watch the Push Security webinar to learn how their identity-based tactics work — and how to stop them.
Juice jacking warnings are back, with a new twist
This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?
Victoria’s Secret delays earnings release after security incident
Fashion retail giant Victoria's Secret has delayed its first quarter 2025 earnings release because of ongoing corporate system restoration efforts following a May 24 security incident.
#Infosec2025: Demand More of Your Vendors to Ease Quantum Transition, Say Experts
CISOs should demand more of their vendors and use regulation as an ally to persuade board members to accelerate the transition to post-quantum safety
LLMs Writing Code? Cool. LLMs Executing It? Dangerous | CSA
Large Language Models are great for software development. But letting them run code is a step too far. Giving LLMs execution rights is a major security risk.
Lessons from Ireland on closing the cybersecurity talent gap
This week in cybersecurity from the editors at Cybercrime Magazine
Fake Docusign Pages Deliver Multi-Stage NetSupport RAT Malware
Malware campaign used fake DocuSign pages to deploy NetSupport RAT through clipboard manipulation
New Linux Vulnerabilities - Schneier on Security
They’re interesting: Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. […] “This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace.”...
Future-ready cybersecurity: Lessons from the MITRE CVE crisis | CyberScoop
The domino effect of CVE disruption is something all cybersecurity practitioners must be aware of, a Morphisec executive argues.
Top Security Tools for Startups in 2025 | CSA
Discover essential security tools for startups in 2025. Learn how to streamline compliance and protect your business with expert insights.
Scattered Spider: Understanding Help Desk Scams and How to Defend Your Organization
Help desk scams let hackers bypass MFA to breach UK retailers and enterprises, costing millions
.jpg?width=350&height=&ar=16:9&mode=crop&format=avif&dpr=2)
Android malware Crocodilus adds fake contacts to spoof trusted callers
The latest version of the 'Crocodilus' Android malware has introduced a new mechanism that adds a fake contact on the infected device's contact list to deceive victims.
Google patches new Chrome zero-day bug exploited in attacks
Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year.
https://securelist.com/host-based-logs-container-based-threats/116643/
Top FBI cyber official Cynthia Kaiser exits for Halcyon | CyberScoop
The 20-year bureau pro wants to see what it’s like to fight ransomware from the private sector.
#Infosec2025: VEC Attacks Alarmingly Effective at Driving Engagement
Abnormal AI found that engagement rates with VEC attacks globally is “worrisomely high”, overtaking BEC in the EMEA region
Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets
Android malware Crocodilus now targets 8 countries, stealing banking and crypto data using fake apps.
Google fixed the second actively exploited Chrome zero-day since the start of the year
Google addressed three vulnerabilities in its Chrome browser, including one that it actively exploited in attacks in the wild.
Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion
Microsoft and CrowdStrike map over 80 threat actors to reduce naming confusion and help analysts respond faster.
Google Chrome to Distrust Two Certificate Authorities Over Compliance and Conduct Issues
Google Chrome to Distrust Chunghwa and Netlock TLS Certificate Authorities Over Repeated Compliance Failures and Behavioral Issues
#Infosec2025: Half of Firms Suffer Two Supply Chain Incidents in Past Year
Risk Ledger found that 90% of UK professionals view supply chain cyber incidents as a top concern for 2025
New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch
Google fixed CVE-2025-5419 in Chrome after detecting active exploitation, affecting all platforms using V8 engine.
The North Face warns customers of April credential stuffing attack
Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks targeting the company's website in April.
Cartier discloses data breach amid fashion brand cyberattacks
Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised.
Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
After years of confusion, leading threat-intelligence companies will streamline how they name threat groups.
INE Security Alert: $16.6 Billion in Cyber Losses Underscore Critical Need for Advanced Security Training
Cary, North Carolina, 2nd June 2025, CyberNewsWire
SentinelOne: Last week’s 7-hour outage caused by software flaw
American cybersecurity company SentinelOne revealed over the weekend that a software flaw triggered a seven-hour-long outage on Thursday.
Protection des données : l'éditeur français Atempo repris par HorizonH
La société d'investissement installée au Luxembourg HorizonH met la main sur l'éditeur de solutions de gestion et de protection des...-Cybersécurité