Netcrook


#Java


Spring’s High-Severity Fix Exposes a Bigger Problem: Hidden Java Risk

Published: 26 June 2026 12:43 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A newly patched Spring vulnerability is a reminder that the real danger in enterprise Java is often not the headline bug, but the unknown version, transitive dependency, and unreviewed deployment path hiding underneath it.

How Minecraft Mods and Ethereum Smart Contracts Can Power Harder-to-Disrupt Credential Theft

Published: 26 June 2026 11:00 | Category: Malware & Botnets | Author: NEXUSGUARDIAN

A malware package tied to a Minecraft modding path and on-chain control logic shows how ordinary-looking software can be turned into a resilient access theft tool.

npm Lookalikes Put PostCSS Trust Chains on the Hook for Chrome Passwords

Published: 24 June 2026 16:09 | Category: Malware & Botnets | Author: IRONQUERY

A deceptive package name can be enough to turn a routine JavaScript install into a staged Windows malware chain with browser-credential risk.

IBM WebSphere Patches Close High-Severity Holes in a Quiet but Critical Layer

Published: 23 June 2026 16:22 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

Security updates fix four WebSphere flaws, including three rated high severity, with potential impacts on authentication, confidentiality, and service availability.

When a Mac App Becomes a Moving Target: The FlutterShell Case

Published: 23 June 2026 10:24 | Category: Malware & Botnets | Geo: North America / USA | Author: SIGNALMONK

A macOS malware family linked to remote JavaScript delivery shows how attackers can shift meaningful logic off the binary and into infrastructure that can change at any time.

Mastra’s npm Trail Turns a Package Update Into a Crypto-Extension Risk

Published: 22 June 2026 14:14 | Category: Malware & Botnets | Geo: North America / USA | Author: NEXUSGUARDIAN

A malicious dependency found in more than 140 Mastra packages shows how a software supply-chain incident can move from build tools to browser-facing cryptocurrency surfaces.

A Lookalike npm Package Turned a Trusted CSS Name Into a Windows Malware Pipe

Published: 22 June 2026 14:07 | Category: Malware & Botnets | Geo: North America / USA | Author: IRONQUERY

A deceptive package name in the PostCSS orbit shows how open-source trust can be abused before any code ever reaches production.

When a Package Registry Turns into a Blind Spot for AI Builders

Published: 20 June 2026 18:48 | Category: Cyber Warfare & Nation-State Operations | Geo: North America / USA | Author: AGONY

Microsoft’s attribution of a Mastra AI-related npm compromise to Sapphire Sleet shows how a software supply chain incident can ripple through developer tooling long before anyone notices a malicious build.

SocGholish Under Pressure as Police Target Its Malware Network

Published: 19 June 2026 16:26 | Category: Malware & Botnets | Geo: Europe / Russia | Author: SIGNALMONK

An international operation targeted SocGholish infrastructure, a reminder that disrupting a loader can matter as much as stopping the final payload.

Node.js Patch Wave Exposes the Hidden Cost of Runtime Trust

Published: 19 June 2026 12:35 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

A June security release for the JavaScript runtime fixes 12 flaws, including a TLS authentication-bypass risk and a WebCrypto crash path that can knock services offline.

The Review Widget Trap: How Shopper Pages Became a Malware Delivery Layer

Published: 19 June 2026 12:16 | Category: Malware & Botnets | Geo: Oceania / Australia | Author: NEXUSGUARDIAN

A client-side commerce widget reportedly became a staging point for JavaScript loaders, showing how embedded tools can turn ordinary storefront traffic into a high-value browser attack surface.

When a Review Badge Turns Into a Browser Trap

Published: 19 June 2026 12:09 | Category: Malware & Botnets | Geo: Oceania / Australia | Author: IRONQUERY

A reported injection into a widely used e-commerce reviews widget shows how a trusted storefront component can become a client-side risk surface.

SocGholish Hit in a Coordinated Sweep, but the Loader Era Is Not Over

Published: 19 June 2026 08:20 | Category: Malware & Botnets | Geo: Europe / Netherlands | Author: IRONQUERY

A multinational disruption of 106 servers and 101 domains shows how much modern malware depends on fragile web infrastructure, not just code on disk.

SocGholish Infrastructure Hit Hard as Authorities Pull 106 Servers and 101 Domains Offline

Published: 19 June 2026 08:15 | Category: Malware & Botnets | Author: NEXUSGUARDIAN

The takedown targets the delivery machinery behind a long-running JavaScript loader, showing how much modern malware depends on compromised websites, staging servers, and trust in the browser.

When the Fake Update Chain Breaks: A Law-Enforcement Hit on SocGholish’s Web Lures

Published: 18 June 2026 19:09 | Category: Malware & Botnets | Author: NEXUSGUARDIAN

Nearly 15,000 WordPress sites were cleaned and more than 100 servers were taken down, cutting into a delivery system that turns ordinary websites into malware launchpads.

Compromised WordPress Pages Are Being Used as Traps for the Curious Click

Published: 17 June 2026 13:14 | Category: Malware & Botnets | Geo: North America / USA | Author: SIGNALMONK

ErrTraffic turns ordinary site visits into a social-engineering path to infostealers, relying on fake errors, malicious JavaScript, and user action rather than a classic exploit chain.

When a Glitched Page Becomes a Shell Prompt

Published: 17 June 2026 10:39 | Category: Security Awareness & Social Engineering | Geo: North America / USA | Author: NEURALSHIELD

A WordPress compromise can do more than deface a site: in this campaign, injected JavaScript turns a broken-looking page into a lure that pushes users toward PowerShell.

A Trusted npm Namespace Became the Weak Link in an AI Build Chain

Published: 17 June 2026 10:13 | Category: Cybercrime | Geo: North America / USA | Author: CIPHERWARDEN

A hijacked contributor identity and a burst of package publishing turned the @mastra/* ecosystem into a supply-chain warning for anyone shipping JavaScript or TypeScript at scale.

Deno Turns into a Trojan Horse as Phishing Pressure Pushes the First Click

Published: 17 June 2026 08:21 | Category: Malware & Botnets | Geo: North America / USA | Author: SIGNALMONK

A modular JavaScript implant reportedly uses Deno permission flags, while inbox flooding and Teams impersonation help force the execution decision.

When a Trusted Plugin Becomes the Weak Link

Published: 16 June 2026 12:51 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A reported issue around OptinMonster and related WordPress tools highlights how one tainted delivery path can create a broad trust problem for site owners.