Threat hunters have uncovered 45 domains linked to China-backed groups Salt Typhoon and UNC4841, some dating as far back as May 2020.
At least 18 widely used JavaScript code packages, collectively downloaded over two billion times per week, were briefly compromised after a developer was phished. The phishing email tricked the maintainer into submitting a one-time two-factor authentication token on a fake NPM login page, giving attackers access to his account. The malicious code was narrowly focused on intercepting cryptocurrency transactions, redirecting funds to attacker-controlled wallets without visible signs to users. Security experts warn that a similar attack with a more harmful payload could easily trigger a large-scale malware outbreak.
Bridgestone, the world’s largest tire manufacturer, confirmed it is investigating a cyberattack that has disrupted operations at some of its North American facilities. The company reported that its rapid response helped contain the incident early, preventing customer data theft or deep network infiltration. Initial reports identified disruptions at Bridgestone Americas (BSA) facilities in Aiken County, South Carolina, and Joliette, Quebec, sparking concerns about potential supply chain impacts.
Cloudflare has successfully defended against the largest distributed denial-of-service (DDoS) attack ever recorded, a 35-second flood that peaked at 11.5 terabits per second.
Hackers have exploited a vulnerability in the Salesloft Drift application to steal OAuth tokens and access Salesforce data, leading to the exposure of sensitive customer information across several major companies.
TransUnion has reported a new security breach to law enforcement, stating that hackers gained access through a third-party application used to store customer data for its U.S. consumer support operations.
A new report from AI startup Anthropic warns that cybercriminals are weaponizing AI assistants in increasingly sophisticated ways. In one case, attackers used Anthropic’s own coding tool, Claude Code, to carry out nearly every stage of a large-scale data extortion campaign targeting at least 17 organizations across multiple industries.
Mobile security firm Zimperium has issued an alert about a dangerous evolution in mobile malware. Its zLabs research team discovered a new variant of the Hook banking trojan, dubbed Hook Version 3, which goes far beyond stealing banking credentials. The malware now combines features of ransomware, spyware, and traditional bank-hacking tools, giving attackers sweeping control over infected Android devices.