"Evolving npm Package Campaign Targets Roblox Devs, for Years"

For at least a year, attackers have used malicious Node Package Manager (npm) packages mimicking the popular "noblox.js" library to infect Roblox game developers with malware. The malware steals Discord tokens and system data, and deploys additional payloads. Checkmarx researchers say the campaign involves brandjacking, combosquatting, and starjacking. This article continues to discuss findings regarding the evolving npm package campaign targeting Roblox game developers.

Submitted by Gregory Rigby on

"VMware Patches High-Severity Code Execution Flaw in Fusion"

Virtualization software technology vendor VMware recently announced a security update for its Fusion hypervisor to address a high-severity vulnerability that exposes users to code execution exploits.  The root cause of the issue, which is tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable.  VMware noted that the CVE-2024-38811 defect could be exploited to execute code in the context of Fusion, which could potentially lead to complete system compromise.

Submitted by Adam Ekwall on

"Chrome 128 Updates Patch High-Severity Vulnerabilities"

According to Google, two security updates released over the past week for the Chrome browser resolve eight vulnerabilities, including six high-severity bugs reported by external researchers. Last week, Google announced a Chrome 128 update with patches for four externally reported high-severity memory safety flaws. Google noted that three of the security defects affect the browser’s V8 JavaScript engine. They include two type confusion issues and a heap buffer overflow.

Submitted by Adam Ekwall on

"Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach"

Fota Wildlife Park, in County Cork, Ireland, has recently advised customers to cancel their payment cards following a cyberattack.  The attraction is warning customers who carried out financial transactions on its website between 12 May and 27 August 2024 to cancel their debit or credit cards via their bank.  The advice only applies to online transactions.  Fota Wildlife Park stated that visitors who bought tickets or made other purchases in the park itself do not need to cancel their cards.  The park is open for visitors as normal.

Submitted by Adam Ekwall on

"TfL Claims Cyber-Incident is Not Impacting Services"

Transport for London (TfL) recently announced that it is dealing with an "ongoing cybersecurity incident." TfL is responsible for the extensive London Underground network, Docklands Light Railway, buses, taxis, river services, major road and cycle routes, and selected train services, including London Overground and the Elizabeth Line.  TfL noted that currently, there is no evidence that any customer data has been compromised and that there has been no impact on TfL services.

Submitted by Adam Ekwall on

"Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms"

JFrog researchers have brought further attention to security risks in the Machine Learning (ML) software supply chain after discovering over 20 vulnerabilities that attackers could exploit to target ML Operations (MLOps) platforms. The discovered flaws, which are said to be inherent and implementation-based, could result in arbitrary code execution, the loading of malicious datasets, and more. This article continues to discuss the discovery of supply chain vulnerabilities in MLOps platforms.

Submitted by Gregory Rigby on

"MC2 Researchers Present Eight Papers at USENIX/SOUPS"

Researchers with the Maryland Cybersecurity Center (MC2) recently presented eight papers at symposiums focusing on privacy and online security. Three papers were presented at the 33rd USENIX Security Symposium, and five were presented at the Symposium on Usable Privacy and Security (SOUPS). The MC2 papers discussed privacy-related app reviews, user reactions to data access laws, password management for shared accounts, and diversity and safety in the cybersecurity community.

Submitted by Gregory Rigby on

"US AI Safety Institute Signs Agreements Regarding AI Safety Research, Testing and Evaluation With Anthropic and OpenAI"

The US Artificial Intelligence (AI) Safety Institute at the Department of Commerce's National Institute of Standards and Technology (NIST) announced agreements enabling formal collaboration on AI safety research, testing, and evaluation with Anthropic and OpenAI. The agreements support collaborative research on evaluating capabilities, risks, and methods to mitigate those risks.

Submitted by Gregory Rigby on

"How Smart Toys Spy on Kids: What Parents Need to Know"

Researchers led by Professor Isabel Wagner of the Department of Mathematics and Computer Science at the University of Basel studied the security and privacy of smart toys. The researchers investigated whether data traffic was encrypted and how well. They also looked into data protection, how easy it is for users to see what data is collected, and compliance with the EU General Data Protection Regulation (GDPR). This article continues to discuss key findings from the study "No Transparency for Smart Toys."

Submitted by Gregory Rigby on

"Innovative Approach to Cryptography Makes Privacy More Personal"

Gabriel Kaptchuk, a security and privacy expert and assistant professor of computer science at the University of Maryland, is at the forefront of human-centered cryptography research. Kaptchuk is developing privacy systems, focusing on a human-centered approach that takes into account how people interact with technology. According to Kaptchuk, cryptography and security are fundamentally social sciences masquerading as mathematics. This article continues to discuss Kaptchuk's research efforts in the realm of human-centered cryptography.

Submitted by Gregory Rigby on