Chrome 0-Day, AI Hacking Tools, DDR5 Bit-Flips, npm Worm & More

Sep 22, 2025 | Ravie Lakshmanan


The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach.

This week’s recap explores the trends driving that constant churn: how threat actors reuse proven tactics in unexpected ways, how emerging technologies widen the attack surface, and what defenders can learn before the next pivot.

Read on to see not just what happened, but what it means—so you can stay ahead instead of scrambling to catch up.

⚡ Threat of the Week

Google Patches Actively Exploited Chrome 0-Day — Google released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability, CVE-2025-10585, has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. The company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. “Google is aware that an exploit for CVE-2025-10585 exists in the wild,” it acknowledged. CVE-2025-10585 is the sixth zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.

🔔 Top News

  • AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads — A new artificial intelligence (AI)-native penetration testing tool called Villager has reached nearly 11,000 downloads on the Python Package Index (PyPI) just two months after release. The rapid adoption of what appears to be a legitimate tool echoes the trajectory of Cobalt Strike, Sliver, and Brute Ratel C4 (BRc4), which were created for legitimate use but have since become some of the favorite tools among cybercriminals. The release of Villager has also raised concerns over dual-use abuse, with threat actors potentially misusing it to run advanced intrusions with speed and efficiency.
  • RowHammer Attack Against DDR5 RAM From SK Hynix — Researchers have devised a new technique to trigger RowHammer bit flips inside the memory cells of DDR5 RAM modules, which were believed to be protected against such attacks. The attack allows controlled memory modification, leading to privilege escalation exploits or the leaking of sensitive data stored in restricted memory regions. “Our reverse-engineering efforts show that significantly longer RowHammer patterns are nowadays necessary to bypass these new protections,” the researchers said. “To trigger RowHammer bit flips, such patterns need to remain in-sync with thousands of refresh commands, which is challenging. Our new RowHammer attack, called Phoenix, resynchronizes these long patterns as necessary to trigger the first DDR5 bit flips in devices with such advanced TRR protections.”
  • Scattered Spider Members Arrested — Law enforcement authorities in the U.K. arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency. Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were arrested at their home addresses. In parallel, the U.S. Department of Justice (DoJ) unsealed a complaint charging Jubair with conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and the extortion of 47 U.S. entities from May 2022 to September 2025. Victims of the ransomware attacks paid at least $115,000,000. In a related but separate announcement, the Las Vegas Metropolitan Police Department said a teenage male turned himself in on September 17, 2025, for allegedly attacking multiple Las Vegas casino properties between August and October 2023. The juvenile suspect has been charged with three counts of Obtaining and Using Personal Identifying Information of Another Person to Harm or Impersonate Person, one count of Extortion, one count of Conspiracy to Commit Extortion, and one count of Unlawful Acts Regarding Computers. The arrests came as 15 well-known e-crime groups, including Scattered Spider, ShinyHunters, and LAPSUS$, announced that they are shutting down their operations. The collective announcement was posted on BreachForums, where the groups claimed they had achieved their goal of exposing weaknesses in digital infrastructure rather than profiting through extortion. While it is entirely possible that some members have decided to step back and enjoy their earnings, that does not stop copycat groups from rising up to take their place, or the same threat actors from resurfacing under a different brand.
  • Gamaredon and Turla Join Hands to Strike Ukraine — The Russian hacker group known as Turla has carried out some of the most innovative hacking feats in the history of cyber espionage, including hijacking other hackers’ operations to cloak its own data extraction. Even when operating on its home turf, it has adopted equally remarkable methods, such as using its control of Russia’s internet service providers to plant spyware directly on the computers of targets in Moscow. The latest approach involves leveraging the access obtained by fellow FSB group Gamaredon to selectively target high-value victims with a backdoor known as Kazuar. The development marks the first known cases of collaboration between Gamaredon and Turla.
  • Microsoft and Cloudflare Dismantle RaccoonO365 PhaaS — Microsoft’s Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that was behind a phishing-as-a-service (PhaaS) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024. RaccoonO365 is marketed to other cybercriminals under a subscription model, allowing them to mount phishing and credential harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999. Cloudflare said it banned all identified domains, placed interstitial “phish warning” pages in front of them, terminated the associated Workers scripts, and suspended the user accounts.
  • Self-Replicating Worm Hits npm Registry — Another software supply chain attack hit the npm registry, this time infecting several packages with a self-replicating worm that searches developer machines for secrets using TruffleHog’s credential scanner and transmits them to an external server under the attacker’s control. The attack is capable of targeting both Windows and Linux systems. The incident is estimated to have affected over 500 packages.

🔥 Trending CVEs

Hackers don’t wait. They exploit newly disclosed vulnerabilities