The Hacker News

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

Two fake spellchecker packages on PyPI hid a Python RAT in dictionary files, activating malware on import in version 1.2.0.

Critical sandbox escape flaw discovered in popular vm2 NodeJS library

A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system.
Cybernews

North Korea is turning open-source projects into malware traps

North Korea is doubling down on a familiar playbook by weaponizing trust in open-source software and developer workflows. The ...

He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive

A source trapped inside an industrial-scale scamming operation contacted me, determined to expose his captors’ crimes—and ...
The Hacker News

Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

A critical Grist-Core flaw (CVE-2026-24002, CVSS 9.1) allows remote code execution through malicious formulas when Pyodide ...

Malicious Microsoft AI extensions might have hit over 1.5 million users

Two VSCode extensions are harvesting sensitive data and sending it to China.

3 risks hindering enterprise-ready AI — and how low-code workflows help

This is particularly high-risk for enterprises, like financial systems or anything touching personal data, where data leakage ...
Pocket Tactics

Dueling Grounds codes January 2026

January 26, 2026: We added a new Dueling Grounds code to our list for 500 coins and 75 gems! We also removed some expired codes If you want to get yourself an advantage, you should really grab some ...