Cyware Daily Threat Intelligence, January 24, 2025
Daily Threat Briefing • Jan 24, 2025
Hackers are crafting convincing traps by mimicking trusted platforms. Nearly 1,000 fake web pages imitating Reddit and WeTransfer are being used to distribute Lumma Stealer. Fraudsters fake Reddit discussions and provide malicious WeTransfer links, creating an illusion of authenticity.
Juniper edge devices are under attack by J-magic, a stealthy malware that activates only when it detects a specific magic packet. Targeting multiple industries, J-magic’s reverse shell remains dormant until triggered, enabling covert communications.
A flaw in Cloudflare's CDN exposes users’ locations via images sent through apps like Signal and Discord. By exploiting this vulnerability, attackers can pinpoint a target’s location within a 250-mile radius, leveraging Cloudflare's caching system to silently gather data.
Fake Reddit sites drop Lumma Stealer
Hackers are spreading nearly 1,000 fake web pages that imitate Reddit and WeTransfer to distribute Lumma Stealer. On these sites, fraudsters create a false Reddit discussion where one user seeks help with a download and another offers it via a fake WeTransfer link, making the scam seem real. A researcher found 529 pages posing as Reddit and 407 as WeTransfer.
Magic Packet malware targets Juniper VPN
A malicious campaign is targeting Juniper edge devices, mainly used as VPN gateways, with the J-magic malware. This malware opens a reverse shell only upon detecting a “magic packet” in network traffic. The attacks focus on organizations in sectors like semiconductor, energy, manufacturing, and IT. J-magic is a modified version of the cd00r backdoor, remaining silent until it identifies a specific packet, enabling communication with the attacker.
Malware redirects WordPress traffic
An investigation by Sucuri revealed that a customer site, along with nine other websites, was infected with malicious code causing unwanted redirects. The harmful code was found in the theme's functions.php file. Through SiteCheck, the malware was identified as Known JavaScript Malware: redirect? fake_click.1. The code checks for a specific cookie so that it runs only once per session, which helps it stay undetected. It also skips execution for logged-in WordPress users and filters requests based on certain user agents.
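As an added defender's example (not part of this briefing and not Sucuri's or SiteCheck's tooling), the heuristic below scores a WordPress theme file on the evasion traits described above, a session-cookie guard, a logged-in-user exclusion and user-agent filtering, when they appear together with a redirect. Both PHP inputs are constructed samples: one mimics the guarded redirect pattern, the other is an ordinary members-only gate that legitimately combines a login check with a redirect.

```python
import re

# Indicators drawn from the behaviour described in the write-up above.
INDICATORS = {
    "cookie_guard": re.compile(r"\$_COOKIE\s*\[", re.I),
    "skips_logged_in": re.compile(r"!\s*is_user_logged_in\s*\(", re.I),
    "ua_filter": re.compile(r"HTTP_USER_AGENT", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|window\.location|wp_redirect\s*\(", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def find_indicators(source: str) -> set[str]:
    """Return the names of every indicator present in a PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}

def is_suspicious(source: str, threshold: int = 3) -> bool:
    """A redirect alone is normal theme code; flag it only when it is wrapped
    in enough of the evasion guards (cookie, logged-in, user-agent) to look
    like a visitor-only redirect that hides from admins and scanners."""
    hits = find_indicators(source)
    return "redirect" in hits and len(hits) >= threshold

# Constructed sample: a guarded redirect injected at the top of functions.php.
SAMPLE_INJECTED = r"""<?php
if (!isset($_COOKIE['_rd_seen']) && !is_user_logged_in()) {
    if (!preg_match('/bot|crawl|spider/i', $_SERVER['HTTP_USER_AGENT'])) {
        setcookie('_rd_seen', '1', time() + 86400, '/');
        header('Location: https://example.invalid/');
        exit;
    }
}
"""

# Constructed sample: a benign theme that gates one page behind login.
SAMPLE_CLEAN = r"""<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
add_action('template_redirect', function () {
    if (is_page('members') && !is_user_logged_in()) {
        wp_redirect(wp_login_url());
        exit;
    }
});
"""

if __name__ == "__main__":
    for label, src in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, sorted(find_indicators(src)), "suspicious:", is_suspicious(src))
```

The threshold keeps the benign login gate (two indicators) below the line while the guarded redirect (four) is flagged; tune it against your own theme corpus before using it in a scan.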
Zero-click Outlook RCE flaw
Microsoft issued a critical patch to address CVE-2025-21298, a zero-click RCE flaw in Windows OLE. The vulnerability impacts millions of systems and requires minimal user interaction: it can be triggered simply by previewing a harmful RTF file in Microsoft Outlook. Affected systems range from Windows Server 2008 to Server 2025 and include Windows 10/11 workstations, with specially crafted RTF files able to execute remote code. A public PoC has been released online, indicating an increased risk of exploitation.
Cloudflare CDN bug deanonymizes user locations
A flaw in Cloudflare CDN can reveal someone’s location through images sent via apps like Signal and Discord, making users vulnerable without their knowledge. The flaw enables an attacker to determine a target’s location within a 250-mile radius if a vulnerable app is on their device. The issue centers around Cloudflare's caching feature, which saves copies of frequently accessed content to improve performance.
Critical flaw in Next.js
A new report has revealed security issues in the popular open-source framework Next.js, showing how improper caching can lead to serious server-side cache poisoning attacks. The research highlights vulnerabilities in two main functions: getStaticProps (SSG) and getServerSideProps (SSR). Attackers can exploit caching misconfigurations to inject harmful responses that can cause DoS and stored XSS vulnerabilities.