Cybersecurity News: Google uncovers PROMPTFLUX, CISA warns of CentOS Web Panel bug, Threat group targets academics

In today’s cybersecurity news…

Google uncovers PROMPTFLUX malware

Google says it identified an experimental malware called PROMPTFLUX that uses Gemini to continuously rewrite its own VBScript code to avoid detection. The malware requests new obfuscation instructions from the Gemini API and saves updated versions to persist and spread, though it currently appears to still be in testing and lacks full attack capabilities. The discovery reflects a broader trend of threat actors using AI systems to dynamically adapt malware during execution. (The Hacker News)

CISA warns of CentOS Web Panel bug

CISA warned that a critical remote code execution flaw in CentOS Web Panel (CWP) is being actively exploited, letting unauthenticated attackers who know a valid username execute arbitrary shell commands. It affects all CWP versions before 0.9.8.1204 and was patched in version 1205. Federal agencies must apply updates or stop using CWP by November 25th. The flaw stems from unsanitized input in the file-manager changePerm endpoint, which enables shell injection and reverse shells. (BleepingComputer)

Threat group targets academics

Proofpoint identified a previously unknown threat group, dubbed UNK_SmudgedSerpent, that targeted academics and foreign policy experts focused on Iran between June and August. The group initiated benign email conversations before moving to credential theft and malware delivery, impersonating think tank figures and using spoofed collaboration links tied to health-themed infrastructure. The campaign blended tactics associated with several Iranian-linked clusters, but researchers say the overlap isn’t strong enough for firm attribution. (Infosecurity Magazine)

Operational technology security poses manufacturing risks

Despite rising awareness, manufacturers continue to face major operational technology (OT) security challenges, according to Dark Reading. Legacy systems, sprawling access points, and human error are leaving factories vulnerable, while the integration of cloud and AI-driven tools is expanding attack surfaces. Recent incidents, including a ransomware attack on Asahi, have highlighted both financial and supply chain impacts. Security experts say identity-focused strategies, governance, and full visibility across OT assets are essential to reduce risks and improve resiliency. (Dark Reading)

Huge thanks to our sponsor, ThreatLocker

Cybercriminals don’t knock — they sneak in through the cracks other tools miss. That’s why organizations are turning to ThreatLocker. As a zero-trust endpoint protection platform, ThreatLocker puts you back in control, blocking what doesn’t belong and stopping attacks before they spread. Zero Trust security starts here — with ThreatLocker

Google gets the green light to acquire Wiz

Google’s $32 billion acquisition of cloud security startup Wiz cleared U.S. antitrust review, moving the deal closer to completion. Wiz CEO Assaf Rappaport said while the DOJ approval is a milestone, the acquisition isn’t finalized, but expected to close in early 2026. Google initially offered $23 billion in 2024, which Wiz rejected, later agreeing to the $32 billion deal in March 2025 after renewed negotiations. (TechCrunch)

AMD bug kills cryptographic security

AMD is releasing a microcode patch for a high-severity flaw affecting Zen 5 Ryzen and Epyc CPUs that use the 16-bit and 32-bit forms of the RDSEED instruction. The bug can return 0 instead of a random number, potentially weakening cryptographic keys. Exploitation requires local privileges, meaning attackers already have significant system access. Workarounds include using 64-bit RDSEED or disabling the function via boot/VM options. Patches are available for the Epyc 9005 series; fixes for Ryzen and other Epyc Embedded series are expected by January. (The Register)
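The practical lesson from the RDSEED item is that code consuming a hardware seed source should treat a zero result as a failure rather than as entropy, and should fail closed after a bounded number of retries. The following is an added example (not AMD's or any library's code) of such a validation wrapper. The real instruction is not executed; the seed sources are constructed stand-ins that follow the RDSEED contract (a success flag plus an output value) so the logic runs on any machine. All function names here are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A seed source mimics the RDSEED contract: returns true when it claims to
 * have produced a value (the hardware "carry flag set" case) and writes that
 * value to *out. The sources below are constructed stand-ins, not hardware. */
typedef bool (*seed_source_fn)(uint64_t *out);

#define SEED_MAX_RETRIES 8

/* Hardened wrapper: a value is accepted only if the source reports success
 * AND the value is non-zero. A zero from a hardware seed source is treated as
 * a failure and retried a bounded number of times. Returns true only when a
 * usable seed was obtained; on false the caller must fail closed. */
bool get_validated_seed(seed_source_fn source, uint64_t *seed)
{
    for (int attempt = 0; attempt < SEED_MAX_RETRIES; attempt++) {
        uint64_t v = 0;
        if (!source(&v)) {
            continue; /* source not ready: retry */
        }
        if (v == 0) {
            continue; /* reject a zero result; never use it as key material */
        }
        *seed = v;
        return true;
    }
    return false;
}

/* ---- constructed stand-in sources for demonstration ---- */

/* Models the faulty behaviour: reports success but yields 0 every time. */
bool faulty_source_always_zero(uint64_t *out) { *out = 0; return true; }

/* Models a source that yields 0 twice, then a usable value. */
int flaky_calls = 0;
bool flaky_source(uint64_t *out)
{
    flaky_calls++;
    if (flaky_calls <= 2) { *out = 0; return true; }
    *out = 0x9e3779b97f4a7c15ULL; /* constructed constant, not random */
    return true;
}

/* Models a healthy source. */
bool healthy_source(uint64_t *out)
{
    *out = 0x243f6a8885a308d3ULL; /* constructed constant, not random */
    return true;
}

int main(void)
{
    uint64_t s;
    printf("faulty source:  %s\n",
           get_validated_seed(faulty_source_always_zero, &s) ? "seed" : "FAIL CLOSED");
    flaky_calls = 0;
    printf("flaky source:   %s\n",
           get_validated_seed(flaky_source, &s) ? "seed" : "FAIL CLOSED");
    printf("healthy source: %s\n",
           get_validated_seed(healthy_source, &s) ? "seed" : "FAIL CLOSED");
    return 0;
}
```

Rejecting zero is a coarse check; it does not make a broken source trustworthy, and the real mitigation is the microcode fix or the 64-bit variant mentioned above. Its value is that a silently degraded seed can never reach key generation unnoticed.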

Court reimposes original sentence for Capital One hacker

U.S. District Judge Robert Lasnik reimposed former Amazon Web Services engineer Paige Thompson's sentence for the 2019 Capital One breach affecting over 100 million people. After time served, she will serve five years of supervised release, three years of home confinement, and 250 hours of community service, and the $40.7 million restitution order remains in place. The resentencing follows a Ninth Circuit ruling vacating her original 2022 sentence. (CyberScoop)

M&S profits tumble after cyber attack

How much does a cyberattack affect your bottom line? A dramatic example is UK retailer Marks & Spencer, whose pre-tax profits fell from £391.9m to £3.4m after an April attack disrupted its systems, closed its website, and caused stock and food waste issues. The incident cost the company £101.6m, partly offset by £100m in cyber insurance. The attack was linked to the Scattered Lapsus$ Hunters gang, also affecting Co-op, Harrods, and Jaguar Land Rover. (Computer Weekly)

Critical flaw affects WordPress sites

A vulnerability in the WordPress plug-in Post SMTP, installed on more than 400,000 sites, lets attackers take over accounts and websites. The flaw stems from missing capability checks, letting unauthenticated actors reset passwords, including for admins. Attacks began November 1st with 4,500 blocked so far. Post SMTP released version 3.6.1 on Oct. 29th to patch the issue. Users are urged to update immediately, with broader exploitation campaigns expected. (Dark Reading)