code Archives

Winsage

April 7, 2026

Disgruntled researcher drops “BlueHammer” Windows zero-day LPE exploit

A security researcher, known as "Nightmare-Eclipse," released proof-of-concept exploit code for a Windows zero-day vulnerability called "BlueHammer," which allows local privilege escalation (LPE). The exploit has been validated by another researcher, Will Dormann, who confirmed it can escalate privileges on Windows systems, allowing non-administrative users to gain SYSTEM-level access. The exploit's reliability varies across different Windows versions, with inconsistent success rates reported. Microsoft has not acknowledged the vulnerability or provided a patch, raising concerns about potential exploitation by threat actors. Users are advised to restrict local user access, monitor for suspicious activity, and enable advanced endpoint protection.

AppWizard

April 7, 2026

Perplexity is changing its wake word from ‘Hey Plex,’ and here’s the proof

Users of the Samsung Galaxy S26 reported issues with the integration of Perplexity AI, specifically that the app was missing from the voice wake-up list and the wake word "Hey Plex" was not functioning. Samsung described the situation as part of an "ongoing product refinement process" but did not clarify the cause. Perplexity CEO Aravind Srinivas hinted at a transition to a new wake word, "Hey Perplexity," which is supported by an update to the Perplexity Android app (version 2.81.2) that prepares for this change. The app is being updated with screens related to the new command, indicating that the transition is in progress. Speculation suggests that the change may be to differentiate from the Plex media service and address potential pronunciation challenges. An APK teardown can provide insights into future features, but there is no guarantee they will be included in a public release.

AppWizard

April 7, 2026

Researchers find 50 ‘dangerous’ Android apps that are secretly hijacking phones: Who is at risk

Recent findings from McAfee have revealed a malware campaign named Operation NoVoice that has infiltrated over 50 applications on the Google Play Store, which collectively received over 2.3 million downloads before being removed. The malware uses a rootkit attack strategy to gain administrator-level control of Android devices while remaining undetected. Affected apps appeared benign, performing tasks like cleaning files or managing photos, but were secretly communicating with a remote server to send device information. This allowed attackers to deploy custom exploit code, achieving root-level access and posing significant security risks. The malware persists even after factory resets, potentially requiring firmware reinstallation for complete removal. Users with older or unpatched Android versions are at greater risk, as well as anyone who downloaded the compromised apps.

AppWizard

April 7, 2026

Join our Twitch Tiny Takeover

The Twitch Tiny Takeover campaign, a collaboration between Twitch and Mojang Studios, will launch on April 6th at 9:00 AM PT. Streamers can participate by streaming at least one hour of Minecraft gameplay and may earn up to ,000. Viewers can earn hats by watching Minecraft streams for five minutes and can obtain a Baby Chick Badge by purchasing or gifting a subscription. Streamers must be part of the Twitch Affiliate Program to qualify for rewards. Rewards will be sent to Twitch inboxes and can be redeemed on Minecraft.net.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

AppWizard

April 6, 2026

Dangerous “NoVoice” malware found in over 50 Play Store apps that were installed 2.3 million times

A new malware threat called "NoVoice" has been found in over 50 applications on the Google Play Store, with 2.3 million installations on Android devices. Discovered by McAfee, this malware is hidden in seemingly harmless apps like system cleaners, games, and image galleries. It exploits Android vulnerabilities to gain root access, potentially allowing attackers to steal sensitive information and manipulate applications without user consent. In some cases, it may persist even after a factory reset. Google has stated that Android devices updated since May 2021 are protected against this threat and that Google Play Protect actively removes malicious apps and blocks new installations. The malware was not able to infect devices in Beijing and Shenzhen, suggesting the attackers may be avoiding local law enforcement. One identified app carrying the NoVoice payload is SwiftClean, developed by Biodun Popoola. The malware operates using a silent audio file, executing its code without user detection. Users are advised to download apps only from the Google Play Store and keep their devices updated.

Winsage

April 6, 2026

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code for a Windows privilege escalation vulnerability, named BlueHammer, has been released, allowing attackers to gain SYSTEM or elevated administrator permissions. This zero-day vulnerability was disclosed by a researcher, Chaotic Eclipse, who expressed frustration with Microsoft's handling of the issue. The exploit combines a time-of-check to time-of-use (TOCTOU) issue with path confusion, granting local attackers access to the Security Account Manager (SAM) database, which contains password hashes for local accounts. While the exploit is confirmed to work, it has been found unsuccessful on Windows Server due to bugs that hinder its effectiveness. Attackers can gain local access through various means, raising significant security risks. Microsoft has not yet responded to inquiries about the BlueHammer flaw.

Winsage

April 6, 2026

Why Microsoft is forcing Windows 11 25H2 update on all eligible PCs

Microsoft has announced that eligible Windows 11 PCs currently on the 24H2 version will be automatically upgraded to the 25H2 edition, with no user action required, although users can temporarily postpone the update. The eligibility assessment for the update uses machine learning, considering factors such as testing results, user feedback, and diagnostic data. The update is mandatory for individual users of Windows 11 Home or Pro editions, as support for 24H2 will expire on October 13, ending security patches for that version. IT-managed computers are excluded from this automatic update. Users can check for eligibility by navigating to Settings and selecting Windows Update. The 25H2 update is designed to be more compact and efficient, updating only necessary files and sharing the same code base as 24H2, which improves stability and reliability. To check the current version of Windows 11, users can go to Settings, select System, and click on About.

AppWizard

April 6, 2026

Slack Messenger: Revolutionizing Team Communication

Slack Messenger is a cloud-based platform for workplace collaboration that enhances team communication through real-time messaging, file sharing, and workflow integrations. Since its launch in 2013, it has replaced traditional email chains with organized channels for discussions and direct messaging. Users can create dedicated channels for specific projects, utilize threaded replies for clarity, and send targeted notifications through mentions. Key features include an intuitive interface accessible on various devices, unlimited message history on paid plans, voice and video huddles, and support for over 2,600 applications like Google Workspace and Salesforce. Security features include data encryption and compliance with regulations such as GDPR and HIPAA. Slack is used across various sectors including project management, customer support, and engineering, and is widely adopted by companies like IBM, Shopify, and NASA. On a daily basis, teams use Slack for status updates, file sharing, and conducting polls. For larger organizations, it offers multi-workspace setups and analytics. A free tier is available for freelancers and small teams, while its mobile app facilitates coordination for gig economy workers. Slack operates in over 150 countries and supports multiple languages. The collaboration software market, valued at over a billion dollars, continues to grow, driven by hybrid work demands. Competitors include Microsoft Teams, Discord, and Mattermost, although Slack remains distinguished by its integrations. Slack is supported by AWS cloud infrastructure and boasts an uptime of 99.99%. Recent updates introduced AI features aimed at enhancing efficiency. Salesforce acquired Slack in 2020 for .7 billion, integrating it into its Customer 360 ecosystem while maintaining its standalone brand. Slack is publicly listed under the ISIN US79466L3024.

Winsage

April 5, 2026

Microsoft Ships Emergency Windows 11 Fix for Broken Patch

On March 31, Microsoft released emergency update KB5086672 in response to issues caused by the previous preview patch KB5079391, which left many Windows 11 devices in a loop with error code 0x80073712, blocking access to March security fixes. Microsoft withdrew KB5079391, which was launched on March 26, and replaced it with KB5086672, a cumulative update that includes all fixes from March 2026. KB5086672 supersedes previous updates, including KB5079473, KB5085516, and KB5079391. Users with the "Get the latest updates as soon as they’re available" setting will receive KB5086672 automatically, while others can manually check for updates or download it from the Microsoft Update Catalog. Microsoft has been issuing multiple emergency updates recently, raising concerns about the quality of its update pipeline, with a history of emergency patches for various issues affecting Windows 10, Windows 11, and Windows Server. The issues from KB5079391 may resurface in the upcoming April cumulative update.