
Instead of fixing WoW’s new floating house exploit, Blizzard makes it official

11 December 2025 at 18:03

Long-time World of Warcraft players have been waiting 21 years for the new in-game housing features that Blizzard officially announced last year and which launched in early access last week. Shortly after that launch, though, players quickly discovered a way to make their houses float high above the ground by exploiting an unintended, invisible UI glitch.

Now, Blizzard says the response to that accidental house hovering has been so strong that it’s pivoting to integrate it as an official part of the game.

“We were going to fix flying houses to bring them back to terra firma, but you all made such awesome stuff, so we made it possible with the base UI instead,” WoW Principal Designer Jesse Kurlancheek posted on social media Tuesday. Lead Producer Kyle Hartline followed up on that announcement with some behind-the-scenes gossip: “Like no joke we had an ops channel about how to roll out the float fix but folks shared like 5 of the dopest houses and we all kinda immediately agreed this was way too cool to change,” he wrote.


Sanctioned Spyware Vendor Used iOS Zero-Day Exploit Chain Against Egyptian Targets

4 December 2025 at 14:47


Google Threat Intelligence Group discovered a full iOS zero-day exploit chain deployed in the wild against targets in Egypt, revealing how sanctioned commercial surveillance vendor Intellexa continues purchasing and deploying digital weapons despite US government restrictions and extensive public scrutiny.

The three-stage attack chain was developed by Intellexa to install its Predator spyware, which is known to act as a surveillance tool for its government clients worldwide, onto victim devices.

Google researchers partnered with CitizenLab in 2023 to capture and analyze the complete exploit chain after identifying attacks targeting individuals in Egypt. According to metadata, Intellexa referred to this exploit chain internally as "smack," with compilation artifacts revealing the build directory path including the codename.

First Stage: Purchased Safari Exploit

The initial stage leveraged a Safari remote code execution zero-day that Apple patched as CVE-2023-41993. The exploit utilized a framework internally called "JSKit" to achieve arbitrary memory read and write primitives, then execute native code on modern Apple devices.

Google researchers assessed with high confidence that Intellexa acquired its iOS RCE exploits from an external entity rather than developing them internally. The identical JSKit framework has appeared in attacks by other surveillance vendors and government-backed threat actors since 2021.

In 2024, Google publicly reported that Russian government-backed attackers used this exact same iOS exploit and JSKit framework in a watering hole attack against Mongolian government websites.


The framework also appeared in another surveillance vendor's exploitation of CVE-2022-42856 in 2022. The JSKit framework is well-maintained, supports a wide range of iOS versions, and is modular enough to support different Pointer Authentication Code bypasses and code execution techniques. The framework can parse in-memory Mach-O binaries to resolve custom symbols and manually map and execute Mach-O binaries directly from memory, with each exploitation step tested carefully.

Debug strings at the RCE exploit entry point indicated Intellexa tracked it internally as "exploit number 7," suggesting the external supplier likely possesses a substantial arsenal of iOS exploits targeting various versions.

Second Stage: Sandbox Escape and Privilege Escalation

The second stage represents the most technically sophisticated component of the chain, breaking out of the Safari sandbox and executing an untrusted third-stage payload as system by abusing kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992. This stage communicates with the first stage to reuse primitives like PAC bypass and offers kernel memory read and write capabilities to the third stage.

The technical sophistication of these exploits, especially compared to the less sophisticated spyware stager, supports Google's assessment that Intellexa likely acquired the exploits from another party rather than developing them internally.

Third Stage: Spyware Deployment and Anti-Detection

The third stage, tracked by Google Threat Intelligence Group as PREYHUNTER, comprises two modules called "helper" and "watcher." The watcher module monitors crashes and ensures the infected device does not exhibit suspicious behavior, generating notifications and terminating the exploitation process if anomalies are detected.

The module detects multiple indicators including developer mode, console attachment, US or Israeli locale settings, Cydia installation, presence of security research tools like Bash, tcpdump, frida, sshd or checkrain processes, antivirus software from McAfee, Avast or Norton, custom HTTP proxy setup, and custom root certificate installation.

The helper module communicates with other exploit components via a Unix socket and can hook various system functions using custom frameworks called DMHooker and UMHooker. These hooks enable basic spyware capabilities including recording VOIP conversations, running keyloggers, and capturing pictures from the camera. The module hooks into SpringBoard to hide user notifications caused by surveillance actions.

Google researchers believe these capabilities allow operators to verify the infected device is the correct target before deploying more sophisticated spyware like Predator.

Prolific Zero-Day Exploitation Record

Intellexa is responsible for 15 unique zero-day vulnerabilities out of approximately 70 discovered and documented by Google's Threat Analysis Group since 2021, including Remote Code Execution, Sandbox Escape, and Local Privilege Escalation vulnerabilities. All have been patched by respective vendors.

Beyond iOS exploitation, Intellexa deployed a custom Chrome framework with CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and most recently CVE-2025-6554 in June 2025, observed in Saudi Arabia. All these vulnerabilities in Chrome's V8 engine can leak TheHole object for code execution.

Google delivered government-backed attack warnings to several hundred accounts across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan associated with Intellexa customers since 2023. The company added all identified websites and domains to Safe Browsing to safeguard users from further exploitation.

New Shai-Hulud Attack Hits Nearly 500 npm Packages with 100+ Million Downloads

24 November 2025 at 15:29


A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads.

The new campaign targeting the packages used to run JavaScript outside of a browser was reported by Aikido and other security firms. Aikido noted that a total of 492 packages have been affected by the self-replicating worm, and more than 25,000 compromised repositories labeled “Sha1-Hulud: The Second Coming” have been created containing sensitive information like passwords, API keys, cloud tokens, and GitHub or npm credentials.

“The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks,” Aikido’s Charlie Eriksen said. “With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline.”

Shai-Hulud Attack Affects Packages from Zapier, AsyncAPI and Others

Shai-Hulud, named after the giant sandworms from Dune, is a self-replicating npm worm built to spread quickly through compromised developer environments. The latest attack has hit major npm packages from the likes of Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman.

“Once it infects a system, it searches for exposed secrets such as API keys and tokens using TruffleHog and publishes anything it finds to a public GitHub repository,” Eriksen said. “It then attempts to push new copies of itself to npm, helping it propagate across the ecosystem, while exfiltrating data back to the attacker.”

If a developer installs one of these malicious packages, the malware runs quietly during installation before anything even finishes installing, giving the malware access to the developer’s machine, build systems, or cloud environment, he said. If stolen secrets include access to code repositories or package registries, attackers can use those secrets to break into additional accounts and publish more malicious packages, spreading the attack even further.

“Because trusted ecosystems were involved and millions of downloads are affected, any team using NPM should immediately check whether they were impacted and rotate any credentials that may have leaked,” Eriksen said.

Shai-Hulud Worm Details

Ashish Kurmi of Step Security noted that the latest evolution of the malware “disguises the entire payload as a helpful Bun installer.” The core payload - bun_environment.js - is 10MB and uses “extreme obfuscation techniques,” Kurmi added. These include “a massive hex-encoded string array containing thousands of entries,” an anti-analysis loop “that performs millions of arithmetic operations,” and every string in the code is retrieved through an obfuscated function.

The malware delays full execution on developer machines by “forking itself into the background,” Kurmi said. “The user’s terminal returns instantly, giving the illusion of a normal install, while seconds later a completely detached process begins exfiltration.”

“It executes a sophisticated, multi-stage pre-install attack that targets both CI/CD runners and developer workstations with equal effectiveness,” Kurmi said.

Wiz noted that the malware targets AWS, Azure and Google Cloud Platform (GCP) by “bundling official SDKs to operate independently of host tools.”