This content originally appeared on DEV Community and was authored by Habdul Hazeez
Malware, vulnerabilities, and a spice of AI deepfake are what we’re going to review this week.
Welcome everyone, how are you preparing for the weekend? Let me know in the comments section.
Here’s how deepfake vishing attacks work, and why they can be hard to detect
In a situation where the other party on the call with you is urging you to act, stay calm, it might be a vishing attack. And by the way, here is a funny Instagram Reel that shows how you can fall victim to vishing.
From the article:
Precautions for preventing such scams from succeeding can be as simple as parties agreeing to a randomly chosen word or phrase that the caller must provide before the recipient complies with a request. Recipients can also end the call and call the person back at a number known to belong to the caller. But it’s best to follow both steps.
Android adware: What is it, and how do I get it off my device?
If you have ever been affected by Android adware, this article is for you. Read it and follow the advice in the article.
The following should get you started:
If you think your device may have already been compromised with adware, disconnect your device from Wi-Fi and mobile data. Reboot it in Safe Mode (this will vary from device to device), then go to Settings > Apps and notifications > See all apps and uninstall anything that looks suspicious. It may also be necessary to clear your browser cache and cookies.
Chrome Sandbox Escape Earns Researcher $250,000
It’s a lot of money. If there is any factor that will serve as motivation for anyone to start a career in bug hunting, this is the one. But, wait. You’re not here for the money. I know. Now, let’s switch back to what happened, leading to the escape and then the payout.
Here you go:
The vulnerability, tracked as CVE-2025-4609, was reported to Google on April 22 by a researcher who uses the online moniker ‘Micky’. Google described CVE-2025-4609 as a “very complex logic bug and high quality report with a functional exploit, with good analysis and demonstration of a sandbox escape”.
The researcher said his PoC exploit achieved a sandbox escape and system command execution — he opened the calculator app to demonstrate the exploit — with a success rate of 70-80%.
WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately
If you’re not using the latest version of WinRAR, pause now, update, and come back. You done?
Here is what happened:
Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.
The development is the second time a WinRAR security vulnerability has been weaponized in the wild in as many years.
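As an added defender-side illustration (not code from the article or from the WinRAR project), the same class of path-traversal archive entry can be screened before anything is extracted; the sample archive and member names below are constructed, and Python's zipfile stands in for the RAR format purely because it is in the standard library:

```python
"""Screen archive member names for path traversal before extraction.

Added example: CVE-2025-8088 concerns WinRAR's handling of RAR files; the
zip archive here is a constructed stand-in used only to exercise the check.
"""
import io
import zipfile


def is_unsafe_entry(name: str) -> bool:
    """Return True if an archive member name could escape the target directory."""
    # Archives may store either separator; normalize to '/' before checking.
    normalized = name.replace("\\", "/")
    # Absolute paths and Windows drive letters (e.g. 'C:/...') are unsafe.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    # Any '..' path component lets the entry climb out of the extraction root.
    return ".." in normalized.split("/")


def find_unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Return the member names in a zip archive that fail the traversal check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n)]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and two traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would land outside the target dir")
        zf.writestr("C:/Users/Public/payload.txt", "absolute path entry")
    return buf.getvalue()


if __name__ == "__main__":
    # An extractor should refuse the whole archive if any name fails the check.
    for name in find_unsafe_entries(build_sample_archive()):
        print("REJECT:", name)
```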
Flaws in Major Automaker’s Dealership Systems Allowed Car Hacking, Personal Data Theft
At the time of writing, the affected automaker has not been named. Nonetheless, this shows that car hacking is still a thing.
From the article:
The goal of this research is not to call out one company — it’s to highlight broader, systemic risks in dealer-manufacturer platforms that often fly under the radar. Naming names shifts the conversation away from what really matters: improving security across the industry.
‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks
It’s not always good news when you read “DDoS Attack” in an article’s title. The same applies here. To make it worse, this MadeYouReset attack is reportedly difficult to detect because it blends with normal traffic. The excerpt below details the affected software.
The underlying vulnerability, tracked as CVE-2025-8671, has been found to impact projects and organizations such as AMPHP, Apache Tomcat, the Eclipse Foundation, F5, Fastly, gRPC, Mozilla, Netty, Suse Linux, Varnish Software, Wind River, and Zephyr Project.
Credits
Cover photo by Debby Hudson on Unsplash.
That’s it for this week, and I’ll see you next time.