News

• OpenCart websites were silently injected with malware that mimics trusted tracking scripts
• Script hides in analytics tags and quietly swaps real payment forms for fake ones
• Obfuscated JavaScript allowed attackers to slip past detection and launch credential theft in real time

A new Magecart-style attack has raised concerns across the cybersecurity landscape, targeting ecommerce websites which rely on the OpenCart CMS.

The attackers injected malicious JavaScript into landing pages, cleverly hiding their payload among legitimate analytics and marketing tags such as Facebook Pixel, Meta Pixel, and Google Tag Manager.

Exepers from c/side, a cybersecurity firm that monitors third-party scripts and web assets to detect and prevent client-side attacks, says the injected code resembles a standard tag snippet, but its behavior tells a different story.

This particular campaign disguises its malicious intent by encoding payload URLs using Base64 and routing traffic through suspicious domains such as /tagscart.shop/cdn/analytics.min.js, making it harder to detect in transit.

At first, it appears to be a standard Google Analytics or Tag Manager script, but closer inspection reveals otherwise.

When decoded and executed, the script dynamically creates a new element, inserts it before existing scripts, and silently launches additional code.

The malware then executes heavily obfuscated code, using techniques such as hexadecimal references, array recombination, and the eval() function for dynamic decoding.

The key function of this script is to inject a fake credit card form during checkout, styled to appear legitimate.

Once rendered, the form captures input across the credit card number, expiration date, and CVC. Listeners are attached to blur, keydown, and paste events, ensuring that user input is captured at every stage.

Importantly, the attack doesn’t rely on clipboard scraping, and users are forced to manually input card details.

After this, data is immediately exfiltrated via POST requests to two command-and-control (C2) domains: //ultracart[.]shop/g.php and //hxjet.pics/g.php.

In an added twist, the original payment form is hidden once the card information is submitted - a second page then prompts users to enter further bank transaction details, compounding the threat.

What stands out in this case is the unusually long delay in using the stolen card data, which took several months instead of the typical few days.

The report reveals that one card was used on June 18 in a pay-by-phone transaction from the US, while another was charged €47.80 to an unidentified vendor.

This breach shows a growing risk in SaaS-based e-commerce, where CMS platforms like OpenCart become soft targets for advanced malware.

There is therefore a need for stronger security measures beyond basic firewalls.

Automated platforms like c/side claim to detect threats by spotting obfuscated JavaScript, unauthorized form injections, and anomalous script behavior.

As attackers evolve, even small CMS deployments must remain vigilant, and real-time monitoring and threat intelligence should no longer be optional for e-commerce vendors seeking to secure their customers’ trust.

• Downloaded something dodgy? These are the best malware removal tools
• Nail the basics with the best firewalls available now
• DOGE employee leaks private xAI API key from sensitive database

• ChatGPT can’t tell if a site was hacked, expired, or repurposed for casino spam
• AI-generated answers may seem reliable, even when they cite completely hijacked and fake sources
• Expired charity domains are reborn as gambling sites and still pass as trustworthy AI sources

ChatGPT is quickly becoming a go-to source for people seeking recommendations, from online services to local businesses, but new evidence suggests its AI-generated suggestions may not always be grounded in trustworthy sources.

In fact, some are being drawn from websites that have either been hacked or whose domains have expired and been repurposed, often to promote online casinos and gambling platforms.

Over the past several months, James Brockbank, managing director and founder at Digitaloft, has been documenting how widespread the problem has become, uncovering examples of ChatGPT citing content from sites that have clearly been manipulated.

In one instance, a functioning legal practice’s website, run by attorney Veronica T. Barton, had pages recommending UK casinos buried within it.

“Their site has been hacked and this page added,” Brockbank noted after reviewing the evidence.

In another case, a site once affiliated with a United Nations youth coalition had been transformed into a platform pushing “casinos not on GamStop.”

Although the listicle it hosted contained only one external link, it led to yet another repurposed domain.

The pattern continued with expired domains, including one that had belonged to a now-defunct arts charity previously linked by the BBC, CNN, and Bloomberg.

That domain, now pushing gambling content, was cited by ChatGPT in response to a query about no-deposit casinos.

These tactics exploit weaknesses in how ChatGPT selects and cites sources, as unlike traditional search engines, the model lacks mechanisms for verifying the legitimacy of a site’s ownership or editorial intent.

As a result, content injected onto compromised websites can surface in its answers without any obvious red flags to the user.

ChatGPT appears to favor recent content and still attributes authority based on legacy domain reputation, even when the domain’s content has no continuity with its past - which opens the door for bad actors to manipulate visibility through means that have little to do with credibility.

The bottom line is that users turning to ChatGPT for recommendations should not assume that every answer is backed by a credible source.

A quick check of the cited site’s authority, its history, ownership, and relevance can go a long way in avoiding misleading or harmful suggestions.

• Trump's "One Big Beautiful Bill" set to award $1 billion funding to "offensive cyber operations"
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now

- The first four episodes will be released on September 4
- Entirely new cast, except for Oscar Nuñez, who reprises his role
- The plot follows a declining Midwestern newspaper
- There's no official trailer yet

The Paper is Peacock's follow-up to the hit NBC series The Office, a beloved sitcom that is one of my firm favorites. This is our first time diving into this world since 2013, and I am intrigued to see how it will play out.

While set in the same universe as The Office, the creators have confirmed that The Paper is set in a new company, and we've moved out of Scranton, Pennsylvania, to a new location.

The Office's Greg Daniels and Late Night with Conan O'Brien's Michael Koman are the ones behind the series, so it looks like it's in good hands.

With The Office being such a hit and a show I quote daily, it'll be interesting to see if The Paper can reach the same highs or, at the very least, be a highly entertaining entry into the mockumentary genre.

Here's everything we know about The Paper so far.

A post shared by Rotten Tomatoes (@rottentomatoes)

A photo posted by on

The Paper will be exclusively on Peacock, with the first four episodes dropping on September 4. It will then have a weekly release schedule with two episodes arriving until the season finale on September 10.

So those wanting to binge-watch might be disappointed, but it's definitely nice having a double bill to enjoy each week after the show's four-episode premiere.

Right now, we don't have an official trailer for The Paper, but we should expect to see it closer to the release date.

When it does drop, it's likely fans will be hopeful that it'll match the quality of its predecessor, so the pressure is on for the new Peacock show. Only time will tell, as we haven't seen any video footage from the show yet.

While we don't have a trailer yet, we do know who will be in the cast, and we've got a very familiar face showing up for a new job.

Oscar Nuñez will reprise his role as The Office’s Oscar Martinez, and he's now working in the accounting department at The Truth Teller.

Speaking about his return at an NBCUniversal Upfront, Nuñez said: “I told Mr. Greg Daniels that if Oscar came back, he would probably be living in a more bustling, cosmopolitan city. Greg heard me, and he moved Oscar to Toledo, Ohio, which has three times the population of Scranton. So, it was nice to be heard.”

Elsewhere, we've got a brand new cast, including Domhnall Gleeson as a new hire and Sabrina Impacciatore, who is described as the "no nonsense managing editor" of The Truth Teller.

The rest of the newsroom includes Chelsea Frei, Melvin Gregg, Ramona Young, Gbemisola Ikumelo, Alex Edelman, and Tim Key.

Confirmed to be set in the same universe as The Office, the same fictional documentary crew that once filmed the lives of Dunder Mifflin employees will now be setting their sights on The Truth Teller.

With that in mind, the new series will follow the everyday chaos at this fictional small-town newspaper. There's big work to be done, though, as the paper's publisher begins recruiting volunteer reporters to try and keep the presses running. A plot has teased that we should expect "all the dysfunction, awkwardness, and heart" that we saw in The Office, which should reassure long-term fans.

Right now, we don't have any details about a potential season 2 but if that changes we'll be sure to update you.

For now, it's up to season one to make a good first impression so this is likely where Peacock's focus lies.

Marvel’s First Family is primed to light up the silver screen starting on July 25, 2025 in The Fantastic Four: First Steps, the fifth attempt at a live-action Hollywood transformation for the comic book icons, this time as a retro-futuristic affair starring Pedro Pascal, Vanessa Kirby, Joseph Quinn, and Ebon Moss-Bachrach and directed by Matt Shakman (WandaVision).

Attempts at its adaptation as a Hollywood feature film since the unreleased Roger Corman-led movie in 1994 and the last version being director Josh Trank’s 2015 disaster have had a poor track record, with each successive effort failing miserably to capture the spirit, heart and style of The Fantastic Four. But one of the most satisfying ways to experience the gamma-ray’d metahuman gang is by engaging with one of the many fun Fantastic Four animation series presented over the years.

By far the most overlooked example of these flashy cartoon shows is Fantastic Four: The Animated Series. It’s a natural way to gear up for Marvel Studios’ $200 million summer tentpole by absorbing its familial dynamics and splashy fun that skirt the dated humor, primitive character design and sterile backgrounds of Hanna-Barbera’s The Fantastic Four animated series that appeared on Saturday mornings from 1967-68. There was also The New Fantastic Four, a short-lived 1978 series which strangely had no Human Torch and swapped H.E.R.B.I.E. the Robot due to licensing rights and rumored fears that kids might light themselves on fire!

Airing for two “fantastic” seasons starting on September 24,1994 and ending on February 24, 1996, The Fantastic Four: The Animated Series lasted for two 13-episode outings and is currently streaming all 26 chapters on Disney+. It was originally produced by Genesis Entertainment and New World Entertainment, then broadcast in syndication as part of The Marvel Action Hour (aka Marvel Action Universe) with Iron Man taking flight for the first half of the program and The Fantastic Four jumping in to finish with its 22-24 minute episodes.

Conceived by Stan Lee and Jack Kirby in 1961, this close-knit superhero team dealing with inter-dimensional villains and everyday domestic responsibilities was the House of Idea’s biggest selling title of the decade and even sported the auspicious title of The World’s Greatest Comic Magazine on its cover.

The main lineup of scientific genius Reed Richard (Mister Fantastic), Sue Storm (Invisible Woman), Johnny Storm (The Human Torch), and Ben Grimm (The Thing) has been an ongoing roster since their experimental space flight first found themselves peppered with cosmic radiation that was the cause of their uncanny superpowers.

Any self-respecting ‘90s-era animated series need a seriously cheesy theme song and Fantastic Four: The Animated Series has that one locked down tight with a goofy anthem that’s even sillier than the tunes written for the original The Karate Kid, but that’s exactly why we love it! We forgive the show for its early campiness.

Written by Ron Friedman, Glen Leopold, Elwin Ransom and a handful of others, and executive produced by Avi Arad, Stan Lee, and Rick Ungar, it showcased everything essential about the Fantastic Four, their messy interpersonal affairs and thrilling crimefighting against notorious foes like Galactus, Doctor Doom, Ego-The Living Planet (Guardians of the Galaxy Vol. 2), Silver Surfer, Annihilus, Psycho-Man, Skrulls, Mole Man, Puppet Master, Blastaar and Sub-Mariner.

Fellow comic book heroes that were featured in multiple storylines and cameos throughout the two seasons included The Inhumans, The Incredible Hulk, Thor, Ghost Rider, Daredevil, and many others. Season 2 improved greatly with the arrival of Philippine Animation Studios taking over for Wang Film Productions.

The premiere episode of the debut season is a hoot, with the Fantastic Four recalling their origin story before a studio audience during a taping of Dick Clark’s Scholarship Telethon TV show, with the real Dick Clark actually voicing himself. Subsequent installments all carry the authentic Fantastic Four flair.

Often overshadowed by the quaint charm of the 1967 Hanna-Barbera series, Fantastic Four: The Animated Series often pulled stories from legacy story arcs written by Stan Lee and drawn by Jack “King” Kirby with later illustrator John Buscema and other artists who picked up the pen.

In particular, the two-part segment, The Silver Surfer and the Coming of Galactus, was taken directly from the 1965 comic book event displayed in Fantastic Four #48-50, which was the inspiration for the screenwriters in crafting their own plot for this month's The Fantastic Four: First Steps.

Remember that this renaissance of ‘90s animation also brought us X-Men: The Animated Series, Batman: The Animated Series, and Gargoyles, so it’s the ideal chance for fans to revisit this nostalgic, highly entertaining, and vastly under-appreciated Fantastic Four cartoon show that many of a certain generation hold dear to their hearts. With its solid vocal cast, smart writing, sharp animation, and vibrant colors, give Fantastic Four: The Animated Series a heroic spin on Disney+!

• The Fantastic Four: First Steps is reportedly getting a sequel
• The Fantastic Four: First Steps trailer confirms two of the worst-kept secrets
• Marvel announces The Fantastic Four: First Steps prequel story

• More folding iPhone details have leaked
• We have more hints about pricing and battery capacity
• The phone could launch next year

We're getting closer and closer to the foldable iPhone being a real rather than a rumored device, and new leaks suggest that the handset is going to set two records for Apple's smartphone series to date.

These leaks come from tipster Dingzhuo Digital and Mydrivers (via Wccftech). Bear in mind that we are relying on Google Translate here – and that nothing is certain until Apple makes the device official (which will probably be next year).

First up, the folding iPhone is apparently going to have the largest battery of any iPhone to date, with this leak putting the capacity at 5,000-5,500 mAh. For comparison, the Apple iPhone 16 Pro Max that launched last September packs in a 4,685 mAh battery.

We'll have to see how that works out in terms of actual battery life between charges. The foldable iPhone will of course have two screens that need powering, and a larger screen to light up when unopened (which could be 7.74 inches, corner to corner).

The second part of this leak is the pricing of this device, and it's no surprise that the foldable iPhone is set to be the most expensive iPhone in history – far exceeding the starting price of the iPhone 16 Pro Max, which is set at $1,199 / £1,199 / AU$2,149.

This leak puts the price at more than 15,000 yuan in China. That works out as $2,090 / £1,560 / AU$3,205 with a rough currency conversion at today's rates, but those are unlikely to be the final figures Apple settles on internationally.

Previous rumors have put the price of the folding iPhone somewhere between $1,800 and $2,500, depending on which tipsters and analysts you want to believe. Whatever the final figure ends up being, you're certainly going to have to pay a lot for this phone.

Before we get the folding iPhone though, we're going to get the iPhone 17 series, which will include the iPhone 17 Air in place of the iPhone 16 Plus. If Apple sticks to its usual schedule, we should see those handsets in September.

• Apple's iPhone Fold is tipped to be an annual release
• We're getting closer to a folding iPhone launch
• The Z Fold 8 could match the foldable iPhone in this way

A new NYT Strands puzzle appears at midnight each day for your time zone – which means that some people are always playing 'today's game' while others are playing 'yesterday's'. If you're looking for Sunday's puzzle instead then click here: NYT Strands hints and answers for Sunday, July 20 (game #504).

Strands is the NYT's latest word game after the likes of Wordle, Spelling Bee and Connections – and it's great fun. It can be difficult, though, so read on for my Strands hints.

Want more word-based fun? Then check out my NYT Connections today and Quordle today pages for hints and answers for those games, and Marc's Wordle today page for the original viral word game.

SPOILER WARNING: Information about NYT Strands today is below, so don't read on if you don't want to know the answers.

• Today's NYT Strands theme is… I fold!

Play any of these words to unlock the in-game hints system.

• BANK
• BRINE
• FLOW
• SHIFT
• TURBO
• WHEY

• Spangram has 7 letters

First side: left, 4th row

Last side: right, 5th row

Right, the answers are below, so DO NOT SCROLL ANY FURTHER IF YOU DON'T WANT TO SEE THEM.

The answers to today's Strands, game #505, are…

• KITE
• FROG
• FISH
• CRANE
• BUTTERFLY
• SPANGRAM: ORIGAMI

• My rating: Hard
• My score: 2 hints

It took me until my fourth word, which was CRANE, to understand the significance of “I fold!”. After that it was a case of finding a letter-O close to an edge and connecting ORIGAMI.

Despite this moment of revelation, today’s search didn’t get any easier – mainly because a crane is the most obvious shape you can make, but also because hundreds of items can be created by folding a square piece of thin paper.

Thankfully, FLOWER and BUTTERFLY were easy to spot, but even though there were only five letters left I still struggled to see HEART (trying “earth” first – maybe you just screw the paper up into a ball).

• WRAP
• BIKINI
• SARONG
• TRUNKS
• SANDALS
• SWIMSUIT
• SPANGRAM: BEACH ATTIRE

Strands is the NYT's not-so-new-any-more word game, following Wordle and Connections. It's now a fully fledged member of the NYT's games stable that has been running for a year and which can be played on the NYT Games site on desktop or mobile.

I've got a full guide to how to play NYT Strands, complete with tips for solving it, so check that out if you're struggling to beat it each day.