Tag: api

Cloud assets have 115 vulnerabilities on average, some several years old

Jun 9, 2025 11:55 AM

Tags: access, ai, api, attack, cloud, credentials, data, data-breach, github, gitlab, iam, infrastructure, risk, service, strategy, threat, vulnerability

Isolated risks lead to bigger issues: Orca also warns that half of organizations have assets exposing attack paths that can lead to sensitive data exposure, as well as 23% with paths that lead to broad permission access and compromised hosts. Attack paths are the combination of risks that appear isolated but can be combined to…
Malicious npm Utility Packages Enable Attackers to Wipe Production Systems

Jun 9, 2025 10:55 AM

Tags: api, backdoor, cyber, data, email, malicious, theft, threat

Socket’s Threat Research Team has uncovered two malicious npm packages, express-api-sync and system-health-sync-api, designed to masquerade as legitimate utilities while embedding destructive backdoors capable of annihilating production systems. Published under the npm alias >>botsailer
Cybersecurity 2025: The Trends Defining Risk and How to Stay Ahead

Jun 7, 2025 5:54 AM

Tags: ai, api, cybersecurity, data, phishing, privacy, risk, service, threat

Cybersecurity 2025: The Trends Defining Risk and How to Stay Ahead Cybersecurity 2025: The Trends Defining Risk and How to Stay Ahead The rules of cybersecurity are shifting”, again. As 2025 unfolds, companies face a paradox: digital acceleration is non-negotiable, but it’s also becoming their biggest liability. From API sprawl to AI-driven phishing, today’s threats…
Chrome extensions transmit sensitive data over HTTP, leak API keys

Jun 6, 2025 9:54 PM

Tags: api, browser, chrome, data, leak

First seen on scworld.com Jump to article: www.scworld.com/news/chrome-extensions-transmit-sensitive-data-over-http-leak-api-keys
Chrome Extensions Flaw Exposes Sensitive API Keys, Secrets and Tokens

Jun 6, 2025 11:55 AM

Tags: api, browser, chrome, credentials, cyber, data, exploit, flaw

A critical security flaw has been uncovered in numerous popular Chrome extensions, affecting millions of users worldwide by exposing sensitive credentials such as API keys, secrets, and tokens directly within their source code. This alarming oversight in modern development practices has left digital doors wide open for cyber attackers to exploit, potentially leading to data…
Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials

Jun 6, 2025 9:55 AM

Tags: api, browser, chrome, credentials, cybersecurity, data, google, leak, privacy, technology

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.”Several widely used extensions […] unintentionally transmit sensitive data over simple HTTP,” Yuanjing Guo, a security researcher in the Symantec’s Security Technology and Response First…
Announcing our Series A – Impart Security

Jun 5, 2025 7:55 PM

Tags: ai, api, application-security, attack, ceo, ciso, cloud, cve, defense, detection, framework, healthcare, infrastructure, monitoring, risk, saas, technology, threat, tool, vulnerability, waf

Today, we’re announcing our $12 million Series A led by Madrona. This funding represents more than capital”, it validates our solution to what I call the ‘last mile problem’ in application security. Here’s a scenario every security professional will recognize: Your team demos an impressive application security tool that catches sophisticated attacks in real-time. The…
Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Jun 5, 2025 6:54 PM

Tags: api, browser, chrome, credentials, cybersecurity, data, google, leak, privacy, technology

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.”Several widely used extensions […] unintentionally transmit sensitive data over simple HTTP,” Yuanjing Guo, a security researcher in the Symantec’s Security Technology and Response First…
Meet Escape Copilot: Automate App and Scan Management via MCP

Jun 5, 2025 3:55 PM

Tags: api

Meet Escape Copilot. Powered by the MCP over the Escape Public API, it helps you boost productivity and get more done with less context switching inside Escape. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/06/meet-escape-copilot-automate-app-and-scan-management-via-mcp/
Supply chain attack hits RubyGems to steal Telegram API data

Jun 5, 2025 2:54 PM

Tags: ai, api, attack, communications, data, endpoint, exploit, Internet, malicious, network, open-source, privacy, risk, service, supply-chain, threat, tool

Risk may extend past the regional ban: The malicious packages (Gems) were published by the threat actor on May 24, 2025, three days after Vietnam’s Ministry of Information and Communications ordered a nationwide ban on Telegram and gave internet service providers until June 2 to report compliance.Apart from the timing, the aliases used by the…
Addressing API Security with NIST SP 800-228

Jun 5, 2025 8:54 AM

Tags: api, attack, nist

According to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it’s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a set…
Securing Against Attacks: How WAF Rate Limiting Works

Jun 5, 2025 8:54 AM

Tags: api, application-security, attack, control, credentials, malicious, waf

Rate limiting plays a major role in application security, especially when it is about defending web applications from malicious bot attacks, credential stuffing, brute force attacks and excessive API calls. Rate limiting security ensures that systems function properly without overwhelming them. It controls the number of requests a client or a specific IP address can……
What the Arc Browser Story Reveals About the Future of Browser Security

Jun 5, 2025 5:54 AM

Tags: ai, antivirus, api, browser, ceo, chrome, ciso, crypto, data, email, github, infrastructure, jobs, LLM, macOS, malware, password, phishing, saas, software, startup, update, vulnerability, windows

By Dakshitaa Babu, Security Researcher, SquareX In a candid letter that Joshua Miller, CEO of Arc Browser, wrote to the community, he revealed a truth the tech industry has been dancing around: “the dominant operating system on desktop wasn’t Windows or macOS anymore”Š”, “Šit was the browser.” The evidence is everywhere”Š”, “Šcloud revenue surging year…
Umfassender und von Gartner bestätigter Schutz für Web-Anwendungen und APIs

Jun 5, 2025 5:54 AM

Tags: ai, api, cloud, gartner, guide, software, waf

Check Point Software Technologies gibt bekannt, dass die wichtigsten Anforderungen des aktuellen Gartner-Market-Guide for Cloud-Web-Application and API-Protection (WAAP) erfüllt. Die cloudnative Lösung bietet eine KI-gestützte Sicherheitsarchitektur, die moderne Web-Anwendungen und APIs umfassend schützt von der Entwicklung über den Betrieb bis zur automatisierten Bedrohungsabwehr. In einer zunehmend komplexen Bedrohungslandschaft reichen traditionelle Signatur-basierte WAF-Lösungen […] First seen…
Google Unveils Gemini Nano for On-Device AI in Android Apps

Jun 4, 2025 3:55 PM

Tags: ai, android, api, google

Gemini Nano APIs empower Android developers with on-device AI features like summarization, proofreading, and enhanced privacy. Get started today! First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/06/google-unveils-gemini-nano-for-on-device-ai-in-android-apps/
Don’t Be a Statistic: Proactive API Security in the Age of AI

Jun 4, 2025 2:55 PM

Tags: access, ai, api, attack, breach, business, cloud, compliance, cybercrime, data, data-breach, defense, email, exploit, finance, governance, infrastructure, Internet, iot, mobile, phone, privacy, risk, security-incident, strategy, threat, tool, unauthorized, update, vulnerability

Your business depends on APIs, which are essential for contemporary digital experiences, encompassing everything from mobile applications and IoT devices to the rapidly evolving AI landscape. With more than 80% of internet traffic now routed through APIs”, a number projected to rise significantly due to AI developments”, their security is crucial. Unfortunately, this vital infrastructure…
Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Jun 4, 2025 1:55 PM

Tags: api, attack, crypto, data-breach, malicious, open-source, pypi, supply-chain, threat

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems.The findings come from multiple reports published by Checkmarx, First seen on thehackernews.com…
Improving Cost Efficiency with Karpenter 1.0: An Upgrade Guide

Jun 4, 2025 7:55 AM

Tags: api, guide, infrastructure, kubernetes
Discover First, Defend Fully: The Essential First Step on Your API Security Journey

Jun 4, 2025 5:57 AM

Tags: api, cloud, waf

APIs power today’s digital economy, but their lightning-fast evolution and astronomical call volumes can leave security teams scrambling to keep up. How can you secure what you can’t yet see or quantify? Imperva’s Unlimited Discovery-Only capability for the Cloud WAF (CWAF) add-On delivers continuous, comprehensive visibility into your entire API landscape without requiring up-front commitment……
Salt Security Introduces Instant API Security Deployment with Complete Environment Visibility

Jun 3, 2025 9:55 PM

Tags: api

First seen on scworld.com Jump to article: www.scworld.com/news/salt-security-introduces-instant-api-security-deployment-with-complete-environment-visibility
What Tackling the SaaS Security Problem Means to Me

Jun 3, 2025 6:54 PM

Tags: access, ai, api, attack, authentication, breach, business, ceo, ciso, cloud, control, credentials, crypto, data, data-breach, detection, exploit, google, identity, incident response, infrastructure, jobs, lessons-learned, login, mfa, microsoft, ml, mssp, saas, siem, threat, tool, zero-day

By Kevin Hanes, CEO of Reveal Security When I reflect on the years I spent leading one of the world’s largest Security Operations Centers (SOCs) and incident response teams, the lessons learned aren’t just war stories”¦they’re a playbook for how we should rethink our responsibilities in the face of today’s fast-evolving attack surfaces. Back then,…
Malicious RubyGems pose as Fastlane to steal Telegram API data

Jun 3, 2025 6:54 PM

Tags: api, data, malicious

Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-fastlane-to-steal-telegram-api-data/
The high cost of misconfigured DevOps tools: Global cryptojacking hits enterprises

Jun 3, 2025 4:54 PM

Tags: access, api, attack, authentication, cloud, control, data-breach, docker, exploit, flaw, infrastructure, Internet, jobs, least-privilege, malware, open-source, service, software, tactics, threat, tool, unauthorized

Lockdown of DevOps exposure: Wiz urges organizations to lock down exposed DevOps infrastructure by following established best practices. For Nomad, enforcing access control lists (ACLs) would have blocked the unauthenticated job executions used in this campaign. Public Gitea instances should be fully patched, with git hooks disabled and the installation locked unless absolutely needed.In Consul,…
The high cost of misconfigured DevOps: Global cryptojacking hits enterprises

Jun 3, 2025 12:55 PM

Tags: access, api, attack, authentication, cloud, control, data-breach, docker, exploit, flaw, infrastructure, Internet, jobs, least-privilege, malware, open-source, service, software, tactics, threat, tool, unauthorized

Lockdown of DevOps exposure: Wiz urges organizations to lock down exposed DevOps infrastructure by following established best practices. For Nomad, enforcing access control lists (ACLs) would have blocked the unauthenticated job executions used in this campaign. Public Gitea instances should be fully patched, with git hooks disabled and the installation locked unless absolutely needed.In Consul,…
API Security: The Importance of Vulnerability Assessment and Penetration Testing (VAPT)

Jun 2, 2025 8:54 PM

Tags: api, penetration-testing, vulnerability

First seen on resecurity.com Jump to article: www.resecurity.com/blog/article/api-security-the-importance-of-vulnerability-assessment-and-penetration-testing-vapt
Stealth Syscall Technique Allows Hackers to Evade Event Tracing and EDR Detection

Jun 2, 2025 8:54 PM

Tags: api, cyber, detection, edr, endpoint, hacker, infrastructure, monitoring, threat, windows

Advanced threat actors have developed sophisticated stealth syscall execution techniques that successfully bypass modern security infrastructure, including Event Tracing for Windows (ETW), Sysmon monitoring, and Endpoint Detection and Response (EDR) systems. These techniques combine multiple evasion methods such as call stack spoofing, ETW API hooking, and encrypted syscall execution to render traditional detection mechanisms ineffective,…
Cryptojacking Campaign Exploits DevOps APIs Using OffShelf Tools from GitHub

Jun 2, 2025 6:54 PM

Tags: api, cybersecurity, docker, exploit, github, tool

Cybersecurity researchers have discovered a new cryptojacking campaign that’s targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies.Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and…
Java 25 Launches Stable Values API for Enhanced Immutability

Jun 2, 2025 4:54 PM

Tags: api, startup

The new Stable Values API in JDK 25, enhancing performance with deferred immutability. Learn how it optimizes application startup now! First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/06/java-25-launches-stable-values-api-for-enhanced-immutability/
Over 50,000 Azure AD Users’ Access Tokens Exposed via Unauthenticated API Endpoint

Jun 2, 2025 12:54 PM

Tags: access, api, cyber, data, data-breach, endpoint, microsoft, unauthorized, vulnerability

CloudSEK’s BeVigil platform has uncovered a critical security vulnerability affecting an aviation giant, where an exposed JavaScript file containing an unauthenticated API endpoint led to unauthorized access to Microsoft Graph tokens with elevated privileges. This security lapse resulted in the exposure of sensitive data belonging to more than 50,000 Azure Active Directory users, highlighting significant…
Active Exploits Detected Targeting Critical vBulletin Vulnerability

Jun 2, 2025 11:54 AM

Tags: api, cve, cyber, exploit, flaw, remote-code-execution, software, vulnerability

Two critical vulnerabilities”, CVE-2025-48827 and CVE-2025-48828″, have been assigned to vBulletin, the widely used PHP/MySQL forum software, following public disclosure and observed exploitation in the wild. The flaws, affecting vBulletin versions 5.0.0 through 6.0.3, enable unauthenticated attackers to achieve Remote Code Execution (RCE), putting thousands of online communities at risk. Reflection API Abuse and Template…