Tag: software
-
GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say
GitHub rejected two formal vulnerability reports identifying design flaws that researchers say are enabling variants of the Shai-Hulud supply-chain worm to infect and compromise hundreds of software packages and developer accounts worldwide. First seen on therecord.media Jump to article: therecord.media/github-dismissed-reports-shai-hulud-deep-specter
-
144 Mastra npm Packages Compromised via Hijacked Contributor Account
As many as 144 npm packages associated with the Mastra namespace (“@mastra/*”), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from JFrog, SafeDep, Socket, and StepSecurity.”A single npm account (ehindero) mass-published more First seen on…
-
JFrog-Plugin für Claude Code bringt Software-Supply-Chain-Security und Governance für KI-Coding-Agenten
KI-Agenten sind längst nicht mehr nur Assistenzsysteme für Entwickler. Sie analysieren Code, schlagen Abhängigkeiten vor, erzeugen Builds und können Plattformaufgaben automatisieren. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/jfrog-plugin-fuer-claude-code-bringt-software-supply-chain-security-und-governance-fuer-ki-coding-agenten/a45515/
-
Angreifer im System: Drei kritische Lücken in Fortinet aktiv ausgenutzt
Das Sicherheitsunternehmen Defused Cyber meldet die aktive Ausnutzung von drei kritischen Schwachstellen in der Sandbox-Software von Fortinet. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/fortinet-drei-kritische-luecken
-
A case for how to shape ‘ingredient lists’ for AI models
AI bills of materials (AIBOMs), modeled on standards that worked for software, could transform how policymakers understand and regulate AI. A new roadmap outlines what they need to include and how to get there. First seen on cyberscoop.com Jump to article: cyberscoop.com/ai-bill-of-materials-policy-roadmap/
-
Der nachlässige Umgang mit den eigenen digitalen Daten
Jede und jeder Zehnte erstellt nie Backups. Nur 43 Prozent installieren angebotene Software-Updates meist sofort. Ob Updates, Backups oder Zugriffsrechte viele Menschen in Deutschland gehen mit der Sicherheit ihrer digitalen Geräte und Daten eher nachlässig um. Nur rund 4 von 10 Internetnutzenden (39 Prozent) erstellen häufig Backups, also digitale Sicherheitskopien ihrer Daten. Weitere… First seen…
-
Software supply chains are heading for a transparency test
Software supply chain visibility is becoming part of product security work as the EU Cyber Resilience Act (CRA) moves toward application in December 2027. ENISA’s SBOM … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/16/enisa-software-supply-chain-transparency/
-
How FDA’s Draft Guidance Shapes AI Medical Device Safety
FDA’s draft guidance for AI-enabled medical devices reflects a major change in how regulators address software that changes over time, recognizing AI’s ability to evolve while emphasizing patient safety, transparency and accountability, said Phil Englert of the Health-ISAC. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/interviews/how-fdas-draft-guidance-shapes-ai-medical-device-safety-i-5550
-
How FDA’s Draft Guidance Shapes AI Medical Device Security
FDA’s draft guidance for AI-enabled medical devices reflects a major change in how regulators address software that changes over time, recognizing AI’s ability to evolve while emphasizing patient safety, transparency and accountability, said Phil Englert of the Health-ISAC. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/interviews/how-fdas-draft-guidance-shapes-ai-medical-device-security-i-5550
-
SimpleHelp bug lets hackers create rogue remote support accounts
A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/
-
SimpleHelp bug lets hackers create rogue remote support accounts
A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/
-
Cybersecurity vets protest ‘dangerous’ US government ban on Anthropic’s most powerful models
A group made up of dozens of cybersecurity experts urged the White House to remove export control restrictions on Anthropic’s models Fable and Mythos, arguing that the order is going to limit the ability of cybersecurity defenders to secure their software and products. First seen on techcrunch.com Jump to article: techcrunch.com/2026/06/15/cybersecurity-vets-protest-dangerous-us-government-ban-on-anthropics-most-powerful-models/
-
âš¡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software…
-
Smart Glasses: Meta benutzt Gesichtserkennungs-Software für US-Polizeibehörden
Tags: softwareDass Meta eine Gesichtserkennung in seine Smart Glasses einbauen möchte, wird schon länger vermutet. Es gibt einen neuen Hinweis. First seen on golem.de Jump to article: www.golem.de/news/smart-glasses-meta-benutzt-gesichtserkennungs-software-fuer-us-polizeibehoerden-2606-209796.html
-
Threat Actor Malware Platform Exposed Through Unlocked PHP Installer Page
A misconfigured PHP-based malware distribution platform has been exposed after a security researcher inadvertently gained administrative access via an unlocked installation page, highlighting critical operational security failures in the active threat actor’s infrastructure. The incident, documented on June 11, 2026, began with routine threat intelligence monitoring on X (formerly Twitter), where a suspicious software download…
-
ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed
A major bug in Oracle’s ERP software disproportionately affected American universities, and hackers have capitalized by stealing gobs of data. First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/shinyhunters-oracle-zero-day-higher-ed
-
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
Vulnerability in the Oracle-owned PeopleSoft software is about as critical as they come. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/
-
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it’s pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans.The network is said to be behind the development and management of a phishing-as-a-service (PhaaS) software kit called Outsider, per the tech giant.”The operation weaponized Gemini…
-
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself.Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary…
-
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/phpbb-forum-fixes-auth-bypass-bug-lurking-for-a-decade/
-
Early Warning Signs of Supply-Chain Attacks Live in the Dark Web
GitHub access sales, leaked repositories, and stolen API keys can all become supply-chain attack footholds. Flare explores how underground forums expose early signals tied to software supply-chain risk. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/early-warning-signs-of-supply-chain-attacks-live-in-the-dark-web/
-
GitHub to Update npm to Thwart Software Supply Chain Attacks
NPM, part of GitHub, announced a new version of the npm package manager with several security improvements, including disabling install scripts First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/github-update-npm-supply-chain/
-
GitHub to Update npm to Thwart Software Supply Chain Attacks
NPM, part of GitHub, announced a new version of the npm package manager with several security improvements, including disabling install scripts First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/github-update-npm-supply-chain/
-
JFrog analysiert Shai-Hulud-Miasma: Manipulierte Red-Hat-npm-Pakete gefährden Software-Lieferketten
Tags: softwareEntwicklerrechner und CI/CD-Pipelines dürfen nicht länger als neutrale Durchgangsstationen betrachtet werden. Sie sind längst ein zentrales Angriffsziel. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/jfrog-analysiert-shai-hulud-miasma-manipulierte-red-hat-npm-pakete-gefaehrden-software-lieferketten/a45454/
-
Fake Spotify Premium tutorials on TikTok and Instagram Reels spread malware
Cybercriminals are using TikTok and Instagram Reels videos to spread Vidar, an infostealer malware, through fake downloads for popular paid software, according to … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/11/vidar-infostealer-tiktok-instagram-reels-malware-campaigns/
-
The Hidden Security Risks of Poor Software Testing
Poor Software Testing can expose hidden flaws, vulnerable dependencies and weak controls, increasing breach risks, downtime and costly fixes after release. First seen on hackread.com Jump to article: hackread.com/the-hidden-security-risks-of-poor-software-testing/
-
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub has announced what it said are “breaking changes” coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats.The changes aim to combat attack techniques that abuse the “npm install” command to trigger the execution of malicious code using npm lifecycle hooks. “Npm install” is…

