Tag: supply-chain
-
Trivy vulnerability scanner backdoored with credential stealer in supply chain attack
Tags: access, attack, breach, cloud, control, credentials, crypto, data, detection, docker, email, exploit, github, kubernetes, malicious, malware, network, risk, supply-chain, vulnerabilityAttackers look for development secrets: On GitHub Actions runners, the credential stealer reads the process memory to extract secrets and searches the filesystem for SSH keys, cloud provider credentials, Kubernetes tokens, Docker registry configurations, and cryptocurrency wallets.The stolen data is encrypted and sent to a typosquatted domain that mimics Aqua Security’s legitimate site. If this…
-
Trivy vulnerability scanner backdoored with credential stealer in supply chain attack
Tags: access, attack, breach, cloud, control, credentials, crypto, data, detection, docker, email, exploit, github, kubernetes, malicious, malware, network, risk, supply-chain, vulnerabilityAttackers look for development secrets: On GitHub Actions runners, the credential stealer reads the process memory to extract secrets and searches the filesystem for SSH keys, cloud provider credentials, Kubernetes tokens, Docker registry configurations, and cryptocurrency wallets.The stolen data is encrypted and sent to a typosquatted domain that mimics Aqua Security’s legitimate site. If this…
-
Widely used Trivy scanner compromised in ongoing supply-chain attack
Admins: Sorry to say, but it’s likely a rotate-your-secrets kind of weekend. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/
-
ISMG Editors: Stryker Attack Hits Healthcare Supply Chain
Also: CISA Protocol Concerns, AI Agents Push Past Cybersecurity Controls. In this week’s panel, four ISMG editors unpacked the cyber dimensions of the Stryker attack amid the escalating Iran-Israel-U.S. tensions, the growing controversy around CISA leadership and alleged protocol breaches, and a new set of concerns related to AI agents bypassing security controls. First seen…
-
SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft
Tags: ai, authentication, automation, breach, cloud, credentials, cybercrime, cybersecurity, dark-web, data, data-breach, government, identity, malware, monitoring, password, phishing, ransomware, supply-chain, theft, threat, tool67 / sixseven: 140.4Msweet / cookie / candy / cake / pie: 5.7Mchiefs / kansas city chiefs: 5M2025: 4.1Mapple / banana / orange / strawberry / fruit: 2.6MPassword reuse remains widespread, and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are…
-
SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft
Tags: ai, authentication, automation, breach, cloud, credentials, cybercrime, cybersecurity, dark-web, data, data-breach, government, identity, malware, monitoring, password, phishing, ransomware, supply-chain, theft, threat, tool67 / sixseven: 140.4Msweet / cookie / candy / cake / pie: 5.7Mchiefs / kansas city chiefs: 5M2025: 4.1Mapple / banana / orange / strawberry / fruit: 2.6MPassword reuse remains widespread, and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are…
-
Pentagon Warns Anthropic Could ‘Subvert’ Defense AI Systems
New Filing Frames Anthropic Dispute as Operational Control Issue – Not Free Speech. The Justice Department is arguing in a new court filing that Anthropic’s ability to update guardrails and behavior post-deployment creates unacceptable supply-chain risks, warning that vendor access to AI systems could enable manipulation or failure in mission-critical defense operations. First seen on…
-
Anton’s Security Blog Quarterly Q1 2026
Tags: ai, automation, breach, ciso, cloud, control, defense, detection, framework, google, governance, infrastructure, mandiant, metric, RedTeam, risk, service, siem, soc, software, supply-chain, threat, update, vulnerability, vulnerability-managementMy Anton’s Security Blog (And Podcast!) Quarterly this covers both Anton on Security and my posts from Google Cloud blog, Google Cloud community blog, and our Cloud Security Podcast (subscribe on Spotify, now with VIDEO). Gemini image for this Top 10 posts with the most lifetime views (excluding paper announcement blogs): Anton’s Alert Fatigue: The Study [A.C.”Š”,…
-
Anton’s Security Blog Quarterly Q1 2026
Tags: ai, automation, breach, ciso, cloud, control, defense, detection, framework, google, governance, infrastructure, mandiant, metric, RedTeam, risk, service, siem, soc, software, supply-chain, threat, update, vulnerability, vulnerability-managementMy Anton’s Security Blog (And Podcast!) Quarterly this covers both Anton on Security and my posts from Google Cloud blog, Google Cloud community blog, and our Cloud Security Podcast (subscribe on Spotify, now with VIDEO). Gemini image for this Top 10 posts with the most lifetime views (excluding paper announcement blogs): Anton’s Alert Fatigue: The Study [A.C.”Š”,…
-
Anton’s Security Blog Quarterly Q1 2026
Tags: ai, automation, breach, ciso, cloud, control, defense, detection, framework, google, governance, infrastructure, mandiant, metric, RedTeam, risk, service, siem, soc, software, supply-chain, threat, update, vulnerability, vulnerability-managementMy Anton’s Security Blog (And Podcast!) Quarterly this covers both Anton on Security and my posts from Google Cloud blog, Google Cloud community blog, and our Cloud Security Podcast (subscribe on Spotify, now with VIDEO). Gemini image for this Top 10 posts with the most lifetime views (excluding paper announcement blogs): Anton’s Alert Fatigue: The Study [A.C.”Š”,…
-
President Trump’s Cyber Strategy for America: Why Integrity Is the Foundation of Modern Cyber Defense
<div cla President Trump’s Cyber Strategy for America makes a few things very clear: the United States must detect adversaries earlier, secure critical infrastructure, strengthen technology supply chains, and ensure that systems can recover rapidly after cyber incidents. These goals appear throughout the strategy, but when viewed through a technical lens, they all depend on…
-
President Trump’s Cyber Strategy for America: Why Integrity Is the Foundation of Modern Cyber Defense
<div cla President Trump’s Cyber Strategy for America makes a few things very clear: the United States must detect adversaries earlier, secure critical infrastructure, strengthen technology supply chains, and ensure that systems can recover rapidly after cyber incidents. These goals appear throughout the strategy, but when viewed through a technical lens, they all depend on…
-
President Trump’s Cyber Strategy for America: Why Integrity Is the Foundation of Modern Cyber Defense
<div cla President Trump’s Cyber Strategy for America makes a few things very clear: the United States must detect adversaries earlier, secure critical infrastructure, strengthen technology supply chains, and ensure that systems can recover rapidly after cyber incidents. These goals appear throughout the strategy, but when viewed through a technical lens, they all depend on…
-
Neue MCP Registry von JFrog stärkt Sicherheit in der KI-gestützten Software Supply Chain
Die MCP Registry ist ein Schritt in genau diese Richtung: weg von unkontrollierter Experimentierfreude, hin zu einer verantwortungsvollen, skalierbaren Nutzung von KI. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/neue-mcp-registry-von-jfrog-staerkt-sicherheit-in-der-ki-gestuetzten-software-supply-chain/a44196/
-
The True Cost of Cyber Downtime: A UK Board-Level Briefing
Tags: attack, backup, business, cloud, communications, compliance, control, cyber, cyberattack, data, finance, GDPR, governance, healthcare, infrastructure, insurance, monitoring, resilience, saas, service, supply-chain, technologyWritten by Sean Tilley, Senior Sales Director EMEA at 11:11 Systems Cyber downtime carries measurable financial consequences, and those consequences are becoming clearer with each major incident. Research from 11:11 Systems shows that 78% of European organisations report losses of up to $500,000 per hour following a cyber-related outage, while 6% face costs exceeding £1 million per…
-
The Hidden Security Risks in Open-Source Dependencies Nobody Talks About
Open-source dependencies introduce hidden risks, from transitive vulnerabilities to supply chain attacks. Learn how to reduce exposure. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/the-hidden-security-risks-in-open-source-dependencies-nobody-talks-about/
-
The Hidden Security Risks in Open-Source Dependencies Nobody Talks About
Open-source dependencies introduce hidden risks, from transitive vulnerabilities to supply chain attacks. Learn how to reduce exposure. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/the-hidden-security-risks-in-open-source-dependencies-nobody-talks-about/
-
Anthropic ban heralds new era of supply chain risk, with no clear playbook
Tags: ai, business, ceo, cisco, ciso, compliance, control, data, defense, framework, government, group, infrastructure, intelligence, law, monitoring, network, RedTeam, risk, risk-management, sbom, software, strategy, supply-chain, technology, threat, toolCompliance pressure before policy clarity: For organizations that do business with the federal government, the implications extend beyond technical challenges into legal and contractual risk. Alex Major, co-chair of government contracts and global trade practice at law firm McCarter and English, tells CSO that supply chain designations like the Anthropic ban tend to move quickly…
-
Anthropic ban heralds new era of supply chain risk, with no clear playbook
Tags: ai, business, ceo, cisco, ciso, compliance, control, data, defense, framework, government, group, infrastructure, intelligence, law, monitoring, network, RedTeam, risk, risk-management, sbom, software, strategy, supply-chain, technology, threat, toolCompliance pressure before policy clarity: For organizations that do business with the federal government, the implications extend beyond technical challenges into legal and contractual risk. Alex Major, co-chair of government contracts and global trade practice at law firm McCarter and English, tells CSO that supply chain designations like the Anthropic ban tend to move quickly…
-
WaterPlum Unleashes “StoatWaffle” Malware in VSCode Supply Chain Attack
A North Korea-linked threat group known as WaterPlum has introduced a new malware strain called “StoatWaffle” as part of its ongoing Contagious Interview campaign. The activity has been attributed to Team 8, a subgroup within WaterPlum also tracked as the Moralis or Modilus cluster. This team was previously associated with the OtterCookie malware, but since…
-
Cybersecurity and privacy priorities for 2026: The legal risk map
Tags: attack, authentication, awareness, best-practice, breach, communications, country, cyber, cybersecurity, data, defense, finance, fraud, governance, government, incident, incident response, infrastructure, law, mfa, monitoring, privacy, ransomware, regulation, risk, risk-management, service, strategy, supply-chain, threat, usaContinued federal interest in cybersecurity and privacy, especially in connection with national security concerns: The evident connection between cybersecurity and privacy and national security have led to a number of federal initiatives in recent years. Most recently in March 2026, the White House announced the current administration’s Cyber Strategy for America, renewing a commitment to…
-
GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX
The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/
-
Glassworm Malware Infects Popular React Native npm Packages
Tags: attack, country, credentials, cyber, international, malicious, malware, phone, supply-chain, windowsA new Glassworm-linked supply chain attack has briefly turned two popular React Native npm packages into delivery vehicles for Windows credential-stealing malware. On March 16, 2026, malicious versions of AstrOOnauta’s react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8 were published to npm, each embedding an identical staged loader that executes during a routine npm install. Together, these packages account for…
-
Glassworm Malware Infects Popular React Native npm Packages
Tags: attack, country, credentials, cyber, international, malicious, malware, phone, supply-chain, windowsA new Glassworm-linked supply chain attack has briefly turned two popular React Native npm packages into delivery vehicles for Windows credential-stealing malware. On March 16, 2026, malicious versions of AstrOOnauta’s react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8 were published to npm, each embedding an identical staged loader that executes during a routine npm install. Together, these packages account for…
-
Packagist Themes Deliver Trojanized jQuery in OphimCMS Supply Chain Attack
A new OphimCMS supply chain attack in which six Packagist themes ship trojanized jQuery and other JavaScript to compromise site visitors rather than servers.”‹ Researchers found six malicious Composer packages under the “ophimcms” namespace on Packagist that pretend to be legitimate themes for OphimCMS, a Vietnamese-language Laravel CMS used for movie streaming sites. These packages…
-
RSAC 2026 Innovation Sandbox – Crash Override: From Passive Scanning to Active Traceability, Reshaping the Software Supply Chain Security Foundation
Industry Macro Background and the Software Supply Chain Crisis By 2026, the deepening of global digital transformation, coupled with the proliferation of Generative AI and large models, is reshaping software development. The industry is shifting from being “efficiency-driven” to “governance-driven.” The root cause lies in the loss of visibility and engineering control within the modern…The…