Tag: supply-chain
-
The US NSA is using Anthropic’s Claude Mythos despite supply chain risk
Axios reports the National Security Agency uses Anthropic Mythos model despite Department of Defense concerns, blurring AI risk vs defense lines. The reported use of Anthropic’s Mythos model by the U.S. National Security Agency is a reminder that the line between AI as a defensive tool and AI as a security risk is getting harder…
-
GitHub Issue Alerts Exploited in OAuth Phishing Scam Targeting Developers
Hackers are abusing GitHub’s own issue-notification emails to phish developers and silently take over their repositories using malicious OAuth applications, effectively turning trusted DevOps tooling into a supply-chain attack vector. Developers are now prime targets because compromising their accounts gives attackers direct access to source code CI/CD pipelines, and production workflows, making this a textbook supply-chain attack…
-
CISA Warns Compromised Axios npm Package Fueled Major Supply Chain Attack
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a severe software supply chain compromise affecting the widely used Axios node package manager (npm). Axios is a highly popular JavaScript library that developers rely on to handle HTTP requests in both Node.js and browser environments. Because of its massive global adoption…
-
The MCP Disclosure Is the AI Era’s ‘Open Redirect’ Moment
The MCP flaw reveals a systemic AI security gap, exposing enterprise systems to supply chain attacks and forcing a shift toward data-layer governance. The post The MCP Disclosure Is the AI Era’s ‘Open Redirect’ Moment appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-mcp-ai-security-vulnerability-data-layer-governance/
-
Understanding Cybersecurity Maturity Model Certification: The New Standard for Doing Business with the Department of Defense
For anyone working with or hoping to work with the Department of Defense (DoD), cybersecurity compliance is no longer optional. It’s now a condition of doing business. The DoD created the Cybersecurity Maturity Model Certification (CMMC) to solve a growing problem within the defense supply chain: inconsistent protection of sensitive information and unreliable self-reporting of…
-
Why the Axios attack proves AI is mandatory for supply chain security
Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the blast radius: roughly 100 million weekly downloads spanning enterprises, startups, and government systems. But beyond the sheer scale, the attack’s speed was just as worrisome a stark […]…
-
Hackers exploit Vercel’s trust in AI integration
Allegedly breached by ShinyHunters: According to screenshots circulating on the internet, a threat actor has already claimed the breach on the dark web and is attempting to sell the spoils. “Greetings All, Today I am selling Access Key/ Source Code/ Database from Vercel company,” the actor said in one of such posts. “Give me a…
-
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Tags: access, ai, cybersecurity, flaw, intelligence, rce, remote-code-execution, supply-chain, vulnerabilityCybersecurity researchers have discovered a critical “by design” weakness in the Model Context Protocol’s (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain.”This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access…
-
White House moves to give federal agencies access to Anthropic’s Claude Mythos
Tags: access, ai, control, cyber, defense, framework, government, military, risk, supply-chain, update, vulnerabilityEnterprise implications: Those same assurance questions translate directly to enterprise procurement. The OMB move signals that federal cyber defense is pivoting toward frontier models that can find vulnerabilities faster than human teams can patch them, and the rift between the Pentagon and the White House carries a lesson for private-sector buyers, Shah said.”The rift between…
-
Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching
Tags: ai, business, cvss, cyberattack, data, exploit, LLM, mitigation, network, remote-code-execution, risk, strategy, supply-chain, threat, tool, update, vulnerability, vulnerability-managementSee how Tenable Hexa AI custom agents empower you to counter machine-speed threats by automating vulnerability remediation. Learn how the Model Context Protocol (MCP) automates execution of risk-driven patching workflows, shifting your strategy from reactive tracking to continuous exposure management. Key takeaways Even in previews, powerful AI models like Claude Mythos show us how quickly…
-
The need for a board-level definition of cyber resilience
Tags: awareness, business, cisa, compliance, control, crime, cyber, cybercrime, cybersecurity, detection, finance, framework, governance, law, metric, regulation, resilience, risk, risk-analysis, risk-management, service, supply-chain, technologyWhere the literature converges: Organizational outcomes vs. policy and controls It’s consistently agreed that cyber resilience should be tied to organizational outcomes rather than technical controls and policies. Rather than focusing on metrics such as mean time to detection or number of security controls, organizational cyber resilience needs to evaluate levels of business continuity, preservation…
-
Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites
More than 30 WordPress plugins were shut down after a supply-chain backdoor compromised thousands of sites through the Essential Plugin portfolio. The post Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-malicious-wordpress-plugins-backdoor-april-2026/
-
How the enterprise supply chain has created a global attack surface
For years, organisations have treated cyber security as something that happens within their own walls. Protect the network, secure the endpoints, monitor the environment. Job done. Security was architected like a moat and castle, but today the model is no longer effective. Today, the real exposure sits outside the organisation. It sits in third parties,…
-
How the enterprise supply chain has created a global attack surface
For years, organisations have treated cyber security as something that happens within their own walls. Protect the network, secure the endpoints, monitor the environment. Job done. Security was architected like a moat and castle, but today the model is no longer effective. Today, the real exposure sits outside the organisation. It sits in third parties,…
-
Navigating the Unique Security Risks of Asia’s Digital Supply Chain
Regulatory differences, interconnected digital ecosystems, and the rise of AI have created a complex supply chain Asian organizations must wrangle. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/navigating-unique-security-risks-asias-digital-supply-chain
-
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it’s just… a lot? Yeah. This week delivered. We’ve got hackers getting creative in ways that are almost impressive if you ignore the whole “crime” part, ancient vulnerabilities somehow still ruining people’s days, and enough supply chain drama to fill a…
-
Nordkoreanische Hacker – HTTP-Client Axios für Supply-Chain-Angriff missbraucht
First seen on security-insider.de Jump to article: www.security-insider.de/axios-supply-chain-angriff-npm-versionen-trojaner-a-099b0830aab8f8249c05b1ac71d6cad9/
-
Q1 2026 Open Source Malware Index: Adaptive Attacks, Familiar Weaknesses
Tags: access, ai, api, attack, automation, cloud, credentials, crypto, data, github, guide, intelligence, kubernetes, linux, macOS, malicious, malware, open-source, pypi, risk, software, supply-chain, tactics, theft, tool, update, windows, worm<div cla TL;DR Sonatype identified 21,764 open source malware packages in Q1 2026, bringing the total logged since 2017 to 1,346,867. npm accounted for 75% of malicious packages this quarter. Trojans dominated, with most activity focused on credential theft, host reconnaissance, and staged payload delivery. The quarter’s defining pattern was trust abuse: attackers succeeded by…
-
Rockstar’s GTA Game Hacked, 78.6 Million Records Published Online
Rockstar Games has suffered a significant data breach after the infamous threat group ShinyHunters leaked over 78.6 million internal records on April 14, 2026. The incident did not involve a direct attack on Rockstar’s primary network infrastructure. Instead, the hackers executed a supply-chain attack through a third-party analytics platform, highlighting the escalating risk of integrated…
-
NIS2 als Wettbewerbsvorteil: Von der Pflicht zur Proaktivität
Viele Unternehmen unterschätzen ihre Betroffenheit durch NIS2 und überschätzen zugleich ihre eigene Cyberabwehr, obwohl die Zahl erfolgreicher Angriffe steigt. Warum die Richtlinie weit mehr ist als eine Compliance”‘Pflicht und wie sie zum strategischen Hebel für stabile Produktion, klare Verantwortlichkeiten und mehr Vertrauen in der Lieferkette werden kann. Wer OT”‘Cybersicherheit proaktiv denkt, verschafft sich nicht… First…
-
Anthropic’s Mythos signals a structural cybersecurity shift
Tags: access, ai, attack, business, ciso, control, corporate, cyber, cybersecurity, defense, exploit, governance, network, offense, risk, supply-chain, technology, updateClaude Mythos Preview is a step up: A separate analysis from the UK’s AI Security Institute (AISI) evaluated Mythos Preview itself.The evaluations involved both capture-the-flag (CTF) challenges and more complex ranges designed to simulate multi-step attack scenarios, where the model outperformed other AI systems.Mythos Preview came out on top in a 32-step corporate network attack…
-
OpenAI Rotates macOS Certificates Following Axios Supply Chain Breach
OpenAI rotates macOS certificates after downloading a compromised Axios version, urging users to update apps before revoked certificates are blocked in May 2026. First seen on hackread.com Jump to article: hackread.com/openai-macos-certificates-axios-supply-chain-breach/
-
OpenAI rotates macOS certs after Axios attack hit code-signing workflow
OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/
-
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps, which downloaded the malicious Axios library on March 31, but noted that no user data or internal system was compromised.”Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…