Tag: supply-chain
-
JFrog Uncovers Severe React Vulnerability Threat to Software Supply Chains
The security research team at JFrog, a provider of a platform for building and deploying software, has discovered a critical vulnerability in a node package manager (npm) found in tools used by application developers that enables unauthenticated attackers to remotely trigger arbitrary operating system commands by sending a POST request to a Metro server used…
-
In financial sector, vendors lag behind customers on cybersecurity
Financial firms should be performing regular oversight of their vendors to avoid supply chain compromises, according to a new report. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/financial-sector-vendors-cybersecurity-performance-bitsight/804873/
-
Airstalk Malware Exploits AirWatch MDM for Covert C2 Communication
Security researchers have identified a sophisticated new malware family, Airstalk, that exploits VMware’s AirWatch API, now known as Workspace ONE Unified Endpoint Management, to establish covert command-and-control channels. The discovery represents a significant threat evolution, with both PowerShell and .NET variants discovered in what researchers assess with medium confidence was a nation-state-sponsored supply chain…
-
Congressional leaders want an executive branch strategy on China 6G, tech supply chain
In an exclusive, Rep. Raja Krishnamoorthi, D-Ill., told CyberScoop that policymakers must learn from past mistakes around 5G. First seen on cyberscoop.com Jump to article: cyberscoop.com/exclusive-china-6g-letter-krishnamoorthi-congress-state-commerce-letters/
-
10 promising cybersecurity startups CISOs should know about
Tags: access, ai, attack, automation, business, ceo, ciso, cloud, compliance, container, control, cybersecurity, data, deep-fake, defense, detection, endpoint, exploit, finance, gartner, google, governance, government, grc, ibm, identity, linux, malicious, microsoft, military, monitoring, network, open-source, ransomware, RedTeam, risk, saas, software, startup, supply-chain, technology, threat, tool, vulnerability, vulnerability-management, zero-trust
2. Chainguard: Category: Software supply chain security. Why they’re here: Founded in 2021 by Dan Lorenc (formerly at Microsoft and Google), Chainguard offers a Linux-based platform for securely building applications. The company has raised more than $600M and is valued at $3.5B. In fiscal year 2025, Chainguard reached a $40M annual run rate and by the…
-
Cyber Physical Systems Face Rising Geopolitical Risks
Global Conflicts and Tariff Wars Are Driving New OT Threats and Supply Chain Risks. Global conflicts and tariff wars provide new opportunities for cyber adversaries, especially those targeting operational technology systems. Now attackers are focusing on fragile supply chains. Claroty researchers predict attackers will breach at least one major cyber-physical system in the next year.…
-
OpenAI's Aardvark is meant to detect and fix bugs in code
Tags: ai, ceo, chatgpt, cve, cyberattack, LLM, open-source, openai, risk, software, supply-chain, tool, update, vulnerability
AI is meant to bring security into the development process early. OpenAI has introduced Aardvark, an autonomous agent based on GPT-5. Like a human security researcher, it is supposed to be able to scan, understand and patch code. Unlike conventional scanners, which mechanically flag suspicious code, Aardvark tries to analyze how and why…
-
Airstalk Malware Turns MDM Tools into Covert Spy Channels
Airstalk discovery reveals nation-state hackers exploiting trusted tools to infiltrate supply chains undetected. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/airstalk-malware-turns-mdm-tools-into-covert-spy-channels/
-
Heisenberg: Open-source software supply chain health check tool
Heisenberg is an open-source tool that checks the health of a software supply chain. It analyzes dependencies using data from deps.dev, Software Bills of Materials (SBOMs), … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/03/heisenberg-open-source-software-supply-chain-health-check-tool/
-
Open VSX rotates access tokens used in supply-chain malware attack
The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in an attempted supply-chain attack. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/
-
New Email Security Technique Prevents Phishing Attacks Behind NPM Breach
The discovery of a large-scale NPM ecosystem compromise in September 2025 has renewed focus on email security as the critical first line of defense against supply chain attacks. Threat actors successfully compromised multiple high-profile NPM developer accounts through a sophisticated phishing campaign, inserting malicious code into 20 popular packages that collectively received nearly 2.8 billion…
-
Nation-State Breach Hits Ribbon Communications
SEC Filing Reveals Telecom Vendor Was Compromised for Nearly a Year. A nation-state threat actor carried out a supply chain attack targeting Ribbon Communications, a leading U.S. provider of telecom and networking infrastructure, and may have maintained access within its systems for nearly a year. Ribbon said it became aware of the activity in early…
-
Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack
A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it’s tracking the cluster under the moniker CL-STA-1009, where “CL” stands for cluster and “STA” refers to state-backed motivation. “Airstalk misuses the AirWatch API for mobile…
-
OpenAI launches Aardvark to detect and patch hidden bugs in code
Tags: ai, attack, cve, flaw, framework, LLM, open-source, openai, software, supply-chain, update, vulnerability
Securing open source and shifting security left: Aardvark’s role extends beyond enterprise environments. OpenAI has already deployed it across open-source repositories, where it claims to have discovered multiple real-world vulnerabilities, ten of which have received official CVE identifiers. The LLM giant said it plans to provide pro-bono scanning for selected non-commercial open-source projects, under a…
-
The unified linkage model: A new lens for understanding cyber risk
Tags: access, api, attack, breach, ciso, cloud, compliance, credentials, cve, cyber, cybersecurity, data, defense, exploit, flaw, framework, identity, incident response, infrastructure, intelligence, malicious, mitre, network, nist, okta, open-source, radius, resilience, risk, risk-analysis, saas, sbom, software, supply-chain, threat, update, vpn, vulnerability, zero-day, zero-trust
Missed systemic risk: Organizations secure individual components but miss how vulnerabilities propagate through dependencies (e.g., Log4j embedded in third-party apps). Ineffective prioritization: Without a linkage structure, teams patch high-severity CVEs on isolated systems while leaving lower-scored flaws on critical trust pathways. Slow incident response: When a zero-day emerges, teams scramble to locate vulnerable components. Without pre-existing linkage…
-
AI-powered bug hunting shakes up bounty industry, for better or worse
Tags: access, ai, authentication, automation, bug-bounty, business, ciso, cloud, control, credentials, data, detection, exploit, flaw, guide, identity, infrastructure, injection, intelligence, risk, risk-management, sql, strategy, supply-chain, threat, tool, vulnerability
Firehose of ‘false positives’: Gunter Ollmann, CTO at Cobalt.io, warns that AI is exacerbating the existing problem that comes from vendors getting swamped with often low-quality bug submissions. Security researchers turning to AI is creating a “firehose of noise, false positives, and duplicates,” according to Ollmann. “The future of security testing isn’t about managing a crowd of…

