Tag: supply-chain
-
Supply-chain attacks on open source software are getting out of hand
Attacks affected packages, including one with ~2.8 million weekly downloads. First seen on arstechnica.com Jump to article: arstechnica.com/security/2025/07/open-source-repositories-are-seeing-a-rash-of-supply-chain-attacks/
-
Supply chain attack compromises npm packages to spread backdoor malware
Tags: attack, authentication, backdoor, control, cybercrime, cybersecurity, data, defense, email, linux, macOS, malicious, malware, mfa, phishing, software, supply-chain, threat, tool, update, vulnerability, windows
‘is’ npm JavaScript type testing utility with malware that went unnoticed for six hours. The bad news was delivered by maintainer Jordan Harband in a post on Bluesky: “Heads up that v3.3.1 of npmjs.com/is has malware in it, due to another maintainer’s account being hijacked,” he wrote. The infected version was removed by npm admins and v3.3.0…
-
Singapore’s cybersecurity paradox: Top firms rated A, yet all breached
Tags: access, attack, china, cybersecurity, espionage, exploit, group, incident response, infrastructure, intelligence, malicious, metric, mfa, network, resilience, risk, router, service, supply-chain, threat, update, vulnerability
Singapore faces targeted threats: Beyond statistical exposure, Singapore is also facing targeted campaigns against its critical infrastructure. One such operation involves China-linked threat group UNC3886, recently observed exploiting vulnerabilities in Juniper (Junos OS) routers to infiltrate telecom and service provider networks. Gilad Maizles, threat researcher at SecurityScorecard, said, “The campaign appears to be operated through a…
-
CISO Conversations: How IT and OT Security Worlds Are Converging
Dark Reading’s Kelly Jackson Higgins interviews Carmine Valente, Deputy CISO at Con Edison, about his role at the New York-based electric utility and the state of IT and OT security. Valente highlights current threats like ransomware and supply chain attacks, as well as the impact of AI on both defense and threats. First seen on…
-
NPM package ‘is’ with 2.8M weekly downloads infected devs with malware
The popular NPM package ‘is’ has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/npm-package-is-with-28m-weekly-downloads-infected-devs-with-malware/
-
Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. ”As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers,” Matthew Suozzo, Google Open Source…
-
Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub…
-
Prettier-ESLint npm packages hijacked in a sophisticated supply chain attack
Tags: attack, authentication, credentials, detection, github, malicious, mfa, phishing, rce, remote-code-execution, supply-chain, update
Automated GitHub alarms triggered a quick response: Detection was swift once the updates bypassed GitHub’s usual commit-based alerts and raised red flags in registry logs. The maintainer revoked the compromised token, deprecated the malicious releases, and collaborated with npm to remove them. Socket noted that the attack is a textbook example of “multi-stage supply chain compromise,”…
-
Malware Injected into 5 npm Packages After Maintainer Tokens Stolen in Phishing Attack
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub…
-
Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub…
-
Popular npm linter packages hijacked via phishing to drop malware
Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/
-
Top US senator calls out supply-chain risk with DoD contractors
The Senate Intelligence Committee chairman questioned the security of Microsoft’s “digital escort” arrangement with its Chinese employees. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/microsoft-china-employees-us-military-senate-letter/753465/
-
Firmware Vulnerabilities Continue to Plague Supply Chain
Four flaws in the basic software for Gigabyte motherboards could allow persistent implants, underscoring problems in the ways firmware is developed and updated. First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/firmware-vulnerabilities-plague-supply-chain
-
Building scalable secrets management in hybrid cloud environments: Lessons from enterprise adoption
Tags: access, backup, cloud, credentials, data, gitlab, group, iam, identity, infrastructure, jobs, kubernetes, leak, radius, service, supply-chain, tool
Lessons from integration: Identity, Kubernetes and CI/CD: Choosing a secrets management tool is the easy part. Integrating it across an enterprise is where the work begins. We started with identity. Manual user provisioning was not an option. We integrated Vault with our SSO platform using OIDC and mapped groups to Vault policies based on least privilege.…
-
JFrog brings fresh momentum to developer workflows with a new AI server
JFrog, known for its Software Supply Chain Platform and a leader in the field of ‘Liquid Software’, today introduces its new Model Context Protocol (MCP) server. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/jfrog-bringt-frischen-wind-in-entwickler-workflows-mit-neuem-ki-server/a41433/
-
Chinese State-Sponsored Hackers Target Semiconductor Industry with Weaponized Cobalt Strike
Proofpoint Threat Research has identified a sophisticated multi-pronged cyberespionage campaign targeting Taiwan’s semiconductor industry between March and June 2025. Three distinct Chinese state-sponsored threat actors, designated as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, conducted coordinated phishing operations against organizations spanning semiconductor manufacturing, design, testing, supply chain entities, and financial investment analysts specializing in the Taiwanese semiconductor market…
-
It’s Time to Include Geopolitical Risk in Defense Planning
CyXcel’s Megha Kumar on Aligning Enterprise Strategy With Geopolitical Realities. Geopolitical tensions are no longer limited to headlines or high-level diplomacy. They drive cyber risk, supply chain disruption and regulatory fragmentation. CyXcel’s Megha Kumar makes the case for why companies need to take notice and embed geopolitical risks in ongoing security planning. First seen on…
-
China-linked hackers target Taiwan chip firms in a coordinated espionage campaign
Tags: access, ai, attack, china, compliance, control, credentials, cyber, cybersecurity, detection, email, espionage, exploit, finance, framework, government, group, hacker, intelligence, international, login, monitoring, network, phishing, software, supply-chain, technology, threat, warfare
Investment banks in the crosshairs: A second group, UNK_DropPitch, targeted the financial ecosystem surrounding Taiwan’s semiconductor industry. This group conducted phishing campaigns against investment banks, focusing on individuals specializing in Taiwanese semiconductor analysis. The phishing emails purported to come from fictitious financial firms seeking collaboration opportunities. The third group, UNK_SparkyCarp, focused on credential harvesting through sophisticated…
-
Chinese Hackers Target Taiwan’s Semiconductor Sector with Cobalt Strike, Custom Backdoors
The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. ”Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment… First seen on thehackernews.com…
-
North Korea Floods npm Registry with Malware
67 Malicious Packages, XORIndex Loader Target JavaScript Code-Sharing Platform. North Korean threat actors escalated their software supply chain attacks by uploading 67 new malicious packages to the npm Registry as part of the ongoing Contagious Interview campaign. The malware targets open-source JavaScript developers with malware loaders. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/north-korea-floods-npm-registry-malware-a-28990
-
North Korean Hackers Exploit 67 Malicious npm Packages to Spread XORIndex Malware
Tags: attack, cyber, exploit, hacker, malicious, malware, north-korea, software, supply-chain, threat
The Socket Threat Research Team has discovered a new software supply chain attack that uses a malware loader called XORIndex that had not been previously reported, marking a major uptick in North Korean cyber operations. This activity builds on the Contagious Interview campaign previously detailed in June 2025, which involved the HexEval Loader. The adversaries,…
-
North Korea-linked actors spread XORIndex malware via 67 malicious npm packages
North Korea-linked hackers uploaded 67 malicious npm packages with XORIndex malware, hitting 17K+ downloads in ongoing supply chain attacks. North Korea-linked threat actors behind the Contagious Interview campaign have uploaded 67 malicious npm packages with XORIndex malware loader, hitting over 17,000 downloads in ongoing supply chain attacks. XORIndex was built to evade detection and deploy…
-
North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks. The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a…
-
GerriScary: supply-chain vulnerability in Google’s OSS review system
Security researchers at Tenable have discovered a vulnerability, dubbed GerriScary, in Gerrit, Google’s open-source code review system. The vulnerability made it possible to inject malicious code into at least 18 central Google projects, including ChromiumOS (CVE-2025-1568), Chromium, Dart and Bazel. Through GerriScary, attackers could have … existing Change … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/07/13/gerriscary-supply-chain-schwachstelle-in-google-oss-review-system/
-
UK’s CHERI Alliance Expands to Global Hardware Supply Chain
Program Director Mike Eftimakis on How to Fix 70% of Memory Safety Issues. A U.K. government-backed, hardware-based security initiative is tackling one of the biggest cybersecurity challenges – memory safety – and hopes to address about 70% of existing vulnerabilities, said Mike Eftimakis, founding director of Capability Hardware Enhanced RISC Instructions Alliance. First seen on…
-
MoD supply chain cyber scheme gets up and running
The Ministry of Defence and IASME have launched a certification scheme for organisations working in the UK defence supply chain, with construction firm Morgan Sindall the first business to achieve compliance. First seen on computerweekly.com Jump to article: www.computerweekly.com/news/366627637/MoD-supply-chain-cyber-scheme-gets-up-and-running
-
WordPress Gravity Forms developer hacked to push backdoored plugins
The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins/
-
The zero-day that could’ve compromised every Cursor and Windsurf user
Learn how one overlooked flaw in OpenVSX discovered by Koi Security could’ve let attackers hijack millions of dev machines via an extension supply chain attack. The zero-day threat’s been patched, but the wake-up call is clear: extensions are a new, massive supply chain risk. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/the-zero-day-that-couldve-compromised-every-cursor-and-windsurf-user/