Tag: supply-chain
-
OWASP Top 10: Broken access control still tops app security list
Risk list highlights misconfigs, supply chain failures, and singles out prompt injection in AI apps First seen on theregister.com Jump to article: www.theregister.com/2025/11/11/new_owasp_top_ten_broken/
-
Fake NPM Package With 206K Downloads Targeted GitHub for Credentials
Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisation’s code. First seen on hackread.com Jump to article: hackread.com/fake-npm-package-downloads-github-credentials/
-
CISO’s Expert Guide To AI Supply Chain Attacks
AI-enabled supply chain attacks jumped 156% last year. Discover why traditional defenses are failing and what CISOs must do now to protect their organizations.Download the full CISO’s expert guide to AI Supply chain attacks here. TL;DRAI-enabled supply chain attacks are exploding in scale and sophistication – Malicious package uploads to open-source repositories jumped 156% in…
-
Hidden risks in the financial sector’s supply chain
When a cyber attack hits a major bank or trading platform, attention usually turns to the institution. But new research suggests the real danger may lie elsewhere. BitSight … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/11/hidden-financial-sector-cyber-risk/
-
OWASP Highlights Supply Chain Risks in New Top 10 List
Security misconfiguration jumped to second place while injection vulnerabilities dropped, as organizations improve defenses against traditional coding flaws. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10
-
OWASP Highlights Supply Chain Risks in New Top 10 List
Security misconfiguration jumped to second place while injection vulnerabilities dropped, as organizations improve defenses against traditional coding flaws. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10
-
How GlassWorm wormed its way back into developers’ code, and what it says about open source security
Tags: access, ai, attack, blockchain, ciso, control, credentials, crypto, cybersecurity, data, data-breach, endpoint, exploit, framework, github, google, infrastructure, law, malicious, malware, marketplace, monitoring, open-source, resilience, service, software, supply-chain, threat, tool, update, wormadhamu.history-in-sublime-merge (downloaded 4,000 times)ai-driven-dev.ai-driven-dev (downloaded 3,300 times)yasuyuky.transient-emacs (downloaded 2,400 times)All three GlassWorm extensions are “still literally invisible” in code editors, the researchers note. They are encoded in unprintable Unicode characters that look like blank space to the human eye, but execute as JavaScript.The attackers have posted new transactions to the Solana blockchain that outline updated…
-
How GlassWorm wormed its way back into developers’ code, and what it says about open source security
Tags: access, ai, attack, blockchain, ciso, control, credentials, crypto, cybersecurity, data, data-breach, endpoint, exploit, framework, github, google, infrastructure, law, malicious, malware, marketplace, monitoring, open-source, resilience, service, software, supply-chain, threat, tool, update, wormadhamu.history-in-sublime-merge (downloaded 4,000 times)ai-driven-dev.ai-driven-dev (downloaded 3,300 times)yasuyuky.transient-emacs (downloaded 2,400 times)All three GlassWorm extensions are “still literally invisible” in code editors, the researchers note. They are encoded in unprintable Unicode characters that look like blank space to the human eye, but execute as JavaScript.The attackers have posted new transactions to the Solana blockchain that outline updated…
-
CMMC: New Cyber Rules Hit Defense Supply Chain
Pentagon Formally Rolls Out Long-Awaited Cybersecurity Requirements for Vendors. The Department of Defense’s final Cybersecurity Maturity Model Certification rule went into effect Monday after years of industry debate, requiring all defense contractors and subcontractors to obtain cybersecurity certifications for any new contracts, contract renewals or extensions. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/cmmc-new-cyber-rules-hit-defense-supply-chain-a-29977
-
OWASP Highlights Supply Chain Risks in New Top 10
Security misconfiguration jumped to second place while injection vulnerabilities dropped, as organizations improve defenses against traditional coding flaws. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10
-
NuGet Supply-Chain Exploit Uses Timed Destructive Payloads Against ICS
A sophisticated supply chain attack has compromised critical industrial control systems through nine malicious NuGet packages designed to inject time-delayed destructive payloads into database operations and manufacturing environments. Socket’s Threat Research Team identified these weapons of code, published under the alias shanhai666 between 2023 and 2024, which have collectively accumulated 9,488 downloads before being reported…
-
NuGet Supply-Chain Exploit Uses Timed Destructive Payloads Against ICS
A sophisticated supply chain attack has compromised critical industrial control systems through nine malicious NuGet packages designed to inject time-delayed destructive payloads into database operations and manufacturing environments. Socket’s Threat Research Team identified these weapons of code, published under the alias shanhai666 between 2023 and 2024, which have collectively accumulated 9,488 downloads before being reported…
-
New Browser Security Report Reveals Emerging Threats for Enterprises
According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user’s browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low.What’s emerging isn’t just a blindspot. It’s a parallel threat surface: unmanaged extensions acting like…
-
New Browser Security Report Reveals Emerging Threats for Enterprises
According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user’s browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low.What’s emerging isn’t just a blindspot. It’s a parallel threat surface: unmanaged extensions acting like…
-
Ransomware Operators Exploit RMM Tools to Deploy Medusa and DragonForce
Tags: attack, breach, cyber, cybersecurity, data-breach, exploit, group, infrastructure, monitoring, ransomware, service, software, supply-chain, tool, vulnerabilityCybersecurity researchers at Zensec have exposed a sophisticated supply-chain attack campaign that weaponised trusted Remote Monitoring and Management (RMM) infrastructure to deploy ransomware across multiple UK organisations throughout early 2025. The investigation reveals how two prominent ransomware-as-a-service groups exploited critical vulnerabilities in SimpleHelp RMM software to breach downstream customers through their managed service providers. The…
-
Ransomware Operators Exploit RMM Tools to Deploy Medusa and DragonForce
Tags: attack, breach, cyber, cybersecurity, data-breach, exploit, group, infrastructure, monitoring, ransomware, service, software, supply-chain, tool, vulnerabilityCybersecurity researchers at Zensec have exposed a sophisticated supply-chain attack campaign that weaponised trusted Remote Monitoring and Management (RMM) infrastructure to deploy ransomware across multiple UK organisations throughout early 2025. The investigation reveals how two prominent ransomware-as-a-service groups exploited critical vulnerabilities in SimpleHelp RMM software to breach downstream customers through their managed service providers. The…
-
CISOs must prove the business value of cyber, the right metrics can help
Cybersecurity as a business function: “The challenge has been that security is put in the wrong organizational structure, with the CISO reporting to the CIO or CTO or chief digital officer,” Oberlaender says. “Security is not foremost a technology problem. Maybe ten or twenty percent is technology. But the rest is people, process and the…
-
CISOs must prove the business value of cyber, the right metrics can help
Cybersecurity as a business function: “The challenge has been that security is put in the wrong organizational structure, with the CISO reporting to the CIO or CTO or chief digital officer,” Oberlaender says. “Security is not foremost a technology problem. Maybe ten or twenty percent is technology. But the rest is people, process and the…
-
CISOs must prove the business value of cyber, the right metrics can help
Cybersecurity as a business function: “The challenge has been that security is put in the wrong organizational structure, with the CISO reporting to the CIO or CTO or chief digital officer,” Oberlaender says. “Security is not foremost a technology problem. Maybe ten or twenty percent is technology. But the rest is people, process and the…
-
Anchore Enterprise 5.23: CycloneDX VEX and VDR Support
Anchore Enterprise 5.23 adds CycloneDX VEX and VDR support, completing our vulnerability communication capabilities for software publishers who need to share accurate vulnerability context with customers. With OpenVEX support shipped in 5.22 and CycloneDX added now, teams can choose the format that fits their supply chain ecosystem while maintaining consistent vulnerability annotations across both standards….…
-
Anchore Enterprise 5.23: CycloneDX VEX and VDR Support
Anchore Enterprise 5.23 adds CycloneDX VEX and VDR support, completing our vulnerability communication capabilities for software publishers who need to share accurate vulnerability context with customers. With OpenVEX support shipped in 5.22 and CycloneDX added now, teams can choose the format that fits their supply chain ecosystem while maintaining consistent vulnerability annotations across both standards….…
-
Malicious npm packages contain Vidar infostealer
Typosquatting: One favorite tactic of threat actors trying to infect the open source software supply chain is typosquatting, the creation of packages with names similar to those of legitimate ones to trick unwitting developers searching for a particular library. For example, in 2018 a researcher found that threat actors had created phony libraries in the…
-
Malicious npm packages contain Vidar infostealer
Typosquatting: One favorite tactic of threat actors trying to infect the open source software supply chain is typosquatting, the creation of packages with names similar to those of legitimate ones to trick unwitting developers searching for a particular library. For example, in 2018 a researcher found that threat actors had created phony libraries in the…
-
Malicious npm packages contain Vidar infostealer
Typosquatting: One favorite tactic of threat actors trying to infect the open source software supply chain is typosquatting, the creation of packages with names similar to those of legitimate ones to trick unwitting developers searching for a particular library. For example, in 2018 a researcher found that threat actors had created phony libraries in the…
-
Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation
A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named “shanhai666” and are designed to run malicious code after specific trigger…
-
Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation
A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named “shanhai666” and are designed to run malicious code after specific trigger…
-
Over 15 Malicious npm Packages Exploiting Windows to Deploy Vidar Malware
Datadog Security Research has uncovered a sophisticated supply chain attack targeting the npm ecosystem, involving 17 malicious packages across 23 releases designed to deliver the Vidar infostealer malware to Windows systems. The campaign, attributed to a threat actor cluster tracked as MUT-4831, represents a significant escalation in npm-based threats and marks the first known public…
-
Over 15 Malicious npm Packages Exploiting Windows to Deploy Vidar Malware
Datadog Security Research has uncovered a sophisticated supply chain attack targeting the npm ecosystem, involving 17 malicious packages across 23 releases designed to deliver the Vidar infostealer malware to Windows systems. The campaign, attributed to a threat actor cluster tracked as MUT-4831, represents a significant escalation in npm-based threats and marks the first known public…