Tag: supply-chain
-
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it’s just… a lot? Yeah. This week delivered. We’ve got hackers getting creative in ways that are almost impressive if you ignore the whole “crime” part, ancient vulnerabilities somehow still ruining people’s days, and enough supply chain drama to fill a…
-
Nordkoreanische Hacker – HTTP-Client Axios für Supply-Chain-Angriff missbraucht
First seen on security-insider.de Jump to article: www.security-insider.de/axios-supply-chain-angriff-npm-versionen-trojaner-a-099b0830aab8f8249c05b1ac71d6cad9/
-
Q1 2026 Open Source Malware Index: Adaptive Attacks, Familiar Weaknesses
Tags: access, ai, api, attack, automation, cloud, credentials, crypto, data, github, guide, intelligence, kubernetes, linux, macOS, malicious, malware, open-source, pypi, risk, software, supply-chain, tactics, theft, tool, update, windows, worm<div cla TL;DR Sonatype identified 21,764 open source malware packages in Q1 2026, bringing the total logged since 2017 to 1,346,867. npm accounted for 75% of malicious packages this quarter. Trojans dominated, with most activity focused on credential theft, host reconnaissance, and staged payload delivery. The quarter’s defining pattern was trust abuse: attackers succeeded by…
-
Rockstar’s GTA Game Hacked, 78.6 Million Records Published Online
Rockstar Games has suffered a significant data breach after the infamous threat group ShinyHunters leaked over 78.6 million internal records on April 14, 2026. The incident did not involve a direct attack on Rockstar’s primary network infrastructure. Instead, the hackers executed a supply-chain attack through a third-party analytics platform, highlighting the escalating risk of integrated…
-
NIS2 als Wettbewerbsvorteil: Von der Pflicht zur Proaktivität
Viele Unternehmen unterschätzen ihre Betroffenheit durch NIS2 und überschätzen zugleich ihre eigene Cyberabwehr, obwohl die Zahl erfolgreicher Angriffe steigt. Warum die Richtlinie weit mehr ist als eine Compliance”‘Pflicht und wie sie zum strategischen Hebel für stabile Produktion, klare Verantwortlichkeiten und mehr Vertrauen in der Lieferkette werden kann. Wer OT”‘Cybersicherheit proaktiv denkt, verschafft sich nicht… First…
-
Anthropic’s Mythos signals a structural cybersecurity shift
Tags: access, ai, attack, business, ciso, control, corporate, cyber, cybersecurity, defense, exploit, governance, network, offense, risk, supply-chain, technology, updateClaude Mythos Preview is a step up: A separate analysis from the UK’s AI Security Institute (AISI) evaluated Mythos Preview itself.The evaluations involved both capture-the-flag (CTF) challenges and more complex ranges designed to simulate multi-step attack scenarios, where the model outperformed other AI systems.Mythos Preview came out on top in a 32-step corporate network attack…
-
OpenAI Rotates macOS Certificates Following Axios Supply Chain Breach
OpenAI rotates macOS certificates after downloading a compromised Axios version, urging users to update apps before revoked certificates are blocked in May 2026. First seen on hackread.com Jump to article: hackread.com/openai-macos-certificates-axios-supply-chain-breach/
-
OpenAI rotates macOS certs after Axios attack hit code-signing workflow
OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/
-
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps, which downloaded the malicious Axios library on March 31, but noted that no user data or internal system was compromised.”Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…
-
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat…
-
TDL 019 – The Psychology Behind a Cyber Breach and the Leaders Who Survive It – Nim Nadarajah
Tags: access, ai, apple, automation, breach, business, cctv, ceo, cio, ciso, cloud, computing, conference, control, corporate, crowdstrike, cve, cyber, cyberattack, cybersecurity, data, dns, edr, email, finance, firewall, governance, group, healthcare, incident, incident response, infrastructure, injection, insurance, Internet, jobs, law, LLM, metric, microsoft, msp, network, office, powershell, privacy, programming, psychology, risk, saas, service, siem, soar, soc, software, startup, strategy, supply-chain, switch, technology, threat, tool, training, usa, vulnerability, windows, zero-trustLeading Through the Cyber Abyss In Episode 019 of The Defender’s Log, host David Redekop sits down with Nim Nadarajah, CISO and Managing Partner of Critical Matrix, to explore the evolving landscape of cybersecurity leadership. From the “annual pilgrimage” of RSAC 2026 to the front lines of incident response, the conversation shifts from technical bits…
-
TDL 019 – The Psychology Behind a Cyber Breach and the Leaders Who Survive It – Nim Nadarajah
Tags: access, ai, apple, automation, breach, business, cctv, ceo, cio, ciso, cloud, computing, conference, control, corporate, crowdstrike, cve, cyber, cyberattack, cybersecurity, data, dns, edr, email, finance, firewall, governance, group, healthcare, incident, incident response, infrastructure, injection, insurance, Internet, jobs, law, LLM, metric, microsoft, msp, network, office, powershell, privacy, programming, psychology, risk, saas, service, siem, soar, soc, software, startup, strategy, supply-chain, switch, technology, threat, tool, training, usa, vulnerability, windows, zero-trustLeading Through the Cyber Abyss In Episode 019 of The Defender’s Log, host David Redekop sits down with Nim Nadarajah, CISO and Managing Partner of Critical Matrix, to explore the evolving landscape of cybersecurity leadership. From the “annual pilgrimage” of RSAC 2026 to the front lines of incident response, the conversation shifts from technical bits…
-
Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI
Tags: ai, attack, business, credentials, crypto, cve, data, data-breach, malicious, moveIT, network, okta, radius, risk, software, supply-chain, threat, update, vulnerability, zero-daySee how you can use Tenable Hexa AI to determine in minutes if you’re impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable. Key takeaways: Tenable Hexa AI, the agentic engine of the Tenable…
-
Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI
Tags: ai, attack, business, credentials, crypto, cve, data, data-breach, malicious, moveIT, network, okta, radius, risk, software, supply-chain, threat, update, vulnerability, zero-daySee how you can use Tenable Hexa AI to determine in minutes if you’re impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable. Key takeaways: Tenable Hexa AI, the agentic engine of the Tenable…
-
Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/
-
Claude-Mythos-Preview und die Gefahr für die ITChain
Der Zugriff auf Code mit Hilfe von KI-Modellen hebelt herkömmliche Kontrollen und Zero-Trust aus. Ein Kommentar Martin Zugec, Technical Solutions Director bei Bitdefender, zu Claude Mythos Preview und zur Gefahr für die IT-Supply-Chain <<Ich denke, dass die Diskussionen rund um Mythos einen wichtigen Aspekt ausblenden: die Rolle aktueller Supply-Chain-Attacken. Mythos agierte mit einem vollen […]…
-
Renovate Dependabot: The New Malware Delivery System
Recent supply chain attacks stayed live for hours. Automation tools silently merged their malware in minutes. Read how upgrade bots and AI agents became the insider threat. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/renovate-dependabot-the-new-malware-delivery-system/
-
GlassWorm Trojan Hits VS Code, Cursor, Windsurf via OpenVSX Extension
A newly discovered supply chain attack is spreading the GlassWorm malware across multiple developer environments by abusing the OpenVSX extension marketplace. GlassWorm is not new. Researchers have tracked the campaign since March 2025, when attackers hid malicious payloads inside npm packages using invisible Unicode characters. Since then, the operation has expanded across GitHub repositories, npm…
-
TeamPCP griff EU und Cisco an – Massive Supply-Chain-Angriffe über Trivy-Tool und Telnyx-PyPI
First seen on security-insider.de Jump to article: www.security-insider.de/teampcp-supply-chain-angriffe-trivy-telnyx-a-ce4e1dc1ec2f5930ec814664eefd2541/
-
Court Backs Pentagon Anthropic Ban – But the Fight Continues
Ruling Keeps Claude Models Out of Defense Systems During Separate Legal Challenges. A federal appeals court allowed the Pentagon to enforce its supply-chain risk designation against Anthropic, keeping its AI models barred from defense contracts while parallel litigation continues to challenge the policy’s legality and constitutional limits. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/court-backs-pentagon-anthropic-ban-but-fight-continues-a-31383
-
Black Duck Names Dom Glavach as CISO to Bolster Supply Chain and AI Security Push
Application security firm Black Duck has appointed Dom Glavach as its new Chief Information Security Officer, bringing in a seasoned executive with more than two decades of experience spanning enterprise security, national defence, and SaaS environments. The hire comes at a turbulent time for software security. Dependency abuse, credential misuse, and compromised build pipelines have…
-
Sicherheitsrisiko Source Code: Was hinter dem Claude-Vorfall steckt
Der Claude-Code-Leak zeigt eindrücklich, wie schnell aus einem simplen Fehler ein globales Sicherheitsproblem entstehen kann – die gesamte Supply Chain gerät ins Wanken First seen on infopoint-security.de Jump to article: www.infopoint-security.de/sicherheitsrisiko-source-code-was-hinter-dem-claude-vorfall-steckt/a44548/
-
Securing the AI Supply Chain: What are the Risks and Where to Start?
AI supply chain security: Explore the risks of poisoned datasets, compromised open-source libraries, and AI-powered phishing. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/securing-the-ai-supply-chain-what-are-the-risks-and-where-to-start/
-
Weak at the seams
Tags: advisory, ai, attack, automation, business, cloud, compliance, control, crowdstrike, cybersecurity, data, data-breach, endpoint, exploit, finance, firewall, framework, healthcare, infrastructure, insurance, Internet, network, resilience, risk, service, supply-chain, technology, tool, update, vulnerability, windows, zero-dayThe normal choices are the dangerous ones: Consider the stack a typical large enterprise was running in 2024: One vendor for ERP and supply chain, another for perimeter enforcement, another for networking and another for endpoint protection. Standard choices, responsibly made. Within a twelve-month window, each of those categories experienced significant disruptions, from zero-day exploits…
-
Weak at the seams
Tags: advisory, ai, attack, automation, business, cloud, compliance, control, crowdstrike, cybersecurity, data, data-breach, endpoint, exploit, finance, firewall, framework, healthcare, infrastructure, insurance, Internet, network, resilience, risk, service, supply-chain, technology, tool, update, vulnerability, windows, zero-dayThe normal choices are the dangerous ones: Consider the stack a typical large enterprise was running in 2024: One vendor for ERP and supply chain, another for perimeter enforcement, another for networking and another for endpoint protection. Standard choices, responsibly made. Within a twelve-month window, each of those categories experienced significant disruptions, from zero-day exploits…
-
5 steps to strengthen supply chain security and improve cyber resilience
Tags: access, api, attack, authentication, automation, backup, breach, business, cloud, control, credentials, cyber, data, defense, detection, dns, edr, email, endpoint, exploit, framework, governance, identity, infrastructure, mfa, monitoring, msp, network, radius, resilience, risk, saas, service, siem, soc, software, strategy, supply-chain, threat, tool, update, vulnerability, zero-trustAll software vendors and SaaS platformsOpen”‘source components embedded in your applicationsMSP or IT service providersCloud infrastructure and authentication servicesAPI integrations and automation workflowsOnce documented, classify each supplier by the impact they would have if compromised. A remote monitoring tool or authentication platform represents far greater risk than a basic productivity app. This prioritization helps you…