Easily Exploitable Critical Vulnerabilities Found in Open Source AI/ML Tools

June 14, 2024 at 03:00AM A Protect AI report has revealed a dozen critical vulnerabilities in open-source AI/ML tools, including issues that could lead to information exposure, privilege escalation, and server takeover. The most severe is CVE-2024-22476 in Intel Neural Compressor, allowing remote privilege escalation. The report emphasizes timely reporting to maintainers for fixes. Various … Read more

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

June 3, 2024 at 10:25AM Cybersecurity researchers found a suspicious package in the npm registry called glup-debugger-log, disguising as a toolkit logger. It has been downloaded 175 times and contains obfuscated files deploying a remote access trojan. The package uses a series of checks before launching a JavaScript file for persistence and executing arbitrary commands. … Read more

Take two APIs and call me in the morning: How healthcare research can cure cyber crime

May 28, 2024 at 04:38AM DARPA, known for creating groundbreaking technologies, inspired the birth of ARPA-H under President Joe Biden. This agency focuses on health science and technology, providing funding and support for innovative projects. UPGRADE, a new initiative, aims to develop automated security systems for health infrastructure, drawing parallels to the human immune system. … Read more

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

May 20, 2024 at 08:12AM Developers often rely on open-source components, which account for the majority of modern software. However, vulnerabilities often stem from these components. GitGuardian’s Software Composition Analysis (SCA) enables developers to scan for CVEs before committing code, ensuring early detection and prevention of known vulnerabilities. GitGuardian SCA is available for a 2-week … Read more

Bitwarden launches new MFA Authenticator app for iOS, Android

May 2, 2024 at 04:23PM Bitwarden has launched the Bitwarden Authenticator app offering time-based one-time passwords (TOTPs) for enhanced security, previously a premium feature. It’s now available for free to all users, with a promise of future enhancements. While currently lacking some advanced features, it supports MFA apps and offers settings for additional security steps … Read more

Millions of Malicious ‘Imageless’ Containers Planted on Docker Hub Over 5 Years

April 30, 2024 at 10:01AM Cybersecurity researchers have found malicious “imageless” containers in Docker Hub, creating a potential for supply chain attacks. The containers house documentation that leads users to phishing or malware websites. Over 4 million such repositories have been identified, used to redirect users to fraudulent sites in three distinct campaigns. This underscores … Read more

Apache Cordova App Harness Targeted in Dependency Confusion Attack

April 23, 2024 at 11:28AM Researchers have found a vulnerability in the archived Apache project Cordova App Harness, leading to dependency confusion attacks. Over 49% of organizations are vulnerable. Despite npm’s efforts to fix the issue, the Cordova App Harness project remains at risk. The discovery emphasizes the importance of addressing vulnerabilities in third-party projects … Read more

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

April 16, 2024 at 11:24AM Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation, resembling a recent incident aimed at the open-source XZ Utils project. The incident involved suspicious emails urging updates to JavaScript projects and calls to designate new maintainers. This highlights the risks of supply chain attacks and the need … Read more

Open sourcerers say suspected xz-style attacks continue to target maintainers

April 16, 2024 at 10:15AM Open source groups are cautioning about recent attacks targeting project maintainers, similar to the attempted backdoor incident in a core Linux library. The OpenJS Foundation and OpenSSF are observing suspicious emails aiming to manipulate project maintainers and have shared tactics to identify potential threats. They emphasize the need to support … Read more

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

April 16, 2024 at 07:27AM PuTTY SSH and Telnet client versions 0.68 through 0.80 are vulnerable to a flaw allowing recovery of private keys. The issue, designated CVE-2024-31497, was discovered by Fabian Bäumer and Marcus Brinkmann. The concern affects PuTTY and several other related products, mitigated in recent versions. Users are advised to update and … Read more