June 30, 2024 at 10:35AM The widely used ‘ip’ open-source project had its GitHub repository made “read-only” after developer Fedor Indutny received a dubious CVE report and experienced increased scrutiny due to a vulnerability in the ‘node-ip’ project, affecting JavaScript developers. This pattern of inflated CVE reports is causing frustration for developers and clouding the … Read more
June 28, 2024 at 05:03PM The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has released a report detailing the prevalence of memory-unsafe languages in critical open source projects, highlighting the risks of memory safety vulnerabilities. The report emphasizes the need for organizations to prioritize memory safety and consider using memory-safe languages like Rust or … Read more
June 26, 2024 at 01:59PM The Cybersecurity and Infrastructure Security Agency (CISA) has released a report exploring memory flaws in 172 key open-source projects. It reveals that over half of these projects contain memory-unsafe code, emphasizing the importance of memory-safe languages like Rust, Java, and Go. CISA recommends safe coding practices and continuous testing to … Read more
June 24, 2024 at 10:24AM Cybersecurity researchers disclosed a security flaw, CVE-2024-37032, affecting the Ollama open-source AI platform, enabling remote code execution. The issue was fixed in version 0.1.34. Exploiting the vulnerability involves manipulating HTTP requests. In default Linux installations, the risk is lowered, but Docker deployments are at high risk. Wiz identified over 1,000 … Read more
June 14, 2024 at 03:00AM A Protect AI report has revealed a dozen critical vulnerabilities in open-source AI/ML tools, including issues that could lead to information exposure, privilege escalation, and server takeover. The most severe is CVE-2024-22476 in Intel Neural Compressor, allowing remote privilege escalation. The report emphasizes timely reporting to maintainers for fixes. Various … Read more
June 3, 2024 at 10:25AM Cybersecurity researchers found a suspicious package in the npm registry called glup-debugger-log, disguising as a toolkit logger. It has been downloaded 175 times and contains obfuscated files deploying a remote access trojan. The package uses a series of checks before launching a JavaScript file for persistence and executing arbitrary commands. … Read more
May 28, 2024 at 04:38AM DARPA, known for creating groundbreaking technologies, inspired the birth of ARPA-H under President Joe Biden. This agency focuses on health science and technology, providing funding and support for innovative projects. UPGRADE, a new initiative, aims to develop automated security systems for health infrastructure, drawing parallels to the human immune system. … Read more
May 20, 2024 at 08:12AM Developers often rely on open-source components, which account for the majority of modern software. However, vulnerabilities often stem from these components. GitGuardian’s Software Composition Analysis (SCA) enables developers to scan for CVEs before committing code, ensuring early detection and prevention of known vulnerabilities. GitGuardian SCA is available for a 2-week … Read more
May 2, 2024 at 04:23PM Bitwarden has launched the Bitwarden Authenticator app offering time-based one-time passwords (TOTPs) for enhanced security, previously a premium feature. It’s now available for free to all users, with a promise of future enhancements. While currently lacking some advanced features, it supports MFA apps and offers settings for additional security steps … Read more
April 30, 2024 at 10:01AM Cybersecurity researchers have found malicious “imageless” containers in Docker Hub, creating a potential for supply chain attacks. The containers house documentation that leads users to phishing or malware websites. Over 4 million such repositories have been identified, used to redirect users to fraudulent sites in three distinct campaigns. This underscores … Read more