April 11, 2024 at 07:45AM GitGuardian’s 2024 report reveals over 12.8 million new exposed secrets in GitHub and highlighted potential threats in the PyPI repository. While Python developers widely use open-source packages, the report identifies the risks of exposing sensitive credentials. The article emphasizes the importance of proper secrets management and advises adopting automation tools … Read more
April 3, 2024 at 07:12AM An XZ Utils backdoor, reminiscent of a 2020 F-Droid attempt, highlighted the trend of targeting open source software. Jia Tan, posing as a legitimate developer, embedded a backdoor for remote code execution via Linux systems. Collin’s investigation promises more details, as experts predict further supply chain attacks in open source … Read more
April 2, 2024 at 09:39AM A supply chain compromise in the open-source library XZ Utils has led to a backdoor being inserted, facilitating remote code execution, with the perpetrator deliberately working to gain maintainership. The sophisticated attack, spanning years, has potentially compromised numerous systems. This discovery highlights the risks posed by reliance on open-source software … Read more
April 2, 2024 at 07:09AM The OWASP Foundation announced a data breach revealing personal information of aspiring members from over a decade ago. The breach exposed names, addresses, phone numbers, and emails of members, prompting the organization to take security measures, notify impacted individuals, and caution the public. While the exposed data is old, caution … Read more
March 29, 2024 at 06:50PM The Tech Tip outlines how to check for system impact from a newly discovered backdoor in the open source xz compression utility. It seems like the main takeaway from the meeting notes is to detail the process for checking if a system is affected by the newly discovered backdoor in … Read more
March 27, 2024 at 07:03AM Researchers warn that threat actors are actively exploiting an unpatched vulnerability in the open-source artificial intelligence platform Anyscale Ray to hijack computing power for illicit cryptocurrency mining, affecting various sectors. The vulnerability, CVE-2023-48022, allows remote attackers to execute arbitrary code, leading to the breach of sensitive data and potential long-term … Read more
March 22, 2024 at 09:53AM The NIST has drastically reduced the analysis of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database, posing challenges for IT security professionals. The organization’s budget cuts and workload are suspected reasons. The cybersecurity community is concerned about the impact, although alternative sources like Open Source Vulnerabilities are available. … Read more
March 21, 2024 at 10:52AM Researchers at JFrog have uncovered over 800 npm registry packages with discrepancies from their registry entries, 18 of which exploit a technique called manifest confusion. This technique can trick developers into running malicious code by supplying a different manifest with hidden dependencies during installation. They stress the importance of verifying … Read more
March 20, 2024 at 08:54AM Permiso’s open-source tool aids security teams in pinpointing threat actors within their AWS and Azure environments. Based on the meeting notes, the open-source tool from Permiso can be used by security teams to identify threat actors within their AWS and Azure environments. Full Article
March 18, 2024 at 06:15PM Machine-learning model platforms, such as Hugging Face, are vulnerable to attacks similar to those experienced by npm, PyPI, and other open source repositories. These attacks have been successfully executed by threat actors for years. It seems from the meeting notes that the discussion highlighted the susceptibility of machine-learning model platforms … Read more