Targeted PyPI Package Steals Google Cloud Credentials from macOS Devs

July 26, 2024 at 04:55PM Researchers discovered a Python package called “lr-utils-lib” on PyPI, designed to target specific macOS machines and steal Google Cloud Platform credentials. The package conceals malicious code in its setup, posing as a legitimate package, and uses social engineering tactics. The campaign is unique due to its highly targeted nature, posing …

‘Crystalray’ Attacks Jump 10X, Using Only OSS to Steal Credentials

July 11, 2024 at 10:04AM A threat actor known as “Crystalray” has been utilizing open source software (OSS) to expand its operations in credential stealing and cryptomining. Researchers observed Crystalray utilizing a range of OSS tools to carry out various stages of its attack chain. Despite its efficiency, the use of OSS opens the attacker …

CISA Flags Memory-Unsafe Code in Major Open Source Projects

June 28, 2024 at 01:28PM A new study reveals the widespread and concerning use of memory-unsafe code in major open source software projects, leading to common security issues. Despite this insight, immediate changes are unlikely due to the complexity and cost of rewriting code entirely in memory-safe languages. The report’s findings align with previous studies, …

Pentagon ‘doubling down’ on Microsoft despite ‘massive hack,’ senators complain

June 4, 2024 at 02:52PM The Pentagon is increasing its investment in Microsoft despite cybersecurity concerns. Senators Wyden and Schmitt urge the Department of Defense to reconsider this single-vendor approach, pushing for a multi-vendor strategy. They question the use of expensive E5 software licenses, advocate for open-source software, and seek clarification on Microsoft’s promise of …

OpenSSF Siren to Share Threat Intelligence for Open Source Software

May 21, 2024 at 08:08AM The Open Source Security Foundation has announced the launch of an email mailing list called Siren, which aims to share real-time security threat intelligence and create a community-driven knowledge base. The list will allow members to exchange information on tactics, techniques, and procedures related to attacks on open source software. …

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

April 2, 2024 at 09:39AM A supply chain compromise in the open-source library XZ Utils has led to a backdoor being inserted, facilitating remote code execution, with the perpetrator deliberately working to gain maintainership. The sophisticated attack, spanning years, has potentially compromised numerous systems. This discovery highlights the risks posed by reliance on open-source software …

AI Hallucinated Packages Fool Unsuspecting Developers

April 1, 2024 at 11:42AM A report by Lasso Security warns of AI chatbots leading software developers to use nonexistent packages, which threat actors could potentially exploit. Bar Lanyado demonstrated large language model (LLM) chatbots’ susceptibility to spreading and recommending hallucinated packages. The research emphasizes the importance of cross-verifying uncertain LLM answers and exercising caution when integrating …

US Government Issues Guidance on SBOM Consumption

November 10, 2023 at 07:00AM The US cybersecurity agency CISA, the NSA, and the ODNI have issued new guidance to help software vendors secure the software supply chain. The guidance focuses on assessing security measures throughout the software lifecycle, managing open source software and software bills of materials, and making recommendations for different phases of …

Supply Chain Startup Chainguard Scores $61 Million Series B

November 1, 2023 at 11:46AM Chainguard, a supply chain security startup founded by former Google engineers, has secured $61 million in Series B financing led by Spark Capital. This brings their total venture capital investments to $116 million. Their flagship product, Chainguard Images, has gained traction among Fortune 500 companies and technology providers. Chainguard aims …