Open Source Package Entry Points May Lead to Supply Chain Attacks

October 15, 2024 at 06:06AM

Entry points in open-source packages across various programming languages are vulnerable to exploitation, posing risks for supply chain attacks. This highlights the need for enhanced security measures to protect against such vulnerabilities. The article is based on a post from SecurityWeek.

**Meeting Takeaways:**

1. **Vulnerability Highlighted**: Entry points in software …

Apache Cordova App Harness Targeted in Dependency Confusion Attack

April 23, 2024 at 11:28AM

Researchers have found a vulnerability in the archived Apache project Cordova App Harness, leading to dependency confusion attacks. Over 49% of organizations are vulnerable. Despite npm’s efforts to fix the issue, the Cordova App Harness project remains at risk. The discovery emphasizes the importance of addressing vulnerabilities in third-party projects …

‘everything’ blocks devs from removing their own npm packages

January 4, 2024 at 04:56AM

The npm package registry was flooded with over 3,000 packages during the holidays, leading to the creation of the “everything” package. Installing “everything” results in the download of every npm package, causing storage and performance issues. Authors are unable to remove their packages due to its dependency chain, which has …