Software Productivity Tools Hijacked to Deliver Infostealers

July 4, 2024 at 09:10AM Conceptworld Corporation, an India-based software company, was found to be distributing information-stealing malware with its software products. Researchers from Rapid7 discovered that the installation packages of their tools, Notezilla, RecentX, and Copywhiz, had been Trojanized. Despite replacing the malicious installers, users were unknowingly exposed to the dllFake malware, capable of …

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

July 1, 2024 at 01:18PM Security flaws in CocoaPods were discovered, allowing attackers to hijack and insert malicious code into popular iOS and macOS applications, posing serious supply chain risks. The vulnerabilities were patched in October 2023, but the issues stemmed from a 2014 migration, leading to unclaimed pods and flawed verification processes. Downstream customers …

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

June 28, 2024 at 10:43AM GitLab released updates addressing 14 security flaws, including a critical vulnerability allowing unauthorized execution of CI/CD pipelines. The most severe flaw, CVE-2024-5655 (CVSS score: 9.6), impacts versions 15.8 to 17.1, with 17.1.1, 17.0.3, and 16.11.5 providing fixes. While there’s no active exploitation, users are urged to apply patches. Key takeaways …

Practical Guidance For Securing Your Software Supply Chain

June 26, 2024 at 06:57AM Software-producing organizations are facing increasing regulatory and legal pressure to secure their supply chains and protect their software integrity. The software supply chain has become a prime target for attackers, as seen in the Log4j breach. To address these security challenges, organizations should consider various measures, including governing the software …

VicOne Solutions for Detection of Zero-Day Vulnerabilities and Contextualized Attack Paths

June 21, 2024 at 04:28PM VicOne, an automotive cybersecurity solutions leader, announced the availability of its xNexus and xZETA solutions in AWS Marketplace. These solutions, designed to secure the automotive software supply chain, offer zero-day threat intelligence and actionable insights. VicOne’s CEO, Max Cheng, noted the significance of the listing and the benefits it brings …

U.S. Bans Kaspersky Software, Citing National Security Risks

June 21, 2024 at 01:18AM The U.S. Department of Commerce’s Bureau of Industry and Security imposed a ban on Kaspersky Lab’s U.S. subsidiary and affiliates from offering security software due to national security risks posed by its ties to the Russian government. Kaspersky will be barred from selling to U.S. consumers and businesses starting July …

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

June 3, 2024 at 10:25AM Cybersecurity researchers found a suspicious package in the npm registry called glup-debugger-log, disguised as a toolkit logger. It has been downloaded 175 times and contains obfuscated files deploying a remote access trojan. The package uses a series of checks before launching a JavaScript file for persistence and executing arbitrary commands. …

Cybercriminals Abuse StackOverflow to Promote Malicious Python Package

May 29, 2024 at 01:51PM Cybersecurity researchers have discovered a malicious Python package, “pytoileur,” in the Python Package Index repository, aiming to enable cryptocurrency theft. The package’s code executes a Base64-encoded payload to retrieve a Windows binary from an external server, establishing persistence and dropping spyware and data-stealing malware. This method signifies an unprecedented abuse …

Why CVEs Are an Incentives Problem

May 29, 2024 at 10:03AM The book “Freakonomics” applies economic principles to social phenomena, emphasizing the impact of incentives on decision-making. The rising number of reported software vulnerabilities (CVEs) raises concerns about the cybersecurity ecosystem and the incentive structure influencing vulnerability reporting. Issues include gaming the system for recognition, lack of accountability in submissions, and …

Five Core Tenets Of Highly Effective DevSecOps Practices

May 21, 2024 at 08:06AM The text discusses the challenge of making modern applications more secure without disrupting the high-velocity DevOps processes. It emphasizes the critical importance of building and running a DevSecOps practice, highlighting five guiding principles: establishing a security-minded culture, shifting security left, maintaining governance and guardrails, securing the software supply chain, and …