GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

January 17, 2024 at 03:15AM GitHub has responded to a security vulnerability by rotating some keys, including the GitHub commit signing key, GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys. The vulnerability, CVE-2024-0200, has not been exploited in the wild, but GitHub has addressed it with patches. Another bug, CVE-2024-0507, has also been resolved …

Urgent: GitLab Releases Patch for Critical Vulnerabilities – Update ASAP

January 12, 2024 at 10:42PM GitLab released security updates to address two critical vulnerabilities, CVE-2023-7028 and CVE-2023-5356. CVE-2023-7028 allows account takeover without user interaction, affecting versions 16.1 to 16.7. CVE-2023-5356 enables execution of slash commands as another user through Slack/Mattermost integrations. Users are advised to upgrade instances and enable 2FA for elevated privileges. Key takeaways …

Threat Actors Increasingly Abusing GitHub for Malicious Purposes

January 11, 2024 at 10:53AM GitHub’s widespread usage in IT has made it an attractive option for threat actors to host and deliver malicious content, acting as dead drop resolvers, command-and-control, and data exfiltration points. The platform is used for various malicious activities, including payload delivery and phishing, presenting challenges for traditional security defenses. Recorded …

Vigilant Ops Raises $2 Million for SBOM Management Platform

January 5, 2024 at 05:30AM Vigilant Ops, a cybersecurity startup based in Pittsburgh, Pennsylvania, recently secured a $2 million seed investment from DataTribe. The investment aims to aid organizations in managing software bills of materials through Vigilant Ops’ automated platform. The platform caters to regulated organizations, offering vulnerability monitoring and security patch notifications to ensure …

‘everything’ blocks devs from removing their own npm packages

January 4, 2024 at 04:56AM The npm package registry was flooded with over 3,000 packages during the holidays, leading to the creation of the “everything” package. Installing “everything” results in the download of every npm package, causing storage and performance issues. Authors are unable to remove their packages due to its dependency chain, which has …

CISA Urges Manufacturers to Eliminate Default Passwords to Thwart Cyber Threats

December 18, 2023 at 01:24AM The U.S. CISA stresses eliminating default passwords on internet-exposed systems due to severe risks exploited by Iranian threat actors. Mitigation measures include utilizing unique setup passwords or enabling multi-factor authentication. CISA advises strong passwords, network segregation, and encryption to enhance security. Additionally, recommendations for hardening software supply chains have been …

Cybersecurity Startup, Xeol, Raises $3.2M in Seed Round

December 15, 2023 at 03:03PM Xeol, a New York City-based cybersecurity company, raised $3.2 million in Seed funding led by Shield Capital. With a focus on securing software supply chains, Xeol emphasizes foundational standards like Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA). The company has already signed its first Fortune …

Software & Security: How to Move Supply Chain Security Up the Agenda

December 13, 2023 at 10:07AM After the Log4j incident, there is increased scrutiny on the security of software supply chains. Key stakeholders including the US government, CISA, the EU Commission, the UK’s NCSC, and Japan are collaborating to enhance the utility of software bills of materials (SBOMs). However, challenges lie in implementation, responsibility allocation, and …

New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now

December 12, 2023 at 01:00AM Apache has issued a critical security advisory for a flaw in Struts 2, a Java web application framework, potentially allowing remote code execution. Tracked as CVE-2023-50164, the flaw affects various versions, with patches available for some. No workarounds exist, and upgrades to versions 2.5.33 and 6.3.0.2 or higher are highly …

Over 30% of Log4J apps use a vulnerable version of the library

December 10, 2023 at 10:39AM Around 38% of Apache Log4j applications are still vulnerable to security issues, including the critical Log4Shell flaw (CVE-2021-44228) allowing unauthenticated remote code execution. Despite available patches for over two years, many organizations continue to use insecure versions. It’s recommended that companies scan their environment and develop an emergency upgrade plan …