Open Source Security Priorities Get a Reshuffle

December 6, 2024 at 10:07AM The latest “Census of Free and Open Source Software” highlights the rising significance of open source components, especially in Python and cloud connectivity. The report emphasizes the need for better funding and maintenance to enhance software security, as reliance on aging, unpaid developers poses sustainability challenges for critical software ecosystems.

XMLRPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

November 28, 2024 at 06:08AM Researchers found a year-long software supply chain attack on the npm package registry involving the malicious package @0xengine/xmlrpc, which harvested sensitive data and mined cryptocurrency. Discovered by Checkmarx, it exploited trust in dependencies. Additionally, ongoing malicious campaigns using counterfeit packages target multiple platforms, including Roblox developers.

PyPI Python Library “aiocpa” Found Exfiltrating Crypto Keys via Telegram Bot

November 25, 2024 at 10:00AM The Python Package Index (PyPI) has quarantined the malicious “aiocpa” package, which was updated to exfiltrate private keys via Telegram. Originally released in September 2024 and downloaded 12,100 times, the malicious code was hidden in an obfuscated script. This incident underscores the need for thorough source code scanning.

Going Beyond Secure by Demand

November 22, 2024 at 12:39PM In June 2017, A.P. Møller – Maersk suffered a severe software attack, attributed to the NotPetya malware from a Ukraine-Russia conflict, causing $10 billion in damages. CISA’s recent Secure by Demand guidance urges buyers to ensure software safety through independent validation and comprehensive analysis, beyond just questionnaires and SBOMs.

Cross-Site Scripting Is 2024’s Most Dangerous Software Weakness

November 21, 2024 at 06:27PM The 2024 Common Weakness Enumeration (CWE) list revealed significant software flaws, emphasizing persistent threats like cross-site scripting and SQL injection. The new ranking methodology considered both severity and frequency. Organizations are urged to prioritize these weaknesses for better software security and to enhance their software supply chains.

Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation

November 11, 2024 at 05:39AM Cybersecurity researchers have identified nearly 24 vulnerabilities in 15 machine learning open-source projects, including Weave and ZenML. These flaws could allow unauthorized access, remote code execution, and escalation of privileges, posing significant risks to ML infrastructure. This discovery follows previous vulnerabilities and the introduction of a new defense framework, Mantis.

BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

October 28, 2024 at 11:36AM In September 2024, three malicious npm packages were discovered containing BeaverTail malware, linked to North Korean campaigns targeting developers. The packages, now removed, included backdoored versions of popular libraries. Ongoing threats exploit the open-source ecosystem, highlighting developers as valuable targets in cyberattacks.

Researchers Reveal ‘Deceptive Delight’ Method to Jailbreak AI Models

October 23, 2024 at 06:36AM Cybersecurity researchers have identified a new technique, “Deceptive Delight,” which exploits large language models (LLMs) during conversations to generate unsafe content. Achieving a 64.6% success rate, it utilizes the model’s limited attention span. To mitigate these risks, effective content filtering and prompt engineering strategies are recommended.

Zero-Day Breach at Rackspace Sparks Vendor Blame Game

October 2, 2024 at 02:00PM The breach at Rackspace highlights software supply chain vulnerability, causing a blame game among vendors over an exploited zero-day. This underscores the importance of supply chain security.

Moving DevOps Security Out of the ‘Stone Age’

September 26, 2024 at 10:45AM Combining software development, operations, and deployment into DevOps teams promises greater efficiency, but also increases the attack surface. Organizations face challenges in securing the entire pipeline, software components, and infrastructure, requiring continuous monitoring and attention to areas such as code quality, open source components, and container security. AI and automation …