Rising Tide of Software Supply Chain Attacks: An Urgent Problem

September 12, 2024 at 10:08AM
Software supply chain attacks have become a major concern, with a 180% surge in vulnerability-based breaches in 2023. High-profile attacks like SolarWinds and Okta highlight the significant impact and lingering liabilities. Understanding and mitigating these attacks is crucial, involving processes such as SSCS and continuous code scanning to secure software …

GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

September 6, 2024 at 11:45AM
Threat actors use typosquatting to deceive users into accessing malicious sites or downloading compromised software. They exploit typing errors in open-source repositories like PyPI, npm, and GitHub Actions to introduce supply chain attacks. Cloud security firm Orca’s findings reveal the vulnerability of even trusted platforms like GitHub Actions. Users are …

Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers

September 4, 2024 at 09:18AM
A new supply chain attack technique, Revival Hijack, targets the Python Package Index (PyPI), allowing for hijacking of over 22,000 existing PyPI packages. Attackers can publish malicious packages under the same name and a higher version, posing a significant risk to developers. The attack has already been exploited, emphasizing the …

Software Supply Chain Security Firm Lineaje Raises $20M in Series A Funding

July 30, 2024 at 10:00AM
Lineaje, a software supply chain security management provider, has raised $20 million in a Series A funding round, totaling $27 million in investments. The funding, led by various ventures and investors, will support Lineaje’s global expansion and technological advancement. The Saratoga-based company offers comprehensive governance platforms for software supply chain …

Wanted: A SBOM Standard to Rule Them All

July 23, 2024 at 10:07AM
The SBOM, originally created by NTIA, has transitioned from niche to mandatory for federal agencies and security teams due to the rise in supply chain attacks. However, the current fragmented implementation is hindering its effectiveness. The need for a unified, comprehensive format is crucial to enhance software supply chain security …

Malicious npm Packages Found Using Image Files to Hide Backdoor Code

July 16, 2024 at 06:19AM
Cybersecurity researchers discovered two malicious packages on the npm registry containing backdoor code for executing commands from a remote server. The packages, disguised as legitimate libraries, were taken down after being downloaded 190 and 48 times. The code was designed to execute disguised command and control functionality hidden in image …

Lineaje Awarded Contract by the Department of the US Air Force

July 12, 2024 at 05:26PM
Lineaje’s SBOM360 was selected for a U.S. Air Force STTR Phase 1 contract, aiming to automate detection and remediation of software supply chain challenges and enhance cybersecurity. SBOM360 supports full life-cycle management of software, enabling the Air Force to identify and remediate threats, comply with security policies, and reduce discovery time for …

Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

July 1, 2024 at 10:23AM
A popular dependency manager for Apple apps, CocoaPods, has been exposed to serious vulnerabilities for years. This poses a significant risk to the security of over three million apps, including major ones like Instagram and Uber. The platform’s flaws, discovered by E.V.A Information Security, include critical remote code execution opportunities …

Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

June 25, 2024 at 12:03AM
Several WordPress plugins have been compromised and backdoored to inject malicious code, allowing creation of rogue administrator accounts and unauthorized actions on affected websites. The injected malware aims to create new admin accounts and inject malicious JavaScript for SEO spam. Users are advised to check for suspicious accounts and malicious …

Meta and SQL Server make strange bedfellows on a couch of cyber-pain

June 24, 2024 at 04:38AM
The IT world’s diverse issues converge on the importance of software and services supply chain integrity. Despite its critical role, end-of-life database software receives inadequate attention, contrasting with the prominent AI and cybercrime coverage. Parallels are drawn with the food standards regulatory system, advocating for a similar approach to software …