New Scoring System Helps Secure the Open Source AI Model Supply Chain

October 24, 2024 at 06:09AM AI models from Hugging Face may harbor hidden issues similar to open-source software from platforms like GitHub. A new scoring system has been introduced to enhance the security of the open-source AI model supply chain. This aims to address potential vulnerabilities in AI models.

New PondRAT Malware Hidden in Python Packages Targets Software Developers

September 23, 2024 at 03:30AM Threat actors linked to North Korea have been using poisoned Python packages to distribute a new malware called PondRAT, part of an ongoing campaign. The attacks are part of an operation known as Operation Dream Job and aim to compromise supply chain vendors and their customers. The attackers have been …

Chainguard Raises $140 Million, Expands Tech to Secure AI Workloads

July 25, 2024 at 12:45PM Chainguard, a software supply chain security startup, raised $140 million in a new financing round, reaching a valuation in excess of $1 billion. The company, founded by ex-Google engineers, has raised a total of $256 million since its launch in late 2021. The funding will be used to expand into …

Judge Dismisses Major SEC Charges Against SolarWinds and CISO 

July 19, 2024 at 05:30PM The SEC lawsuit against SolarWinds and CISO Timothy Brown, accused of concealing security issues pre and post SUNBURST breach, has been dismissed by a judge. This outcome signifies a significant development in the legal proceedings.

Defending OT Requires Agility, Proactive Controls

July 17, 2024 at 04:35AM Hackers with ties to the Chinese government have gained access to US critical infrastructure, transitioning from espionage to potentially compromising or destroying infrastructure via operational technology. Recent attacks on maritime and water systems signal the need for increased OT security. Three key steps include converging IT and OT security, developing …

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

July 1, 2024 at 01:18PM Security flaws in CocoaPods were discovered, allowing attackers to hijack and insert malicious code into popular iOS and macOS applications, posing serious supply chain risks. The vulnerabilities were patched in October 2023, but the issues stemmed from a 2014 migration, leading to unclaimed pods and flawed verification processes. Downstream customers …

Polyfill.io owner punches back at ‘malicious defamation’ amid domain shutdown

June 27, 2024 at 11:56PM After its website shutdown, Polyfill.io’s owner battles accusations of distributing suspicious code on various websites. Anger-fueled social media posts target CDN titan Cloudflare and media for “malicious defamation.” Experts and a domain registrar warn of supply chain risks. The site has relocated to polyfill[.]com. Cloudflare also launches a JavaScript URL …

Unpacking 2024’s SaaS Threat Predictions

June 5, 2024 at 07:54AM Wing Security’s 2024 SaaS Security Report identified emergent threats and best practices for SaaS security. The report’s predictions have already manifested halfway through the year. Breach frequency is rising, demanding timelier threat alerts. Notably, Shadow AI, Supply Chain, Credential Access, and MFA Bypassing threats were outlined, all combatable with Automated …

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

June 3, 2024 at 10:25AM Cybersecurity researchers found a suspicious package in the npm registry called glup-debugger-log, disguised as a toolkit logger. It has been downloaded 175 times and contains obfuscated files deploying a remote access trojan. The package uses a series of checks before launching a JavaScript file for persistence and executing arbitrary commands. …

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

May 1, 2024 at 12:02AM The 2024 Data Breach Investigations Report by Verizon Business reveals that 14% of data breaches in 2023 stemmed from security bugs, demonstrating a 180% increase in exploitation. The MOVEit software breach contributed significantly to this trend, impacting various industries. The report emphasizes the urgent need for organizations to strengthen their …