LottieFiles supply chain attack exposes users to malicious crypto wallet drainer

October 31, 2024 at 08:05AM LottieFiles faced a security breach after a developer account was compromised, leading to malicious code being pushed to users, potentially draining their crypto wallets. The company released a safe version (2.0.8) and assured users that their other services were unaffected. Outside security experts were involved in resolving the incident.

LottieFiles hit in npm supply chain attack targeting users’ crypto

October 31, 2024 at 05:05AM LottieFiles reported malicious code in npm package versions 2.0.5, 2.0.6, and 2.0.7, prompting users to connect cryptocurrency wallets. They released version 2.0.8 to remedy the issue, advising users to upgrade. The malicious activity affected no other services or repositories, while investigations continue into the breach’s impact.

WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

October 15, 2024 at 01:00AM Jetpack has released a security update to fix a critical vulnerability allowing logged-in users to access submitted forms on WordPress sites. The flaw, identified in an internal audit, affects versions since 2016. Jetpack collaborated with WordPress.org to ensure automatic updates. Meanwhile, WP Engine disputes WordPress’s control over its plugins.

Single HTTP Request Can Exploit 6M WordPress Sites

October 8, 2024 at 08:36AM A popular WordPress plug-in, LiteSpeed Cache, containing a cross-site scripting flaw (CVE-2024-47374), has been exploited by attackers, potentially enabling privilege escalation and malicious code installation on affected websites. A simple patch has been issued by Patchstack; administrators should update to the fixed version 6.5.1 immediately to prevent exploitation. After …

If you’re using Polyfill.io code on your site – like 100,000+ are – remove it immediately

June 25, 2024 at 07:58PM The polyfill.io domain, previously used to add JavaScript polyfills to websites, has been found serving malicious code, infecting over 100,000 sites. Security firms warn website owners to remove any embedded code from the domain. Google is blocking affected websites’ ads, and affected site owners are being notified. The domain’s sale …

Polyfill.io JavaScript supply chain attack impacts over 100K sites

June 25, 2024 at 02:12PM The Polyfill.io service, used by over 100,000 sites, was compromised in a supply chain attack after being acquired by a Chinese company, leading to injection of malicious code. Cloudflare and Fastly set up mirrors to mitigate the risk, and Google warned advertisers of the issue impacting landing pages and causing …

TellYouthePass Ransomware Group Exploits Critical PHP Flaw

June 12, 2024 at 11:50AM TellYouThePass, a ransomware group, is targeting businesses and individuals using open source Web development languages, exploiting a critical PHP vulnerability (CVE-2024-4577) for remote code execution. This allows them to execute arbitrary code on vulnerable servers, posing significant risks. They also use various attack techniques and exploit known vulnerabilities such as …

Google Chrome is getting native support for YouTube-like video chapters

May 6, 2024 at 05:49PM Google is introducing a new “Video Chapter” feature to Google Chrome, allowing publishers to add video chapters to embedded videos on websites. This feature, utilizing the MediaMetadata interface for the Media Session API, enables viewers to easily navigate and rewatch specific parts of a video. It will be included in …

New Attack Shows Risks of Browsers Giving Websites Access to GPU

March 18, 2024 at 09:15AM Researchers from Graz University of Technology in Austria and the University of Rennes in France discovered a new graphics processing unit (GPU) attack on popular browsers and graphics cards. By using the WebGPU API, they demonstrated an attack from within a web browser using JavaScript, showing potential risks and implications …

Check if you’re in Google Chrome’s third-party cookie phaseout test

February 3, 2024 at 02:18PM Google is testing the reduction of third-party cookies on Chrome, affecting 1% of users. This change aims to enhance privacy while allowing personalized ads. Users can check if they’re part of the test by looking for an “eye” icon, accessing the Tracking Protection dialog, Chrome DevTools alerts, or by checking for …