CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma

As sure as long weekends arrive in the western world, so too does news of new supply chain attacks. The Easter bank holidays were no exception, with the discovery of a targeted attack against the popular XZ compression utility, which ships in many Linux distributions such as Fedora and Debian, to name ...
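As an added practical check (not part of the original post or of the XZ project): a POSIX shell triage script for CVE-2024-3094. It assumes, from the public advisory rather than from this page, that the backdoored upstream releases are XZ Utils 5.6.0 and 5.6.1 and that the trojaned liblzma is reached through sshd on systems where sshd links liblzma (typically via libsystemd). The helpers take command output as text so they can be exercised on constructed samples; distribution packages may carry patched 5.6.x builds, so a hit means "investigate", not "compromised".

```shell
#!/bin/sh
# Added example, not code from the original post. Assumption (public advisory, not this page):
# backdoored upstream releases are XZ Utils 5.6.0 and 5.6.1; the payload is reachable via
# sshd when sshd loads liblzma (usually through libsystemd).

# Extract the version number from `xz --version` output, e.g. "xz (XZ Utils) 5.6.1".
# Only the first line is considered; the second line reports the liblzma version.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version string is one of the known-backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) when an `ldd` listing shows liblzma being loaded into the binary.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the live system. Every command that may fail is guarded so the
# script behaves under `set -e`.
triage_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)") || ver=""
        if xz_version_affected "$ver"; then
            echo "xz $ver is a backdoored upstream release (CVE-2024-3094): investigate"
        else
            echo "xz ${ver:-unknown} is not a known-backdoored release"
        fi
    else
        echo "xz not found on PATH"
    fi

    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=""
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ]; then
        libs=$(ldd "$sshd_path" 2>/dev/null) || libs=""
        if ldd_links_liblzma "$libs"; then
            echo "$sshd_path loads liblzma: the backdoor hook is reachable if liblzma is trojaned"
        else
            echo "$sshd_path does not load liblzma"
        fi
    fi
}

triage_host
```

The version helper is deliberately separate from the live check so the same logic can be pointed at `xz --version` output collected from a fleet (for example, from a configuration management run) instead of only the local host.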
Secure Software Development Attestation Form: Sonatype helps you comply

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) unveiled the final version of the Secure Software Development Attestation Form. This pivotal document, two years in the making, is set to transform the enforcement of minimum security standards for software ...
Struts2 CVE-2023-50164 by the numbers

Over the past few years, a not-so-great holiday season tradition has been critical security vulnerabilities that come out at the last minute, prompting action and fast responses at a time when resources on the defending side are thin ...
Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack

Earlier today, Ledger, a maker of hardware wallets for storing crypto, announced that they had identified malicious software embedded in one of their open source packages, @ledgerhq/connect-kit. This package is widely used as a connector between distributed blockchain applications and the crypto wallets that back them. This analysis delves ...

A New OpenSSL Vulnerability Is Coming – Get Ready to Patch

On Tuesday, 1 November, between 1 and 5 pm UTC, a new version of the widely adopted OpenSSL 3.x series will be released for general consumption. The OpenSSL project announced this on their mailing list and on Twitter, also revealing the existence of a new CRITICAL security vulnerability that this patch fixes ...

Weaponizing Open Source Through Job Recruiting

Over the last week, troubling new reports have arisen about state-sponsored threat actors leveraging modified open source applications to compromise employees' machines at technology companies, governments, and non-profit organizations. Microsoft, Mandiant, and Ars Technica all covered the technicalities of the attack type, where bad actors pose as recruiters who target ...

Spring4Shell – by the numbers

Over the last few months, following the scramble that was Log4j, I have been asking folks I meet "what if another critical vulnerability was announced tomorrow? What would you do differently?" Well, last Wednesday, we got a reminder that new security vulnerabilities can and do appear ...
New Spring Framework RCE Vulnerability Confirmed (Springshell) - What You Need to Know

Early Wednesday morning (GMT), unconfirmed reports began to appear on the internet about a new remote code execution flaw that affects Spring Core. This vulnerability, dubbed "Springshell" by some in the community, is a new, previously unknown security vulnerability. NOTE: A separate Spring vulnerability CVE-2021-22963 (High) disclosed a few ...