XZ Trojan highlights software supply chain risk posed by 'sock puppets'

The high-profile compromise of the XZ Utils open-source compression library, disclosed last week, highlights an under-reported threat: social engineering attacks that target open-source package maintainers and other developers to stage software supply chain attacks.
A software supply chain meltdown: What we know about the XZ Trojan

Security experts are sounding alarms about what some are calling the most sophisticated supply chain attack ever carried out on an open source project: a malicious backdoor planted in xz/liblzma (part of the xz-utils package), a popular open source compression tool ...
How CISA’s secure software development attestation form falls short

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the White House’s Office of Management and Budget (OMB) have released their Secure Software Development Attestation Form, a long-anticipated worksheet that asks organizations that sell software and services to the federal government to attest to the security of their wares.
The Cloudflare source code breach: Lessons learned

The high-profile web hosting company Cloudflare said last week that a sophisticated attacker gained access to code repositories used by the company, and made off with sensitive internal code. This was just the latest such attack targeting the firm.
Lessons from the Mercedes-Benz GitHub source code leak

The German automotive giant Mercedes-Benz found itself on the wrong end of a software supply chain incident after RedHunt Labs found a leaked GitHub token belonging to an employee of the carmaker that granted “‘unrestricted’ and ‘unmonitored’” access to the entirety of source code hosted on Mercedes’ internal GitHub Enterprise ...
HPE, Microsoft breach disclosures mark new era of CISO accountability

Disclosures about cybersecurity breaches by Microsoft and Hewlett Packard Enterprise (HPE) underscore the influence of two entities that are reshaping the cybersecurity landscape: the SVR and the SEC, that is, Russia’s Foreign Intelligence Service and the U.S. Securities and Exchange Commission.
A (partial) history of software supply chain attacks

The widespread campaign of software supply chain hacks that were behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the ...
Protestware taps npm to call out wars in Ukraine, Gaza

Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts in Ukraine and on the Gaza Strip when they are deployed, according to research conducted by ReversingLabs. The packages are just the latest examples of so-called “protestware,” a recurrent issue in ...
The art of security chaos engineering

One truism of the cybersecurity world is that attackers have a much easier job than defenders. Malicious cyber actors only need to find a single weak point in the IT armor defending their desired target to gain their foothold. Defenders, on the other hand, need to be perfect: Blocking any ...
6 things you may have missed at Hacker Summer Camp

Tens of thousands of the world’s top cybersecurity pros descended on Las Vegas last week for the annual Hacker Summer Camp, with hundreds of sessions spread over three events. Taking it all in is an impossible task ...