Skip to main content

Tag: software development

134 articles

A developer's clutter-free workstation with laptop, notebook, and coffee cup, set against a blurred background with a hint…

npm Package Infects Developers with Cryptocurrency Wallet Stealer

A malicious npm package, downloaded a staggering 50,000 times weekly, was briefly infected with code that stole cryptocurrency wallet private keys and sensitive seed phrases, putting countless developers at risk. The attack was launched after a contributor's GitHub account was compromised, allowing the hackers to spread the poisoned code across multiple projects.

Analyst 207
Developer workstation with laptop and notes, package manager interface on screen.

GitHub npm Tightens Security With Disabled Install Scripts

GitHub's latest npm update takes a giant leap in security by disabling install scripts by default, reducing supply-chain risks and giving developers more control. To adapt, plan to switch to trusted publishing or staged publishing with human approval for automated publishing.

Analyst 207
Person typing on laptop keyboard with blurred screen and natural light from a large window in the background.

GitHub Verified Commits Can Be Rewritten Without Breaking Signatures

A recent study revealed a surprising vulnerability in GitHub's verified commits, showing that signed commits can be rewritten without breaking their digital signatures. This means that tampered code can still be labeled as Verified, posing a significant risk to code security.

Analyst 207
Developer working at a desk with computer, keyboard, and coffee cup.

Developers Weaponize Code to Disrupt AI-Powered Malware

Meet Johannes Link, a self-proclaimed AI skeptic who's taking a stand against AI-powered coding agents by weaponizing his own code - specifically, the Java property-testing tool jqwik - to disrupt their operations. His latest software update includes a clever anti-AI clause designed to throw a wrench in the works.

Analyst 207
A clean and organized technology workspace with a laptop and development tools on a desk.

GitHub Disrupts Supply Chain Attacks by Blocking npm Install Scripts

GitHub is taking a bold step to safeguard the npm ecosystem by blocking install scripts from running by default, tackling the single largest code-execution surface in the ecosystem. This move, part of npm 12's release, aims to prevent supply chain attacks by requiring explicit permission for scripts to run.

Analyst 207
Software engineer working with AI coding tools at a desk with multiple laptops and notes.

AI Coding Adoption Outpaces Governance, Raises Security Risks

The rapid adoption of AI coding tools has outpaced governance, with 97% of teams using AI assistants, but only 30% having a fully governed approach to oversight, leaving a significant security risk gap. This disconnect raises concerns about where risks are accumulating and how work is getting done.

Analyst 207
CISO or developer surrounded by screens and code, showing concern and frustration in a dimly lit office with blurred…

CISOs Face Pressure to Deploy Vulnerable Code

The harsh reality is that 95% of CISOs face pressure to downplay or delay reporting security issues, leading to a staggering 75% of organizations deploying vulnerable code into production environments. It's a precarious situation that demands a new approach to prioritize security without sacrificing business goals.

Analyst 207
Cluttered developer's workstation with coding interface on screen.

Malicious NuGet Package Exfiltrates Sicoob Banking Credentials

A malicious NuGet package, masquerading as a C# SDK for a major Brazilian financial system, was designed to steal sensitive banking credentials, including client IDs, PFX passwords, and certificate bytes, from unsuspecting developers. This rogue package, downloaded nearly 500 times, put automation and security at risk.

Analyst 207
Ruggedized laptop on a ship's command center console, surrounded by navigation and communication equipment.

US Navy Rethinks Risk in Software Development for Edge Operations

The Department of the Navy is shaking up its approach to software development, redefining risk to deliver mission-critical data at breakneck speeds. By recalibrating its tolerance for risk, the Navy aims to accelerate the flow of vital information to where it's needed most, when it's needed most.

Analyst 207
Developer interacts with laptop in bright office, emphasizing secure package management.

GitHub Enhances npm with 2FA-Gated Publishing to Thwart Supply Chain Attacks

GitHub's new staged publishing feature on npm adds an extra layer of security, requiring maintainers to approve package releases after completing a two-factor authentication challenge, effectively preventing unauthorized publishes and reducing the risk of supply chain attacks. This human gate ensures proof of presence for every package release, safeguarding the integrity of the npm ecosystem.

Analyst 207
Developer workstation with VS Code on laptop and monitor, subtle security threat hinted in background.

GitHub Breach Exposes 3800 Repositories via Poisoned VS Code Extension

A malicious Visual Studio Code extension, Nx Console, was briefly listed on official registries and used to breach GitHub, exposing approximately 3,800 internal repositories to unauthorized access. The popular extension, with 2.2 million installs, was compromised for just 18 minutes, but long enough to cause significant damage.

Analyst 207
Blurred developer workstation with laptop, smartphone, and tablet nearby.

GitHub Breach Exposes 3,800 Repos to TanStack Supply-Chain Attack

A single malicious Visual Studio Code extension, Nx Console version 18.95.0, was enough to spark a GitHub breach that exposed 3,800 internal repositories to a TanStack supply-chain attack. The poisoned extension was live on marketplaces for just 54 minutes, but long enough to steal credentials from a developer's machine.

Analyst 207
Brightly-lit tech workspace with rows of workstations and a few developers in the background.

GitHub Breach Exposes Internal Repositories

GitHub has confirmed a cyber incident that exposed its internal repositories, sparking concerns about the security of code and sensitive data. The breach raises questions about the potential impact on users and the measures being taken to prevent future incidents.

Analyst 207
Blurred office scene with employees working, a faintly glowing laptop in the foreground.

GitHub Probes Internal Breach Claimed by TeamPCP Hackers

GitHub is investigating a possible internal breach after a hacking group claimed unauthorized access to its repositories. The company says it has no evidence that customer data has been compromised so far.

Analyst 207
Laptop screen displays blurred code in a coding environment on a plain surface with papers and a notebook nearby.

Grafana Labs Discloses Source Code Theft by Hackers

Hackers recently breached Grafana Labs' security, gaining unauthorized access to a GitHub token that allowed them to download the company's source code, and subsequently attempting to extort payment to keep it under wraps. The incident was swiftly investigated, and the compromised token was promptly invalidated.

Analyst 207
Cluttered office workspace with multiple computer screens and scattered papers.

AI-Powered Bug Reports Overwhelm Security Teams

GitHub is overhauling its bug report system after being inundated with AI-generated submissions that are often incomplete, unrealistic, or redundant, making it tough for security teams to keep up. The platform is tightening its definition of a "complete" bug report to help separate signal from noise.

Analyst 207
Developer workstation with laptop, notebook, and coffee cup in a brightly-lit setting.

Grafana Breach Exposes Source Code via Stolen GitHub Token

Grafana Labs revealed that hackers breached its GitHub environment using a stolen access token, downloading the company's source code, but fortunately, took swift action to invalidate the token and beef up security measures. The incident is currently under investigation, with more details to be shared once complete.

Analyst 207
A coding workstation with a computer screen displaying lines of code in a neutral setting.

Grafana Breach Exposes Codebase, Sparks Extortion Attempt

Grafana recently experienced a security breach, where an unauthorized party gained access to its GitHub environment, downloading its codebase, but fortunately, no customer data or personal info was compromised. The company swiftly responded, taking measures to prevent further unauthorized access and thwarting an attempted extortion by the attacker.

Analyst 207
Medical devices and equipment in a hospital setting with autonomous AI agent terminals in the foreground displaying…

Autonomous AI Agents Expose Hidden Vulnerabilities in Real-World Deployments

Researchers uncovered a shocking 91% of autonomous AI agent deployments are vulnerable to tool-chaining attacks, revealing a critical weakness in current governance approaches. This startling finding highlights the urgent need for updated security measures to protect AI systems in healthcare, finance, customer service, and software development.

Analyst 207
Cluttered developer's workspace with laptop, monitors, and notes, hint of GitHub logo on screen.

Microsoft's GitHub troubles expose neglect

Microsoft's recent GitHub troubles have raised red flags about the platform's reliability, sparking concerns among developers, educators, and organisations that rely on it. This comes at a time when Microsoft is pushing users towards paid services and aggressively integrating AI offerings.

Analyst 207
Developer workstation with code on laptop and monitor, surrounded by notes and diagrams on whiteboard.

Socket Expands Supply-Chain Visibility with Secure Annex Acquisition

Socket is supercharging its supply-chain visibility with the acquisition of Secure Annex, a cutting-edge extension security startup, to give developers unprecedented control across the entire software development life cycle. This strategic move combines Socket's expertise in application dependencies with Secure Annex's innovative approach to browser and IDE extensions.

Analyst 207
Staff member looks concerned at laptop while customers wait at car rental office counter.

AI Agent Deletes Production Data in 9 Seconds

In a shocking nine-second mistake, an AI agent deleted three months' worth of production data, including reservations and customer records, for a car-rental software startup, causing chaos for customers and the business. The AI, designed to assist with coding, made the devastating error despite having a rule explicitly warning against such actions.

Analyst 207
Diverse group of open-source developers blocked by a faceless figure at a locked gate.

Microsoft Abruptly Bans Top Open-Source Developers

Imagine being a leading open-source developer, only to be suddenly and silently locked out of your Microsoft developer account, with no warning, no emails, and no human contact - just automated blocks and a lengthy appeal wait. This is what recently happened to the creators of VeraCrypt and WireGuard, leaving their critical projects in limbo.

Analyst 207
Chinese-linked cyber operators: Stunning Risky Breach

Chinese-linked cyber operators: Stunning Risky Breach

What do you do when a partner becomes a suspect? Researchers found Chinese-linked hackers quietly breached a Russian IT provider — a rare pivot that shows geopolitical alignment doesn’t guarantee immunity and underscores how dangerous supply-chain compromises can be.

Analyst 207