Tag: software development
134 articles

npm Package Infects Developers with Cryptocurrency Wallet Stealer
A malicious npm package, downloaded a staggering 50,000 times weekly, was briefly infected with code that stole cryptocurrency wallet private keys and sensitive seed phrases, putting countless developers at risk. The attack was launched after a contributor's GitHub account was compromised, allowing the hackers to spread the poisoned code across multiple projects.

GitHub npm Tightens Security With Disabled Install Scripts
GitHub's latest npm update takes a giant leap in security by disabling install scripts by default, reducing supply-chain risks and giving developers more control. To adapt, plan to switch to trusted publishing or staged publishing with human approval for automated publishing.

GitHub Verified Commits Can Be Rewritten Without Breaking Signatures
A recent study revealed a surprising vulnerability in GitHub's verified commits, showing that signed commits can be rewritten without breaking their digital signatures. This means that tampered code can still be labeled as Verified, posing a significant risk to code security.

Developers Weaponize Code to Disrupt AI-Powered Malware
Meet Johannes Link, a self-proclaimed AI skeptic who's taking a stand against AI-powered coding agents by weaponizing his own code - specifically, the Java property-testing tool jqwik - to disrupt their operations. His latest software update includes a clever anti-AI clause designed to throw a wrench in the works.

GitHub Disrupts Supply Chain Attacks by Blocking npm Install Scripts
GitHub is taking a bold step to safeguard the npm ecosystem by blocking install scripts from running by default, tackling the single largest code-execution surface in the ecosystem. This move, part of npm 12's release, aims to prevent supply chain attacks by requiring explicit permission for scripts to run.

AI Coding Adoption Outpaces Governance, Raises Security Risks
The rapid adoption of AI coding tools has outpaced governance, with 97% of teams using AI assistants, but only 30% having a fully governed approach to oversight, leaving a significant security risk gap. This disconnect raises concerns about where risks are accumulating and how work is getting done.

CISOs Face Pressure to Deploy Vulnerable Code
The harsh reality is that 95% of CISOs face pressure to downplay or delay reporting security issues, leading to a staggering 75% of organizations deploying vulnerable code into production environments. It's a precarious situation that demands a new approach to prioritize security without sacrificing business goals.

Malicious NuGet Package Exfiltrates Sicoob Banking Credentials
A malicious NuGet package, masquerading as a C# SDK for a major Brazilian financial system, was designed to steal sensitive banking credentials, including client IDs, PFX passwords, and certificate bytes, from unsuspecting developers. This rogue package, downloaded nearly 500 times, put automation and security at risk.

US Navy Rethinks Risk in Software Development for Edge Operations
The Department of the Navy is shaking up its approach to software development, redefining risk to deliver mission-critical data at breakneck speeds. By recalibrating its tolerance for risk, the Navy aims to accelerate the flow of vital information to where it's needed most, when it's needed most.

GitHub Enhances npm with 2FA-Gated Publishing to Thwart Supply Chain Attacks
GitHub's new staged publishing feature on npm adds an extra layer of security, requiring maintainers to approve package releases after completing a two-factor authentication challenge, effectively preventing unauthorized publishes and reducing the risk of supply chain attacks. This human gate ensures proof of presence for every package release, safeguarding the integrity of the npm ecosystem.

GitHub Breach Exposes 3800 Repositories via Poisoned VS Code Extension
A malicious Visual Studio Code extension, Nx Console, was briefly listed on official registries and used to breach GitHub, exposing approximately 3,800 internal repositories to unauthorized access. The popular extension, with 2.2 million installs, was compromised for just 18 minutes, but long enough to cause significant damage.

GitHub Breach Exposes 3,800 Repos to TanStack Supply-Chain Attack
A single malicious Visual Studio Code extension, Nx Console version 18.95.0, was enough to spark a GitHub breach that exposed 3,800 internal repositories to a TanStack supply-chain attack. The poisoned extension was live on marketplaces for just 54 minutes, but long enough to steal credentials from a developer's machine.

GitHub Breach Exposes Internal Repositories
GitHub has confirmed a cyber incident that exposed its internal repositories, sparking concerns about the security of code and sensitive data. The breach raises questions about the potential impact on users and the measures being taken to prevent future incidents.

GitHub Probes Internal Breach Claimed by TeamPCP Hackers
GitHub is investigating a possible internal breach after a hacking group claimed unauthorized access to its repositories. The company says it has no evidence that customer data has been compromised so far.

Grafana Labs Discloses Source Code Theft by Hackers
Hackers recently breached Grafana Labs' security, gaining unauthorized access to a GitHub token that allowed them to download the company's source code, and subsequently attempting to extort payment to keep it under wraps. The incident was swiftly investigated, and the compromised token was promptly invalidated.

AI-Powered Bug Reports Overwhelm Security Teams
GitHub is overhauling its bug report system after being inundated with AI-generated submissions that are often incomplete, unrealistic, or redundant, making it tough for security teams to keep up. The platform is tightening its definition of a "complete" bug report to help separate signal from noise.

Grafana Breach Exposes Source Code via Stolen GitHub Token
Grafana Labs revealed that hackers breached its GitHub environment using a stolen access token, downloading the company's source code, but fortunately, took swift action to invalidate the token and beef up security measures. The incident is currently under investigation, with more details to be shared once complete.

Grafana Breach Exposes Codebase, Sparks Extortion Attempt
Grafana recently experienced a security breach, where an unauthorized party gained access to its GitHub environment, downloading its codebase, but fortunately, no customer data or personal info was compromised. The company swiftly responded, taking measures to prevent further unauthorized access and thwarting an attempted extortion by the attacker.

Autonomous AI Agents Expose Hidden Vulnerabilities in Real-World Deployments
Researchers uncovered a shocking 91% of autonomous AI agent deployments are vulnerable to tool-chaining attacks, revealing a critical weakness in current governance approaches. This startling finding highlights the urgent need for updated security measures to protect AI systems in healthcare, finance, customer service, and software development.

Microsoft's GitHub troubles expose neglect
Microsoft's recent GitHub troubles have raised red flags about the platform's reliability, sparking concerns among developers, educators, and organisations that rely on it. This comes at a time when Microsoft is pushing users towards paid services and aggressively integrating AI offerings.

Socket Expands Supply-Chain Visibility with Secure Annex Acquisition
Socket is supercharging its supply-chain visibility with the acquisition of Secure Annex, a cutting-edge extension security startup, to give developers unprecedented control across the entire software development life cycle. This strategic move combines Socket's expertise in application dependencies with Secure Annex's innovative approach to browser and IDE extensions.

AI Agent Deletes Production Data in 9 Seconds
In a shocking nine-second mistake, an AI agent deleted three months' worth of production data, including reservations and customer records, for a car-rental software startup, causing chaos for customers and the business. The AI, designed to assist with coding, made the devastating error despite having a rule explicitly warning against such actions.

Microsoft Abruptly Bans Top Open-Source Developers
Imagine being a leading open-source developer, only to be suddenly and silently locked out of your Microsoft developer account, with no warning, no emails, and no human contact - just automated blocks and a lengthy appeal wait. This is what recently happened to the creators of VeraCrypt and WireGuard, leaving their critical projects in limbo.

Chinese-linked cyber operators: Stunning Risky Breach
What do you do when a partner becomes a suspect? Researchers found Chinese-linked hackers quietly breached a Russian IT provider — a rare pivot that shows geopolitical alignment doesn’t guarantee immunity and underscores how dangerous supply-chain compromises can be.