Tag: software supply chain
74 articles

Google Links Axios npm Breach to North Korea's UNC1069 Group
Google's threat intelligence team has linked a recent breach of the Axios npm package to UNC1069, a North Korean hacking group motivated by financial gain. This alarming discovery highlights the vulnerability of the software supply chain to state-linked cybercrime.

Axios Hit by Critical Supply Chain Attack
A critical supply chain attack has hit Axios, a popular HTTP client, compromising the integrity of its npm package and raising fresh concerns about the security of our digital infrastructure. Malicious versions of the Axios package were published, injecting a fake dependency that put users at risk.

PyPI Breach: TeamPCP's Alarming Software Supply Chain Attack Uncovered
A shocking new software supply chain attack has been uncovered, putting developers and users on high alert: a malicious package on PyPI, disguised as a legitimate tool, has been delivering credential-stealing malware. Can you trust the software you download?

Malicious PyPI Packages Spread Devastating Malware
Malicious actors have struck again, this time infiltrating the Python Package Index (PyPI) with tainted versions of popular packages Telnyx and LiteLLM, putting developers' sensitive credentials at risk. Can we trust the software supply chain when even seemingly secure systems can be breached?

React2Shell Exclusive: Severe Flaw Added to CISA KEV
CISA just added CVE-2025-55182 — a 10.0 remote-code-execution flaw in React Server Components — to its Known Exploited Vulnerabilities list after reports of active attacks. If your stack uses React Server Components, treat this as an emergency: prioritize patches, mitigations, and threat hunting now.

RSC Bugs: Exclusive Critical RCE Affects React and Next.js
Heads-up: a maximum-severity decoding flaw in React Server Components (CVE-2025-55182, CVSS 10.0) can let unauthenticated attackers execute arbitrary code on servers handling Server Function endpoints. If you use RSCs or Next.js, treat this as critical and patch immediately to protect secrets and access.

Malware Stunningly Evades AI in Critical npm Breach
Think your npm packages are safe? Researchers found a malicious npm package that talks to a remote AI-like controller, adapting at runtime to dodge scanners and quietly steal valuable data.

UK Report: Stunning liability rules could be costly
What if the software that runs hospitals, banks and supply chains could be held legally liable for every flaw? A new UK report urges clearer legal liability to force better security and faster fixes — but warns those protections could be costly, reshape markets and squeeze smaller vendors.

Chrome Extension Exclusive: Malicious Raydium Solana Fees
Think your trading extension has your back? Researchers uncovered Crypto Copilot — a Chrome add-on that stealthily skimmed tiny fees off Raydium Solana swaps to an attacker-controlled wallet, a stark reminder to vet permissions before installing extensions.

North Korean Hackers Exclusive: Dangerous JSON Channels
What if your next dependency quietly pulled a malicious payload from an innocent-looking JSON? North Korean-linked actors are exploiting public JSON storage services like JSON Keeper, JSONsilo, and npoint.io to seed stealthy backdoors into developer supply chains and swap payloads on the fly to evade detection.

Cybercrims Exclusive: Critical .NET Time-Bomb Threat
Imagine a slow-burning digital time bomb hidden in trusted .NET NuGet packages—discovered in 2023, these malicious libraries can stay dormant for years before detonating, forcing a hard rethink of how we trust and protect the software supply chain.

Trojanized ESET Installers Expose Stunning Harmful Backdoor
Think twice before hitting Install — a May 2025 campaign used trojanized ESET installers, convincing fake vendor pages, and targeted spear‑phishing to slip a stealthy backdoor into Ukrainian victims. This attack is a stark reminder that even trusted updates and familiar brands can be weaponized for espionage.

Actively Exploited WSUS Bug: Exclusive Critical KEV Alert
CISA has added the WSUS bug CVE‑2025‑59287 to its KEV Catalog and ordered immediate remediation — federal agencies must patch by Nov 14. If you manage updates, treat this like a flashing red light and fix it now before attackers turn your update server into a backdoor.

Critical WordPress Plugin Bugs Cause Stunning Damage
Three critical WordPress plugin vulnerabilities disclosed in 2024 are already being weaponized in the wild, forcing site owners to weigh immediate patching (and potential downtime) against the very real risk of rapid, widespread compromise. If your site uses plugins, now’s not the time to procrastinate—automated scanners and exploit kits can turn one unpatched flaw into a mass breach within hours.

Vulnerable Rust crate Exclusive: Critical uv Python Flaw
If you use uv Python, take note: a critical flaw in the Rust crate async‑tar was patched in one fork, but the most widely distributed uv build still ships the vulnerable copy. It’s a clear reminder that fixing one fork doesn’t secure an ecosystem built on cloning and convenience.

Self-Replicating Worm Hits 180+ Packages: Exclusive Danger
A fast-spreading self-replicating worm has already infected 180+ packages—our exclusive breakdown reveals how it spreads, who’s at risk, and the quick steps you can take to protect your projects.

18 Popular Code Packages Hacked: Stunning Crypto Theft Risk
Imagine one convincing phishing email letting attackers slip crypto‑stealing code into 18 popular JavaScript packages — collectively downloaded billions of times each week. The breach lays bare how fragile the software supply chain is: a single compromised maintainer can push malicious updates into countless projects and developer environments.

GlassWorm Exclusive: Dangerous VS Code Supply-Chain Attack
Meet GlassWorm: a self‑propagating supply‑chain worm hiding in VS Code extensions (Open VSX and the Microsoft Marketplace) that uses install‑time scripts and stolen CI tokens to publish more malicious packages, turning developer convenience into a fast‑moving attack vector.

self-replicating worm: Shocking, Devastating NPM Breach
Imagine your everyday npm install quietly stealing your keys — researchers traced a self‑replicating worm to at least 187 NPM packages that exfiltrates developer credentials to GitHub each time an infected package is installed. This outbreak shows how fragile the software supply chain is and why immediate credential rotation, strict dependency hygiene, and better package vetting are essential.

malicious npm packages: Stunning Critical Threat Revealed
Researchers uncovered Beamglea — 175 malicious npm packages downloaded about 26,000 times — that quietly hosted credential‑harvesting phishing campaigns against 135+ organizations, a stark reminder that the convenience of open-source packages can become a gateway for large‑scale theft.

consulting GitLab instance: Must-Have Risky Breach Fixes
Red Hat confirmed that an unauthorized party accessed a consulting GitLab instance and exfiltrated data, spotlighting how even non-core environments can expose customers to serious risk. Act now: audit access logs, rotate credentials and secrets, isolate consulting projects, and enforce least-privilege and stronger identity controls to stop lateral attacks.

software supply chain Must-Have Fix for Risky Systems
The OpenSSF warns that the critical infrastructure powering npm, PyPI and other registries is underfunded and increasingly vulnerable—if we don’t invest now, supply‑chain attacks and outages will be far costlier later. It’s time for governments, companies, and the community to share the bill and make the software plumbing resilient.

npm registry Must-Have Fixes Make It Safer
A recent wave of phishing and malware-laced npm packages has pushed GitHub to tighten registry security—introducing mandatory 2FA for popular maintainers, trusted publishing rules, and sweeping takedowns—to stop attackers from slipping malicious updates into countless JavaScript projects. These changes aim to make the ecosystem safer without losing the openness that powers modern development.

cybersecurity executive order: Must-Have Best Guide
The June 6, 2025 cybersecurity executive order sets a clear — and urgent — blueprint for federal CISOs to accelerate zero‑trust, strengthen software supply chains, and tighten incident reporting while juggling legacy systems, budgets and mission continuity. Tune into our podcast briefing for practical steps, expert perspectives, and real-world playbooks to turn the EO from mandate into measurable security.