Tag: software supply chain
74 articles

Cursor Visual Studio extension: Stunning Risky Flaw
A newly disclosed autorun flaw in the Cursor Visual Studio extension can let a repo run arbitrary code just by opening it—audit your extensions, open untrusted projects in isolated VMs or containers, and update or disable Cursor until it’s patched.

fast-glob Risky Threat: Must-Have Utility Exposed
A tiny but widely used Node.js utility, fast-glob, turns up in dozens of DoD projects and thousands of codebases — and questions about its sole maintainer’s ties to Russia have reignited urgent supply‑chain concerns. Experts urge practical fixes—better governance, inventories, and runtime safeguards—so one small package can’t become a systemic risk.

SBOM minimums Must-Have Best Practices
CISA is revisiting its 2021 SBOM minimums and asking stakeholders for input to strike the right balance between useful, machine-readable inventories that speed vulnerability response and safeguards that prevent sensitive detail from aiding attackers. The update could nudge industry toward interoperable, automatable SBOMs while building practical options for protecting proprietary or security-sensitive information.

Trojanized Go module: Stunning Risky Credential Stealer
A trojanized Go module posing as an SSH testing tool was found quietly exfiltrating successful login IPs, usernames and passwords to a hard‑coded Telegram bot—proof that convenience in open‑source can hide dangerous supply‑chain risks. Audit and pin dependencies, verify modules, and monitor outbound traffic to stop silent credential leaks before they become breaches.

Amazon Q Developer Must-Have Fix for Risky RCE
Amazon quietly patched serious flaws in its Q Developer VS Code extension that could let attackers inject prompts to steal local secrets like API keys or even run remote code. It’s a wake-up call to treat AI-powered IDE tools as high‑risk and lock down privileges.

Kaseya ransomware: Stunning Risky State-Linked Claims
Was the July 2021 Kaseya REvil attack just criminal profit-seeking or something far more dangerous—potentially state-enabled? New evidence presented at DEF CON 33 suggests probable Russian government involvement, a claim that would radically change how governments, businesses, and MSPs respond to future supply-chain cyberattacks.

Secure Software Development: Must-Have Best Practices
Worried about the security of the software we all depend on? Join NIST NCCoE’s interactive DevSecOps virtual event on August 27, 2025, to hear experts, learn practical secure development practices, and help turn security from an afterthought into a foundation for every project.

npm package malware: Must-Have Best Defenses
Think a routine dependency update is harmless? The recent npm malware attack—where phishers stole maintainer tokens to publish malicious versions of five popular packages—proves supply-chain trust can be shattered and why maintainers, consumers, and registries must act now to enforce 2FA, rotate tokens, and verify publish provenance.

npm package security: Must-Have Guide to Risky Breaches
A targeted phishing attack that slipped malicious code into five npm packages shows how easily supply chains can be weaponized. Treat publish tokens like private keys—enable 2FA, rotate credentials, and demand package signing and provenance to stop the next breach.

ZuRu Critical Threat: Exclusive Must-Have Defense
A new ZuRu malware strain is quietly targeting macOS developer machines and toolchains, putting builds, secrets, and the entire software supply chain at risk. Harden workstations, isolate builds, and secure credentials now to prevent a single compromised device from triggering a widespread breach.

North Korean Hackers Spread Malware Loader in Expanding Campaign
North Korean hackers are stealthily spreading a new malware loader through popular npm packages, putting thousands of developers and organizations at risk in a chilling reminder that our digital supply chains are only as secure as their weakest link.

North Korean Hackers Target npm Registry with XORIndex Malware
North Korean hackers have unleashed a new wave of malware on the npm registry, cleverly hiding malicious code in popular JavaScript packages and putting millions of developers at risk—can we still trust the tools that power our software?

Unveiling a Multi-Stage Malware Attack Targeting the Python Package Index
Explore the intricate details of a multi-stage malware attack targeting the Python Package Index, revealing its impact and security implications.

GitLab Resolves Critical Account Takeover and Authentication Vulnerabilities
GitLab patches critical account takeover and authentication vulnerabilities with robust fixes to enhance platform security and user protection.

NCCoE Unveils New Tech Partners for Software Supply Chain and DevOps Security Initiative
NCCoE reveals new tech partners to boost software supply chain security and enhance DevOps defenses, driving industry innovation.

Dangerous npm Packages Disguised as Utilities That Delete Project Directories
Dangerous npm packages masquerade as utilities, but can delete your project directories. Learn how to spot and avoid these risky modules.

Malicious RubyGems pose as Fastlane to steal Telegram API data
Malicious RubyGems masquerading as Fastlane target Telegram API data—stay alert to protect your systems from these deceptive packages.

Reconnaissance Campaign Active on NPM Repository
A reconnaissance campaign on the NPM repository exposes vulnerabilities and drives urgent calls for stronger security protocols.

Trojanized RVTools Fuels SEO Poisoning Campaign with Bumblebee Malware
Trojanized RVTools fuels a malicious SEO poisoning campaign as Bumblebee malware compromises systems and skews search results.

New Malware on PyPI Poses Threat to Open-Source Developers
New malware on PyPI threatens open-source developers by injecting malicious code. Immediate vigilance and security measures are essential.

Deceptive PyPI Package Masquerading as a Solana Tool Pilfers Source Code in 761 Downloads
Deceptive PyPI package masquerading as a Solana tool pilfers source code in 761 downloads, exposing critical vulnerabilities for unsuspecting developers.

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
Malicious npm packages compromise 3,200+ Cursor users with backdoors that steal credentials, revealing critical security vulnerabilities.

Open source text editor poisoned with malware to target Uyghur users
Open-source text editor infected with malware allegedly targets Uyghur users, raising serious security and privacy concerns.

Major Supply Chain Attack: Ripple’s xrpl.js npm Package Compromised to Steal Private Keys
Ripple’s xrpl.js npm package was compromised in a major supply chain attack, leading to the theft of private keys from unsuspecting users.