Skip to main content

Tag: software supply chain

74 articles

Cursor Visual Studio extension: Stunning Risky Flaw

Cursor Visual Studio extension: Stunning Risky Flaw

A newly disclosed autorun flaw in the Cursor Visual Studio extension can let a repo run arbitrary code just by opening it—audit your extensions, open untrusted projects in isolated VMs or containers, and update or disable Cursor until it’s patched.

Analyst 207
fast-glob Risky Threat: Must-Have Utility Exposed

fast-glob Risky Threat: Must-Have Utility Exposed

A tiny but widely used Node.js utility, fast-glob, turns up in dozens of DoD projects and thousands of codebases — and questions about its sole maintainer’s ties to Russia have reignited urgent supply‑chain concerns. Experts urge practical fixes—better governance, inventories, and runtime safeguards—so one small package can’t become a systemic risk.

Analyst 207
SBOM minimums Must-Have Best Practices

SBOM minimums Must-Have Best Practices

CISA is revisiting its 2021 SBOM minimums and asking stakeholders for input to strike the right balance between useful, machine-readable inventories that speed vulnerability response and safeguards that prevent sensitive detail from aiding attackers. The update could nudge industry toward interoperable, automatable SBOMs while building practical options for protecting proprietary or security-sensitive information.

Analyst 207
Trojanized Go module: Stunning Risky Credential Stealer

Trojanized Go module: Stunning Risky Credential Stealer

A trojanized Go module posing as an SSH testing tool was found quietly exfiltrating successful login IPs, usernames and passwords to a hard‑coded Telegram bot—proof that convenience in open‑source can hide dangerous supply‑chain risks. Audit and pin dependencies, verify modules, and monitor outbound traffic to stop silent credential leaks before they become breaches.

Analyst 207
Amazon Q Developer Must-Have Fix for Risky RCE

Amazon Q Developer Must-Have Fix for Risky RCE

Amazon quietly patched serious flaws in its Q Developer VS Code extension that could let attackers inject prompts to steal local secrets like API keys or even run remote code. It’s a wake-up call to treat AI-powered IDE tools as high‑risk and lock down privileges.

Analyst 207
Kaseya ransomware: Stunning Risky State-Linked Claims

Kaseya ransomware: Stunning Risky State-Linked Claims

Was the July 2021 Kaseya REvil attack just criminal profit-seeking or something far more dangerous—potentially state-enabled? New evidence presented at DEF CON 33 suggests probable Russian government involvement, a claim that would radically change how governments, businesses, and MSPs respond to future supply-chain cyberattacks.

Analyst 207
Secure Software Development: Must-Have Best Practices

Secure Software Development: Must-Have Best Practices

Worried about the security of the software we all depend on? Join NIST NCCoE’s interactive DevSecOps virtual event on August 27, 2025, to hear experts, learn practical secure development practices, and help turn security from an afterthought into a foundation for every project.

Analyst 207
npm package malware: Must-Have Best Defenses

npm package malware: Must-Have Best Defenses

Think a routine dependency update is harmless? The recent npm malware attack—where phishers stole maintainer tokens to publish malicious versions of five popular packages—proves supply-chain trust can be shattered and why maintainers, consumers, and registries must act now to enforce 2FA, rotate tokens, and verify publish provenance.

Analyst 207
npm package security: Must-Have Guide to Risky Breaches

npm package security: Must-Have Guide to Risky Breaches

A targeted phishing attack that slipped malicious code into five npm packages shows how easily supply chains can be weaponized. Treat publish tokens like private keys—enable 2FA, rotate credentials, and demand package signing and provenance to stop the next breach.

Analyst 207
ZuRu Critical Threat: Exclusive Must-Have Defense

ZuRu Critical Threat: Exclusive Must-Have Defense

A new ZuRu malware strain is quietly targeting macOS developer machines and toolchains, putting builds, secrets, and the entire software supply chain at risk. Harden workstations, isolate builds, and secure credentials now to prevent a single compromised device from triggering a widespread breach.

Analyst 207
North Korean Hackers Spread Malware Loader in Expanding Campaign

North Korean Hackers Spread Malware Loader in Expanding Campaign

North Korean hackers are stealthily spreading a new malware loader through popular npm packages, putting thousands of developers and organizations at risk in a chilling reminder that our digital supply chains are only as secure as their weakest link.

Analyst 207
North Korean Hackers Target npm Registry with XORIndex Malware

North Korean Hackers Target npm Registry with XORIndex Malware

North Korean hackers have unleashed a new wave of malware on the npm registry, cleverly hiding malicious code in popular JavaScript packages and putting millions of developers at risk—can we still trust the tools that power our software?

Analyst 207
Unveiling a Multi-Stage Malware Attack Targeting the Python Package Index

Unveiling a Multi-Stage Malware Attack Targeting the Python Package Index

Explore the intricate details of a multi-stage malware attack targeting the Python Package Index, revealing its impact and security implications.

Analyst 207
GitLab Resolves Critical Account Takeover and Authentication Vulnerabilities

GitLab Resolves Critical Account Takeover and Authentication Vulnerabilities

GitLab patches critical account takeover and authentication vulnerabilities with robust fixes to enhance platform security and user protection.

Analyst 207
NCCoE Unveils New Tech Partners for Software Supply Chain and DevOps Security Initiative

NCCoE Unveils New Tech Partners for Software Supply Chain and DevOps Security Initiative

NCCoE reveals new tech partners to boost software supply chain security and enhance DevOps defenses, driving industry innovation.

Analyst 207
Dangerous npm Packages Disguised as Utilities That Delete Project Directories

Dangerous npm Packages Disguised as Utilities That Delete Project Directories

Dangerous npm packages masquerade as utilities, but can delete your project directories. Learn how to spot and avoid these risky modules.

Analyst 207
Malicious RubyGems pose as Fastlane to steal Telegram API data

Malicious RubyGems pose as Fastlane to steal Telegram API data

Malicious RubyGems masquerading as Fastlane target Telegram API data—stay alert to protect your systems from these deceptive packages.

Analyst 207
Reconnaissance Campaign Active on NPM Repository

Reconnaissance Campaign Active on NPM Repository

A reconnaissance campaign on the NPM repository exposes vulnerabilities and drives urgent calls for stronger security protocols.

Analyst 207
Trojanized RVTools Fuels SEO Poisoning Campaign with Bumblebee Malware

Trojanized RVTools Fuels SEO Poisoning Campaign with Bumblebee Malware

Trojanized RVTools fuels a malicious SEO poisoning campaign as Bumblebee malware compromises systems and skews search results.

Analyst 207
New Malware on PyPI Poses Threat to Open-Source Developers

New Malware on PyPI Poses Threat to Open-Source Developers

New malware on PyPI threatens open-source developers by injecting malicious code. Immediate vigilance and security measures are essential.

Analyst 207
Deceptive PyPI Package Masquerading as a Solana Tool Pilfers Source Code in 761 Downloads

Deceptive PyPI Package Masquerading as a Solana Tool Pilfers Source Code in 761 Downloads

Deceptive PyPI package masquerading as a Solana tool pilfers source code in 761 downloads, exposing critical vulnerabilities for unsuspecting developers.

Analyst 207
Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials

Malicious npm packages compromise 3,200+ Cursor users with backdoors that steal credentials, revealing critical security vulnerabilities.

Analyst 207
Open source text editor poisoned with malware to target Uyghur users

Open source text editor poisoned with malware to target Uyghur users

Open-source text editor infected with malware allegedly targets Uyghur users, raising serious security and privacy concerns.

Analyst 207
Major Supply Chain Attack: Ripple’s xrpl.js npm Package Compromised to Steal Private Keys

Major Supply Chain Attack: Ripple’s xrpl.js npm Package Compromised to Steal Private Keys

Ripple’s xrpl.js npm package was compromised in a major supply chain attack, leading to the theft of private keys from unsuspecting users.

Analyst 207