Tag: supply chain
500 articles

AI-Assisted Bug Hunt Exposes High-Severity GitHub Flaw
In a thrilling example of AI-powered detective work, a team of researchers uncovered a high-severity flaw in GitHub's infrastructure, dubbed CVE-2026-3854, which could have allowed hackers to access private repositories with just one command. The researchers cracked the code in under 48 hours, and GitHub swiftly patched the issue within six hours of disclosure.

GitHub swiftly patches flaw exposing millions of private repos
GitHub quickly squashed a massive security flaw, CVE-2026-3854, that could have let hackers access millions of private repositories with just one sneaky git push. The vulnerability allowed attackers to inject malicious code by exploiting how GitHub handled user-supplied options during git push operations.

GoDaddy Domain Transfer Exposes Non-Profit to Security Risks
A shocking security breach occurred when a 27-year-old domain was transferred from a GoDaddy account to another customer without any authentication checks, putting a non-profit at risk. The alarming transfer was completed in just four minutes, raising serious concerns about GoDaddy's domain transfer process.

Healthcare Sector Grapples with Rising Medical Device Cyberattacks
A staggering one in four healthcare organizations have fallen victim to cyberattacks that compromised their medical devices in the past year, posing a significant threat to patient care. This alarming trend highlights a pressing need for robust medical device cybersecurity measures to prevent delayed treatments and critical care interruptions.

ClawHub Skills Co-opt AI Agents in Secret Crypto Mining Operation
Meet ClawSwarm, a mysterious crypto mining operation that masquerades as a collection of harmless OpenClaw skills, with 9,800 downloads and counting. Researchers uncovered thirty suspicious skills published by a single user, "imaflytok", on ClawHub, a registry and marketplace for OpenClaw skills.

LiteLLM SQL Flaw Exploited 36 Hours After Disclosure
A critical SQL injection flaw, CVE-2026-42208, was exploited just 36 hours after its disclosure, putting vulnerable LiteLLM versions at risk of unauthorized database access. The bug, with a CVSS score of 9.3, allows unauthenticated callers to reach a vulnerable database query through the proxy's error-handling path.

Australia Urged to Establish Northern Hybrid Zone to Bolster Economic Security
Australia can supercharge its economic security by creating a Northern Hybrid Zone, turning its abundant resources into a powerful engine for growth. By following the 4,000-acre US-Philippines precedent, Australia can anchor its supply chains, concentrate infrastructure, and embed resilience.

Navy Seeks New Entrants to Bolster Munitions, Shipbuilding
The Navy is calling on industry partners to join forces and develop cutting-edge solutions for munitions and shipbuilding, with Acting Secretary Hung Cao making a passionate appeal for collaboration that can literally save lives. By working together, these new partnerships can bring innovative ideas to the table and make a life-or-death difference for our service members and their families.

Hackers Exploit LiteLLM SQL Flaw for Sensitive Data Access
Within just 36 hours of being publicly disclosed, a critical SQL injection flaw in LiteLLM, known as CVE-2026-42208, was actively exploited by hackers, allowing them to access sensitive data without authentication. This alarming vulnerability highlights the importance of swift patching, with LiteLLM version 1.83.7 now available to fix the issue.

Russia Targets Signal Users in Germany with Social Engineering Hacks
Stay vigilant, especially when it comes to trusted messaging apps like Signal - a recent wave of social-engineering attacks in Germany targeted government officials, exploiting user trust rather than any technical flaw. Signal has assured users that its encryption and infrastructure remain secure, but warns that these types of attacks can still compromise user safety.

Vect Ransomware Exposed as Data Wiper, Not Recovery Tool
Meet Vect, a so-called ransomware that's actually a data wiper, making full recovery impossible - even for the attackers themselves. This destructive malware permanently destroys files larger than 128KB, rendering it useless for data recovery and a serious threat to enterprise assets.

GitHub Flaw Exposes Remote Code Execution to Authenticated Users
A single git push command was all it took to exploit a flaw in GitHub's internal protocol, allowing authenticated users to execute code on backend infrastructure. This shocking vulnerability, tracked as CVE-2026-3854, highlights the potential for devastating remote code execution attacks.

Vimeo Breach Exposes User Data After Anodot Hack
Vimeo users, be aware: a recent data breach at analytics company Anodot exposed some of your personal info, including video titles, metadata, and in some cases, email addresses. Fortunately, uploaded video content, account credentials, and payment card info remain safe.

UK lawmakers warn AUKUS submarine program faces delays over investment shortcomings
UK lawmakers are sounding the alarm that the AUKUS submarine program is at risk of delays due to insufficient investment in upgrading the BAE Systems shipyard in Barrow, England, where the submarines will be built. If upgrades continue to slip, it could have serious consequences for UK national security and damage credibility with AUKUS partners.

US Urged to Block AI Chip Exports to China Amid Distillation Threats
To stay ahead of adversaries, the US must restrict their access to advanced AI chips - a crucial step in preventing them from replicating the capabilities of American AI models. Blocking exports of these chips to China is a vital move, experts warn.

Checkmarx GitHub Data Leaked by LAPSUS$ Hackers
Checkmarx confirmed that hackers from the LAPSUS$ group breached its GitHub repository on March 23, 2026, and published stolen data on April 22, after a series of supply-chain and credential-theft events. The attackers used the access to publish malicious code to certain artifacts, compromising the integrity of Checkmarx's software development process.

China's Silk Typhoon Hacker Extradited to US Over COVID Cyberattacks
A Chinese hacker, Xu Zewei, has been extradited to the US from Italy for masterminding a series of devastating cyberattacks on US universities, immunologists, and virologists working on COVID-19 vaccines, treatments, and testing between 2020 and 2021. He faces charges of wire fraud and conspiracy for his role in the attacks.

US Charges Chinese National in Silk Typhoon Cyber Attacks
A Chinese national, Xu Zewei, has been extradited to the US from Italy to face charges for his alleged role in the notorious HAFNIUM cyber attacks, a vast intrusion campaign that compromised over 12,700 US organizations. Xu's appearance in a US court marks a significant step in holding him accountable for his actions.

Supply-Chain Attack Targets Security, Dev Tools with Credential Theft
Malicious hackers are exploiting the very tools developers rely on, including security scanners and password managers, to steal sensitive credentials and gain unauthorized access. This latest supply-chain attack has already hit major players like Checkmarx, compromising their GitHub repository and potentially putting customer data at risk.

Ex-DOD Leaders Challenge Pentagon's Anthropic Designation as Illegal
Former national security officials are challenging the Pentagon's designation of Anthropic as a supply-chain risk, calling it a politically motivated move that's legally flawed and actually undermines national security. They argue that the designation was a misuse of authorities meant to address genuine threats, rather than a legitimate national security concern.

GlassWorm Malware Resurfaces Through 73 OpenVSX Extensions
Researchers at Socket have uncovered a sneaky new wave of GlassWorm malware, this time hiding in 73 OpenVSX extensions that behave like sleepers - seemingly harmless at first, but turning malicious after a stealthy update. Six of these extensions have already been activated, unleashing malware on unsuspecting developers.

North Korean Hackers Exploit Fake Zoom Meetings to Target Crypto Executives
North Korean hackers are using a sneaky tactic to target crypto executives: they pose as legitimate meeting attendees, harvesting video and audio to make future scams more convincing. They start by sending Calendly invites for fake catch-up meetings, then swap the link with a fake Zoom or Teams URL to gain their victim's trust.

Medtronic, Itron Disclose Breaches by Digital Intruders
Itron sprang into action after detecting an unauthorized break-in on April 13, swiftly notifying law enforcement, and working with cybersecurity experts to investigate and remediate the breach. The company has since confirmed that it has prevented any further unauthorized activity within its corporate systems.

Checkmarx Breach Exposes GitHub Repository Data on Dark Web
Checkmarx revealed that a security breach, linked to a March 23 supply chain attack, exposed sensitive GitHub repository data, which has now surfaced on the dark web. The incident has been contained, with no customer data compromised, as the affected repository was separate from Checkmarx's customer production environment.