Tag: supply chain
823 articles

U-Boot Flaws Expose Devices to Code Execution, Crashes
Six newly discovered flaws in U-Boot, a widely used bootloader, leave devices from home routers to data-center servers vulnerable to code execution and crashes, posing a significant risk to everything that loads after it. These vulnerabilities can be exploited before the operating system even starts, undermining the entire security chain.

GitHub Compromise Injects Malicious npm Packages with Wallet-Key-Stealing Code
A malicious actor hijacked a trusted GitHub account and used it to inject wallet-key-stealing code into 18 npm packages, including Injective Labs' SDK, by exploiting the project's pipeline. This sneaky move allowed the attacker to spread the backdoor through a series of seemingly legitimate updates.

AI Agents Expose Identity Security Gap
The alarming truth is that security systems, designed with people in mind, are failing to protect against AI agents - and the consequences are stark. A single compromised machine identity can become a gateway to a vast array of sensitive information, as a recent breach involving an OAuth token and hundreds of organizations painfully illustrates.

Hackers Exploit Microsoft Entra Passkey Enrollment in Voice Phishing Attacks
Hackers are using voice phishing attacks to trick Microsoft 365 users into enrolling a new Entra passkey, targeting multiple sectors including food and beverage, technology, and healthcare. They're registering domains with the word "passkey" to convincingly pose as legitimate Microsoft representatives.

Ex-Con Ransomware Negotiator Sentenced for BlackCat Attacks
A former ransomware negotiator, Angelo Martino, has been sentenced to 70 months in prison for his role in a string of BlackCat ransomware attacks that targeted multiple victims between 2023 and 2025. Martino's guilty plea brings to justice a key player in the notorious ALPHV ransomware gang.

Australia Urged to Cultivate Domestic Critical Minerals Workforce
Australia's mining sector is facing a critical shortage of skilled workers, with a 63% skills gap in 2022, and recent university closures are exacerbating the problem, threatening to leave valuable mines and processing plants idle. The country lags far behind China, which churns out 3,000 mining engineering graduates annually from 45 programs.

Australia's Strategic Focus Shifts to Endurance Over Efficiency in Infrastructure Investment
Imagine a 2,700 km corridor that connects Darwin to Port Augusta, but it's more than just a highway - it's a complex system that supports defence, freight, and community needs across northern Australia. This critical infrastructure, known as the Stuart corridor, is a lifeline that weaves together highways, railways, fuel storage, telecommunications, and industrial supply chains.

OpenMandriva Linux Project Hit by Sabotage Attempt
Davide Beatrici, a leading developer of the Mumble app, has denied allegations of sabotage against the OpenMandriva Linux Project, claiming his actions were deliberate but not malicious. He admitted to deleting key repositories and pushing a package, but insists his moves were targeted, not hurtful.

npm Package Infects Developers with Cryptocurrency Wallet Stealer
A malicious npm package, downloaded a staggering 50,000 times weekly, was briefly infected with code that stole cryptocurrency wallet private keys and sensitive seed phrases, putting countless developers at risk. The attack was launched after a contributor's GitHub account was compromised, allowing the hackers to spread the poisoned code across multiple projects.

Turkey's TEI Advances Domestic Turbofan to Break Ukraine Engine Chokepoint
Turkey's TEI is making significant strides in developing its domestic turbofan engine, with plans to deliver the TF6000 to Baykar and Turkish Aerospace Industries by early 2027 for pre-integration testing. This milestone marks a crucial step towards breaking Ukraine's engine chokepoint and advancing Turkey's aerospace capabilities.

GitHub Accounts Used to Map Corporate Orgs in Stealthy Campaigns
Cyber attackers are using sneaky tactics, leveraging old or compromised GitHub accounts, to secretly map out corporate organizations and steal sensitive data. They're exploiting loopholes with automated tools and stolen tokens to quietly gather intel from GitHub APIs.

GitHub npm Tightens Security With Disabled Install Scripts
GitHub's latest npm update takes a giant leap in security by disabling install scripts by default, reducing supply-chain risks and giving developers more control. To adapt, plan to switch to trusted publishing or staged publishing with human approval for automated publishing.

Clearinghouses Race to Remediate Pre-Disclosure Vulnerabilities
Chainguard's Athena clearinghouse has been quietly remediating vulnerabilities for months, converting findings into fixes at an incredible pace, with a one-day SLA on actively exploited vulnerabilities and over 100,000 issues resolved so far. This swift action comes as the threat landscape accelerates, with the mean time to exploit now estimated at just -7 days.

AI Coding Assistants Expose Flaw in Approval Process
Researchers have uncovered a shocking flaw, dubbed GhostApproval, that affects six major AI coding assistants, allowing malicious code to bypass approval prompts and wreak havoc on a developer's machine. This vulnerability can be exploited through a clever use of symbolic links, posing a significant risk to developers who rely on these tools.

Beijing Intensifies Campaign to Isolate Taiwan
Beijing's campaign to isolate Taiwan has taken a more sinister turn, with everyday obstruction and procedural meddling making it increasingly costly for Taipei to engage with the world. From botched visas to high-profile exclusions, China's tactics are raising the stakes and making Taiwan's isolation a harsh reality.

China's Military AI Logistics Expose New Vulnerabilities in War
China's military is betting big on artificial intelligence to supercharge its logistics, but this bold move may backfire in the chaos of war, creating vulnerable chokepoints that could leave its operations crippled. Mike Tyson's famous words - "everybody has a plan until they get punched in the face" - are particularly apt for Beijing's high-stakes gamble.

Ukraine's Patriot Missile Production Hinges on Complex Supply Chain
In a surprise move, President Trump offered Ukraine a license to produce Patriot missile interceptors, a deal that could bolster the country's defenses, with the US also pledging to provide additional interceptors from its existing stockpile. The unexpected agreement was reached during a meeting between Trump and Ukrainian President Zelensky at the NATO Summit in Ankara, Turkey.

Venus Aerospace Secures $91 Million for Rocket Engine Production Scale-Up
Venus Aerospace is poised to supercharge its rocket engine production with a whopping $91 million in new funding, led by Mercury Fund and backed by Lockheed Martin Ventures. This major investment will help the Houston startup scale up to meet soaring demand from commercial and government clients.

AssuranceAmerica Breach Exposes 6.9 Million Driver Records
On March 17, 2026, AssuranceAmerica detected a security breach that put 6.9 million driver records at risk, allegedly caused by a malicious attack on one of its employees on March 16, 2026. The company has begun notifying affected individuals about the breach.

Red Teamer Exploits Trust to Steal Priceless Trophy
Imagine walking onto a secure campus with equipment in plain sight and a convincing story, and having employees roll out the red carpet - literally. A professional red teamer and his colleagues did just that, effortlessly gaining access to a Fortune 500 company's high-security site by exploiting one simple vulnerability: trust.

AI Coding Assistants Exposed to Symlink Flaw
Researchers uncovered a major vulnerability, dubbed GhostApproval, that affects six popular AI coding assistants, allowing attackers to manipulate the code and write malicious data into sensitive files. This flaw uses a clever trick involving deceptively named files and symbolic links to catch AI assistants off guard.

Chinese Spies Exploit Roundcube Flaw to Breach University Servers
A recent series of university server breaches, attributed to a group called UNK_MassTraction, has exposed vulnerabilities in North American higher-education institutions, with potentially dozens more affected. The breach, linked to a flaw in Roundcube, is believed to be an ongoing campaign.

Paris Peace Forum Launches Global Hub to Track AI Cyber Threats
The Paris Peace Forum is tackling the growing threat of AI-driven cyber attacks by launching INTAiC, a groundbreaking global hub that unites experts from two previously separate spheres: network defense and AI security. By bridging this gap, INTAiC aims to provide a unified front against the evolving risks to global internet infrastructure.

Hackers Exploit Roundcube Flaw to Target Academic Researchers
A new wave of cyber attacks linked to China is targeting academic researchers in the US and Canada, specifically those in physics, engineering, and national security-related fields, by exploiting a vulnerability in Roundcube webmail servers. The campaign, tracked as 'UNK_MassTraction', has been ongoing since May and has already hit several universities.