
Tag: supply chain

500 articles


CISA Launches Framework to Fortify Critical Infrastructure Against Cyber-Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched CI Fortify, a vital planning framework designed to shield critical infrastructure sectors like water, energy, and transportation from devastating cyber-attacks. This timely guidance helps organizations safeguard their networks and essential services from threat actors seeking to disrupt and degrade infrastructure.

Analyst 207

Google Bolsters Android App Security with Public Verification Ledger

Google is stepping up its game to keep your Android apps safe with a new public verification ledger that ensures the Google apps on your device are genuine and exactly as intended. This move builds on its Pixel Binary Transparency feature, now expanding it to all Android production apps.

Analyst 207

Palo Alto Networks Firewalls Targeted in Zero-Day Exploits

Palo Alto Networks firewalls are under attack by zero-day exploits targeting a vulnerability in the User-ID Authentication Portal, allowing hackers to execute malicious code with root privileges. This buffer overflow flaw, tracked as CVE-2026-0300, poses a significant risk to organizations with Internet-exposed firewalls.

Analyst 207

US Navy to Test At-Sea Rearming of Warships on Unused Sea Base Ship

The US Navy is set to revolutionize its naval operations with a game-changing at-sea rearming test on the USNS Montford Point, aiming to develop a cost-effective solution for replenishing warships at sea. This ambitious project, funded with $177.7 million, could transform the way the Navy operates, making its vessels more agile and self-sufficient.

Analyst 207

Quasar Linux Malware Targets Developers with Stealthy Implant

Meet Quasar Linux, a sneaky new malware targeting developers with a potent blend of stealth, persistence, and credential theft capabilities that can compromise software supply chains. This Linux implant is quietly infiltrating dev and DevOps environments, putting cloud toolchains at risk.

Analyst 207

ScarCruft APT Exploits Yanbian Gaming Platform for Intelligence Gathering

Meet ScarCruft, a notorious North Korea-aligned espionage group that's been caught exploiting a popular gaming platform in China to gather intel on its users. The group trojanized a site serving traditional Yanbian-themed games, compromising both Windows and Android software.

Analyst 207

Phishing Campaign Exploits Signed RMM Software to Plant Persistent Backdoors

A long-running phishing campaign has compromised over 80 US organizations by using legitimately signed remote monitoring software to install silent, persistent backdoors, according to Securonix research. The attack begins with a clever email impersonating the US Social Security Administration, tricking victims into downloading malicious payloads.

Analyst 207

Vimeo Breach Exposes 119,000 in Data Heist by ShinyHunters Gang

A recent data breach at Vimeo exposed the email addresses and names of over 119,000 users, thanks to a hack by the notorious ShinyHunters extortion gang, which gained access through a vulnerability at data anomaly detection company Anodot. The breach highlights the importance of securing third-party integrations to protect sensitive user data.

Analyst 207

Vimeo Breach Exposes 119,000 Email Addresses

A data breach at Vimeo has compromised the email addresses of over 119,000 users, with hackers also accessing some metadata and technical data from a third-party analytics vendor. Fortunately, no video content, login credentials, or payment card information was stolen.

Analyst 207

NHS Moves to Close-Source GitHub Repos Citing AI Security Risks

The NHS is taking steps to boost security by moving its public GitHub repositories to private access by May 11, amid concerns that AI-powered code analysis could be exploited to uncover sensitive information. This temporary measure aims to prevent unintended disclosure of source code and other critical details.

Analyst 207

ScarCruft Expands Malware Arsenal with Multi-Platform BirdCall Backdoor

ScarCruft hackers have launched a sneaky attack on a popular video game platform, infecting both Windows and Android users with a new backdoor called BirdCall. The multi-platform threat has been targeting ethnic Koreans in China since late 2024, allowing hackers to gain unauthorized access.

Analyst 207

North Korean Hackers Infiltrate Android Games to Spy on Defectors

Security researchers at Eset stumbled upon a sneaky plot by North Korean hackers, who infiltrated popular Android games to spy on defectors by hiding a backdoor called BirdCall in the apps. The malicious code was cleverly disguised in game files available for download on a regional gaming platform's official website.

Analyst 207

ScarCruft Hackers Deploy BirdCall Malware via Gaming Platform

North Korean hackers APT37, also known as ScarCruft, have cleverly expanded their BirdCall malware to target Android devices, adapting their Windows backdoor to spy on mobile users. They even used a popular gaming platform to sneak the malware onto unsuspecting devices.

Analyst 207

Weaver E-cology Flaw Exploited Through Debug API Endpoint

A critical bug in Weaver E-cology, tracked as CVE-2026-22679 and carrying a CVSS score of 9.8, is being actively exploited, allowing attackers to take full control of affected systems. This severe vulnerability lets attackers execute commands without needing login credentials, putting the entire system at risk.

Analyst 207

Australia's Northern Economies Require Security-Focused Boost

With a severe shortage of workers in the Northern Territory, where only 7% of employers feel adequately staffed, the region is crying out for a security-focused boost to attract and retain the 14,000 extra workers it desperately needs over the next five years. Labour shortages are already crippling key industries like mining, construction, and hospitality, with flow-on effects that threaten the region's economic growth.

Analyst 207

Nation-State Hackers Target Small Defense Firms' Network Gaps

Small defense firms are leaving themselves exposed to nation-state hackers, who exploited over 14 zero-day vulnerabilities in edge devices like routers and firewalls in 2025 to gain a foothold in the US defense industrial base. These stealthy cyber espionage groups are investing heavily in reconnaissance and pre-positioning operations to infiltrate and linger in their targets' networks.

Analyst 207

Hackers Exploit Weaver E-cology Bug in Targeted Attacks

Hackers are taking advantage of a critical bug in Weaver E-cology, using an exposed debug API endpoint to execute system commands on vulnerable servers without needing login credentials. This security flaw, tracked as CVE-2026-22679, affects Weaver E-cology 10.0 builds prior to March 12.

Analyst 207

New York Fines Delta Dental $2.25M for MOVEit Hack Violations

Delta Dental of New York has been fined $2.25 million by the New York Department of Financial Services for its handling of a massive data breach involving hackers stealing around 60,000 files from its MOVEit servers in 2023. The hefty penalty highlights the importance of robust cybersecurity measures to protect sensitive information.

Analyst 207

Ransomware Breach Exposes Sensitive Data at Sandhills Medical Foundation

Sandhills Medical Foundation suffered a devastating ransomware attack on May 8, 2025, putting sensitive data at risk. It took nearly 11 months for affected individuals to be notified in April 2026, sparking an investigation into the breach.

Analyst 207

EU Curbs Chinese Solar Inverter Funding Over Cybersecurity Fears

The European Commission has pulled the plug on EU funding for solar projects using Chinese-made inverters, citing serious cybersecurity threats that could lead to countrywide blackouts and unauthorized access to sensitive operational data. This move comes after risk assessments confirmed the potential for manipulation of electricity production and disruption of generation.

Analyst 207

Malicious PyTorch Lightning Package Exploits Supply Chain to Steal Credentials

A malicious version of the popular PyTorch Lightning package, downloaded over 11 million times, was found to contain a stealthy backdoor that steals credentials by silently executing a heavily obfuscated JavaScript payload. The compromised package, version 2.6.3, triggers the malicious routine automatically when imported, putting users at risk.

Analyst 207

AI-BOMs Tackle Shadow AI Risks in Enterprise Supply Chains

Imagine biting into a cake without knowing the recipe, ingredients, or who's behind the baking - it's a risk you wouldn't take, right? Similarly, without AI-BOMs, enterprises are left in the dark about the AI components powering their supply chains, leaving them vulnerable to shadow AI risks.

Analyst 207

Progress Warns of MOVEit Automation Authentication Bypass Flaw

Progress Software has patched a critical authentication-bypass flaw in its MOVEit Automation product, and is strongly urging users to upgrade to the latest version to avoid low-complexity attacks by remote threat actors. Upgrading to version 2025.1.5, 2025.0.9, or 2024.1.8 and above will fix the vulnerability.

Analyst 207

Silver Fox Targets India, Russia with ABCDoor Malware via Tax Phishing

Meet Silver Fox, a China-based cybercrime group that's using tax phishing scams to deliver a sneaky new malware called ABCDoor, targeting India and Russia with cleverly crafted emails that masquerade as official tax notices. The group's tactics involve PDFs with links to infected archives, tricking victims into downloading the malware.

Analyst 207