CYBERNEWSMEDIA Network

Supply Chain Security

80 items

  • Mercor Hit by LiteLLM Supply Chain Attack

    Supply Chain Security

    The AI recruiting firm is investigating the incident as Lapsus$ claimed the theft of 4TB of Mercor data. The post Mercor Hit by LiteLLM Supply Chain Attack appeared first on SecurityWeek.

  • Axios NPM Package Breached in North Korean Supply Chain Attack

    Supply Chain Security · Application Security

    A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions.

  • Telnyx Targeted in Growing TeamPCP Supply Chain Attack

    Supply Chain Security · Malware & Threats

    Two malicious versions of the popular SDK were uploaded to the PyPI registry, targeting Windows, macOS, and Linux.

  • Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack

    Supply Chain Security

    Hackers published a malicious scanner release and replaced tags to point to information-stealer malware.

  • Virtual Summit Today: Supply Chain & Third-Party Risk Summit

    Supply Chain Security

    Cyber risk doesn’t stop at your perimeter. Today’s most dangerous threats could be hiding in your software supply chain.

  • Autonomous AI Agents Provide New Class of Supply Chain Attack

    Artificial Intelligence · Supply Chain Security

    While this campaign targets crypto wallets and steals money, the methodology has far wider potential that could be used by other attackers.

  • Open VSX Publisher Account Hijacked in Fresh GlassWorm Attack

    Supply Chain Security · Malware & Threats

    A hacker published malicious versions of four established VS Code extensions to distribute a GlassWorm malware loader.

  • Notepad++ Supply Chain Hack Conducted by China via Hosting Provider

    Supply Chain Security

    The likely state-sponsored threat actor had access to the hosting provider for months and targeted only certain Notepad++ customers.

  • eScan Antivirus Delivers Malware in Supply Chain Attack

    Supply Chain Security · Malware & Threats

    Hackers compromised a MicroWorld Technologies update server and fed a malicious file to eScan customers.

  • ‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

    Supply Chain Security

    The protections against NPM supply chain attacks could be bypassed, leading to arbitrary code execution.

  • Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist

    Supply Chain Security · Application Security

    The worm exposed Trust Wallet’s Developer GitHub secrets, allowing attackers to publish a backdoor extension and steal funds from 2,520 wallets.

  • Infostealer Malware Delivered in EmEditor Supply Chain Attack

    Supply Chain Security · Malware & Threats

    The ‘download’ button on the official EmEditor website served a malicious installer.

  • From Open Source to OpenAI: The Evolution of Third-Party Risk

    Vulnerabilities · Supply Chain Security

    From open source libraries to AI-powered coding assistants, speed-driven development is introducing new third-party risks that threat actors are increasingly exploiting.

  • 640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack

    Supply Chain Security

    The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories.

  • Chinese APT Uses ‘Airstalk’ Malware in Supply Chain Attacks

    Supply Chain Security

    PowerShell and .NET variants of the malware abuse AirWatch’s MDM API to establish a C&C communication channel.

  • SBOM Pioneer Allan Friedman Joins NetRise to Advance Supply Chain Visibility

    Supply Chain Security

    NetRise appointed the former CISA Senior Advisor and Strategist as a Strategic Advisor.

  • Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware

    Supply Chain Security · Malware & Threats

    The malware uses invisible Unicode characters to hide its code and blockchain-based infrastructure to prevent takedowns.

  • GitHub Boosting Security in Response to NPM Supply Chain Attacks

    Supply Chain Security · Application Security

    GitHub will implement local publishing with mandatory 2FA, granular tokens that expire after seven days, and trusted publishing.

  • Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit

    Supply Chain Security · Application Security

    The packages were injected with malicious code to harvest secrets, dump them to a public repository, and make private repositories public.

  • Highly Popular NPM Packages Poisoned in New Supply Chain Attack

    Supply Chain Security · Application Security

    Designed to intercept cryptocurrency transactions, the malicious code reached 10% of cloud environments.

  • GitHub Workflows Attack Affects Hundreds of Repos, Thousands of Secrets

    Supply Chain Security · Application Security

    A supply chain attack called GhostAction has enabled threat actors to steal secrets and exploit them.

  • Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack

    Supply Chain Security

    The private repositories of hundreds of organizations were published publicly in the second phase of the Nx supply chain attack.

  • Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack

    Supply Chain Security · Vulnerabilities

    With more than 4 million weekly downloads, the Nx build platform became the first known supply chain breach where hackers weaponized AI assistants for data theft.

  • CISA Requests Public Feedback on Updated SBOM Guidance

    Supply Chain Security · Application Security

    CISA has updated the Minimum Elements for a Software Bill of Materials (SBOM) guidance and is seeking public comment.

  • High-Value NPM Developers Compromised in New Phishing Campaign

    Supply Chain Security

    Hackers have injected malware into popular NPM packages after compromising several developer accounts in a fresh phishing campaign.

  • React Native Aria Packages Backdoored in Supply Chain Attack

    Supply Chain Security · Malware & Threats

    A threat actor published backdoored versions of 17 NPM packages from GlueStack in a fresh supply chain attack.

  • Ongoing Campaign Uses 60 NPM Packages to Steal Data

    Supply Chain Security · Malware & Threats

    Security firm Socket flags a campaign targeting NPM users with tens of malicious packages that can hijack system information.

  • Chinese Hackers Hit Drone Sector in Supply Chain Attacks

    Nation-State · Supply Chain Security

    The China-linked hacking group Earth Ammit has launched multi-wave attacks in Taiwan and South Korea to disrupt the drone sector.

  • China’s Secret Weapon? How EV Batteries Could Be Weaponized to Disrupt America

    Supply Chain Security · Cyberwarfare

    As Xi Jinping advances his vision for China’s dominance by 2049, cybersecurity experts warn that connected technologies—like EV batteries—may quietly serve as tools of influence, espionage, and disruption.

  • Chainguard Raises Hefty $356M Series D at $3.5 Billion Valuation

    Supply Chain Security

    The cash infusion brings Chainguard’s total funding to about $612 million since launching in 2021 and prices the company at $3.5 billion.

  • NetRise Raises $10 Million to Grow Software Supply Chain Security Platform

    Supply Chain Security · Cybersecurity Funding

    The funding round brings the total amount raised by NetRise to roughly $25 million.

  • Huntress Documents In-The-Wild Exploitation of Critical Gladinet Vulnerabilities

    Supply Chain Security · Malware & Threats

    The flaw, tagged as CVE-2025-30406, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in early April.

  • AI Hallucinations Create a New Software Supply Chain Threat

    Supply Chain Security

    Researchers uncover new software supply chain threat from LLM-generated package hallucinations.

  • Malicious NPM Packages Target Cryptocurrency, PayPal Users

    Supply Chain Security · Cybercrime

    Threat actors are publishing malicious NPM packages to steal PayPal credentials and hijack cryptocurrency transfers.

  • Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack

    Supply Chain Security · Application Security

    Evidence shows a SpotBugs token compromised in December 2024 was used in the March 2025 GitHub Actions supply chain attack.

  • Watch on Demand: Supply Chain & Third-Party Risk Security Summit

    Supply Chain Security

    Join the virtual event as we explore the critical nature of software and vendor supply chain security issues.

  • Impact, Root Cause of GitHub Actions Supply Chain Hack Revealed

    Supply Chain Security

    More details have come to light on the recent supply chain attack targeting GitHub Actions, including its root cause.

  • 100 Car Dealerships Hit by Supply Chain Attack

    Supply Chain Security · Malware & Threats

    The websites of over 100 auto dealerships were found serving malicious ClickFix code in a supply chain compromise.

  • Popular GitHub Action Targeted in Supply Chain Attack

    Supply Chain Security · Application Security

    The tj-actions/changed-files GitHub Action, which is used in 23,000 repositories, has been targeted in a supply chain attack.

  • UK Government Report Calls for Stronger Open Source Supply Chain Security Practices

    Supply Chain Security

    Report from the Department for Science, Innovation & Technology (DSIT) finds weaknesses in current practices.

  • Endor Labs and Allies Launch Opengrep, Reviving True OSS for SAST

    Supply Chain Security · Application Security

    Opengrep is a new consortium-backed fork of Semgrep, intended to be and remain a genuine OSS SAST tool.

  • Call for Presentations Open for SecurityWeek’s 2025 Supply Chain Security & Third-Party Risk Summit

    Supply Chain Security

    Join Us in Shaping the Future of Supply Chain Security - Don’t miss this chance to be part of the conversation addressing one of the most pressing cybersecurity challenges.

  • Cyber Insights 2025: Open Source and Software Supply Chain Security

    Supply Chain Security

    Open source software (OSS) is a prime target for supply chain cyberattacks and protecting it remains a major challenge.

  • Veracode Targets Malicious Code Threats With Phylum Acquisition

    Supply Chain Security

    The deal includes certain Phylum assets, including its malicious package analysis, detection, and mitigation technology.

  • Cyberhaven Chrome Extension Hack Linked to Widening Supply Chain Campaign

    Supply Chain Security

    The recent compromise of Cyberhaven’s Chrome extension appears to be part of a broad campaign that started over a year ago.

  • Several Chrome Extensions Compromised in Supply Chain Attack

    Supply Chain Security

    Cyberhaven and other Chrome extensions were compromised in a supply chain attack targeting Facebook advertising users.

  • Solana Web3.js Library Backdoored in Supply Chain Attack

    Supply Chain Security

    Supply chain attack leads to decentralized application developers downloading backdoored versions of the Solana Web3.js library.

  • ESET Flags Prototype UEFI Bootkit Targeting Linux

    Supply Chain Security · Vulnerabilities

    ESET warns of a new reality: “UEFI bootkits are no longer confined to Windows systems alone.”

  • Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack

    Supply Chain Security · Ransomware

    Supply chain management software provider Blue Yonder has been targeted in a ransomware attack that caused significant disruptions for some customers.

  • Lottie-Player Supply Chain Attack Targets Cryptocurrency Wallets

    Supply Chain Security

    LottieFiles has confirmed that Lottie-Player has been compromised in a supply chain attack whose goal is cryptocurrency theft.

  • Socket Raises $40 Million for Supply Chain Security Tech

    Supply Chain Security

    Socket has raised $40 million in a Series B funding round to work on open source software supply chain security technology.

  • SEC Charges Four Companies Over Misleading Disclosures on SolarWinds Hack

    Supply Chain Security

    The SEC announces penalties against Unisys, Avaya, Check Point and Mimecast for downplaying the impact of the SolarWinds Orion hack.

  • North Korean APT Exploited IE Zero-Day in Supply Chain Attack

    Supply Chain Security

    A Pyongyang-aligned APT was caught exploiting a recent zero-day in Internet Explorer in a supply chain attack.

  • Open Source Package Entry Points May Lead to Supply Chain Attacks

    Supply Chain Security

    Entry points in packages across multiple programming languages are susceptible to exploitation in supply chain attacks.

  • Zero-Day Breach at Rackspace Sparks Vendor Blame Game

    Supply Chain Security · Data Breaches

    A breach at Rackspace exposes the fragility of the software supply chain, triggering a blame game among vendors over an exploited zero-day.

  • Fortifying the Weakest Link: How to Safeguard Against Supply Chain Cyberattacks

    Supply Chain Security · Risk Management

    As organizations have fortified their defenses against direct network attacks, hackers have shifted their focus to exploiting vulnerabilities in the supply chain to gain backdoor access to systems.

  • Software Supply Chain Security Firm Lineaje Raises $20M in Series A Funding

    Supply Chain Security · Cybersecurity Funding

    Software supply chain security startup Lineaje has raised $20 million in a Series A funding round that brings the total to $27 million.

  • Chainguard Raises $140 Million, Expands Tech to Secure AI Workloads

    Supply Chain Security

    Software supply chain security startup Chainguard raises a $140 million Series C round that values the company at $1.2 billion.

  • Judge Dismisses Major SEC Charges Against SolarWinds and CISO

    Supply Chain Security · CISO Strategy

    Judge dismissed SEC lawsuit charging SolarWinds and CISO Timothy Brown with hiding security problems before and after the SUNBURST supply chain compromise.

  • GitLab Ships Update for Critical Pipeline Execution Vulnerability

    Supply Chain Security · Vulnerabilities

    GitLab issues an advisory for a critical-severity vulnerability that allows an attacker to trigger a pipeline as another user.

  • Polyfill Domain Shut Down as Owner Disputes Accusations of Malicious Activity

    Supply Chain Security · Malware & Threats

    Namecheap shut down polyfill.io amid reports of malicious activity, but the Chinese owner claims it has good intentions.

  • Polyfill Supply Chain Attack Hits Over 100k Websites

    Supply Chain Security

    More than 100,000 websites are affected by a supply chain attack injecting malware via a Polyfill domain.

  • Several Plugins Compromised in WordPress Supply Chain Attack

    Supply Chain Security

    Five WordPress plugins were injected with malicious code that creates a new administrative account.

  • Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report

    Threat Intelligence · Supply Chain Security

    Attackers are getting more sophisticated, better armed, and faster. Nothing in Rapid7's 2024 Attack Intelligence Report suggests that this will change.

  • XZ Utils Backdoor Attack Brings Another Similar Incident to Light

    Supply Chain Security

    The discovery of the XZ Utils backdoor reminds an F-Droid developer of a similar incident that occurred a few years ago.

  • Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

    Supply Chain Security · Vulnerabilities

    Urgent security alerts issued as malicious code was found embedded in the XZ Utils data compression library used in many Linux distributions.

  • Malware Upload Attack Hits PyPI Repository

    Supply Chain Security · Malware & Threats

    Maintainers of the Python Package Index (PyPI) repository were forced to suspend new project creation and new user registration to mitigate a malware upload campaign.

  • Binarly Attracts $10.5M to Tackle Software Supply Chain Security

    Supply Chain Security

    Los Angeles firmware and software supply chain firm banks $10.5 million in seed-stage funding led by Two Bear Capital.

  • Watch Now: Supply Chain & Third-Party Risk Summit 2024

    Supply Chain Security

    Join us for the fully immersive virtual event as we explore the critical nature of software and vendor supply chain security issues.

  • Cyber Insights 2024: Supply Chain

    Supply Chain Security

    Supply chain security insights: A successful attack against a supplier can lead to multiple opportunities against the supplier’s downstream customers.

  • AnyDesk Hacked: Revokes Passwords, Certificates in Response

    Supply Chain Security

    AnyDesk is revoking certificates and passwords in response to a significant security breach impacting production systems.

  • New Offerings From Protect AI, Venafi Tackle Software Supply Chain Security

    Supply Chain Security · Vulnerabilities

    Two new products aim to secure the traditional OSS supply chain, and the new AI model software supply chain.

  • Software Supply Chain Security Startup Kusari Raises $8 Million

    Supply Chain Security · Cybersecurity Funding

    Kusari has raised $8 million to help organizations gain visibility into and secure their software supply chain.

  • Remotely Exploitable ‘PixieFail’ Flaws Found in Tianocore EDK II PXE Implementation

    Supply Chain Security · Network Security

    Quarkslab finds serious, remotely exploitable vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI spec.

  • New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise

    Supply Chain Security · Application Security

    Researchers detail a CI/CD attack leading to PyTorch releases compromise via GitHub Actions self-hosted runners.

  • Major IT, Crypto Firms Exposed to Supply Chain Compromise via New Class of CI/CD Attack

    Supply Chain Security

    Self-hosted GitHub Actions runners could allow attackers to inject malicious code into repositories, leading to supply chain attacks.

  • NSA Issues Guidance on Incorporating SBOMs to Improve Cybersecurity

    Supply Chain Security · Application Security

    NSA has published guidance to help organizations incorporate SBOM to mitigate supply chain risks.

  • Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

    Supply Chain Security · Malware & Threats

    US, UK, and Poland warn of Russia-linked cyberespionage group’s broad exploitation of recent TeamCity vulnerability.

  • North Korean Software Supply Chain Attack Hits North America, Asia

    Supply Chain Security

    North Korean hackers breached a Taiwanese company and used its systems to deliver malware to the US, Canada, Japan and Taiwan in a supply chain attack.

  • Researchers Discover Dangerous Exposure of Sensitive Kubernetes Secrets

    Supply Chain Security · Cloud Security

    Researchers at Aqua call urgent attention to the public exposure of Kubernetes configuration secrets, warning that hundreds of organizations are vulnerable to this “ticking supply chain attack bomb.”