Is Dynamic Testing the Missing Piece of Application Security? - The importance of application security cannot be overstated, as software applicati... - https://readwrite.com/is-dynamic-testing-the-missing-piece-of-application-security/ #dynamicapplicationsecuritytesting #codeinjectionattacks #supplychainattacks #ddosattacks #readwrite
Applied Materials estimates that a ransomware attack on a supplier, presumably MKS Instruments, will cost it 233 million euros (250 million USD). Applied Materials is a multi-billion-dollar company that provides technology for the semiconductor industry. The attack will affect the supply chain and lead to severe delays.
#itsecurity #supplychainattacks
https://therecord.media/applied-materials-supply-chain-mks-ransomware-attack/
The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services
#infosec #supplychain #supplychainattacks #github #gitlab
On January 11th 2023, #gradle was contacted by MinecraftOnline about two unusual and suspicious Gradle wrapper JARs found in some of their repositories.
Read about the story here
https://blog.gradle.org/wrapper-attack-report
Read about how to protect yourself against such #supplychainattacks here
https://blog.gradle.org/project-integrity
Protect your business from supply chain attacks! Learn how to spot suspicious activity and guard against malicious actors. #SecurityAwareness #SupplyChainAttacks #ProtectYourBusiness
https://redbeardsec.com/spotting-supply-chain-attacks-how-to-protect-your-business/
#securityawareness #supplychainattacks #protectyourbusiness
✨ PyTorch discloses malicious dependency chain compromise over holidays
👉 Malicious dependency with the same name as the framework's 'torchtriton' library
👉 Users who installed PyTorch-nightly over the holidays => Uninstall the framework and the counterfeit 'torchtriton' dependency
#infosec #supplychain #supplychainattacks #supplychainsecurity #python #machinelearning #pytorch #datascience #artificialintelligence
Malicious PyPI package posed as SentinelOne SDK to serve info-stealing malware https://securityaffairs.co/wordpress/139831/cyber-crime/malicious-pypi-package-sentinelone-sdk.html #informationsecuritynews #ITInformationSecurity #supplychainattacks #PierluigiPaganini #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #SentinelOne #CyberCrime #Cybercrime #Malware #pypi
Automated Cybercampaign Creates Masses of Bogus Software Building Blocks
"Harush explains the attackers likely invested in automation to poison the NuGet, PyPI, and npm ecosystems because it allows them to create a high volume of packages and user accounts in a short amount of time." #trojan #supplychainattacks #phishing #malware
New insights for defending the software supply chain:
https://blog.google/technology/safety-security/new-insights-for-defending-the-software-supply-chain/
#supplychain #supplychainattacks #supplychainsecurity #infosec #cybersecurity #supplychainattack
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable:
A vulnerability in the “rust-lang/rustc_codegen_gcc” repository could allow any user to execute code in a privileged pipeline
https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
@LegitSecurity1 #infosec #Rust #rustlang #pentest #vulnerability #supplychainattacks #supplychainsecurity
Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines
FTA: An attacker submitting changes to an open source repository on GitHub could cause downstream software projects that include the latest version of a component to compile updates with malicious code... Legit Security simulated an attack on the project that manages Rust.
#malware #github #supplychainattacks
#TIL you can just arbitrarily upload new builds to existing #pypi package versions and clients will just download the latest one, malware or otherwise: https://stackoverflow.com/a/63944201. Chalk up another reason to use integrity hashes!
#til #pypi #appsec #supplychainattacks
Hot out of the oven:
#supplychainattacks #owasp #cicd
https://www.linkedin.com/posts/activity-7003074605766586368-lfcp
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States.
#supplychainattacks
https://krebsonsecurity.com/2022/11/u-s-govt-apps-bundled-russian-code-with-ties-to-mobile-malware-developer/
#Microsoft warns of supply-chain attacks, using the Boa web server as an example | heise online https://www.heise.de/news/Microsoft-warnt-vor-Supply-Chain-Attacken-am-Boa-Web-Server-Beispiel-7351727.html #SupplyChainAttacks #BoaWebServer
Great article on software supply chain and the Supply chain Levels for Software Artifacts (SLSA) model in depth by François Proulx.
Red Team, Blue Team, insider threat, external threats. All PoVs on how to commit malicious code and release it, or how to mitigate such attacks.
Brilliantly written.
#infosec #appsec #supplychainattacks
https://medium.com/boostsecurity/slsa-dip-source-of-the-problem-a1dac46a976
Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack #supplychainattacks #infosec #python #pypi
Well, this doesn't exactly sound good now, does it? SocGholish combined with Emotet would be a bad combo.
Breach of software maker used to backdoor as many as 200,000 servers
https://arstechnica.com/?p=1881102
#supplychainattacks #backdoors #Biz&IT
Breach of software maker used to backdoor as many as 200,000 servers - Fishpig, a UK-based maker of e-... - https://arstechnica.com/?p=1881102 #supplychainattacks #backdoors #biz&it