Latest software supply chain attack news

A software supply chain attack occurs when malicious hackers compromise third-party software dependencies used in multiple ‘downstream’ applications.

By compromising a single open source package or library, attackers can potentially steal confidential data from, cause a denial of service, or breach networks at hundreds – or even thousands – of organizations.

Small wonder this attack vector has become increasingly commonplace; the 2020 ‘Sunburst’ attack, which gave attackers access to 18,000 SolarWinds customers, was a watershed moment.

Catch up with the latest supply chain attack news and analysis here.


NIST plots biggest ever reform of Cybersecurity Framework
23 February 2023 – CSF 2.0 blueprint offered up for public review

Git security audit reveals critical overflow bugs
20 January 2023 – Uncovered vulnerabilities include several high, medium, and low-severity issues

All Day DevOps: Third of Log4j downloads still pull vulnerable version despite growing awareness of supply chain attacks
14 November 2022

Supply chain attack surge: Researchers find 633% rise in assaults on open source repositories
18 October 2022

Consent problem: Dex patches authentication bug that enabled unauthorized access to client applications
06 October 2022

Webhook, line, and sinker: CI/CD servers can be breached through SCM webhooks
23 September 2022

Persistent Python problem: Tarfile path traversal bug from 2007 still present in 350k open source repos
22 September 2022

NETGEAR resolves router bugs in bundled gaming component
16 September 2022 – Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Stop, press: Fragmented vendor ecosystem leaves media industry increasingly vulnerable to software supply chain threats
24 August 2022

SOS.dev: Security reward program launched to help protect critical upstream software
18 August 2022

Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time
11 August 2022

HTTP parameter smuggling flaw found in Go projects
04 August 2022 – Harbor, Traefik, and Skipper projects tackle unsafe URL parsing methods

‘You get respect for owning what happened’: SolarWinds’ CISO on the legacy and lessons of Sunburst
01 August 2022

GitHub Actions: Workflow flaws provided write access to projects including Logstash
29 July 2022

Supply chain costs: One in five breaches due to third-party compromise, report warns
27 July 2022

‘We’re still fighting last decade’s battle’: Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain
22 July 2022

‘Endemic’ Log4j bug will persist in wild for a ‘decade or longer’
18 July 2022 – Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

ML security: A new white paper details the myriad security threats associated with machine learning models
12 July 2022

PyPI to send 4,000 security keys to ‘critical projects’
11 July 2022 – Google is providing Titan Security Keys to maintainers of projects in top 1% of downloads

High severity OpenSSL bug could lead to remote code execution
06 July 2022 – Fixes are available, update now

Latest web hacking tools – Q3 2022
01 July 2022 – We take a look at the latest additions to security researchers’ armory

RubyGems trials 2FA-by-default in code repo’s latest security effort
17 June 2022 – Move intended to help prevent Ruby packages from being used in supply chain attacks

US DoJ offers blueprint for more ‘innovative, secure IT capabilities’
10 June 2022 – ‘Zero trust’ architecture and secure supply chains to the fore in new strategy

Turkish flight operator Pegasus Airlines suffers data breach
09 June 2022 – Data protection regulator confirms sensitive information was leaked

Guzzle bug: Cookie leakage issue in PHP HTTP client prompts Drupal update
27 May 2022

Treading a fine line: Security ‘researcher’ hits back against claims of malicious CTX file uploads
27 May 2022

Suspicious update: Malicious Python library removed from PyPI repo amid reports of domain hijack
25 May 2022

DBIR 2022: Ransomware surge increases global data breach woes
24 May 2022

European Council extends sanction regime to deter future cyber-attacks
24 May 2022 – Strategy includes travel bans and asset freezing

Widespread Swagger-UI bug leads to DOM XSS
20 May 2022 – Dozens of bugs reported with a backlog containing hundreds more

Hack thy off-prem neighbor: Rogue cloud users could sabotage fellow tenants via critical Flux flaw
19 May 2022

Securing the supply chain: NIST refreshes risk management guidance for orgs
11 May 2022

EU targets standardization as key to bloc-wide cyber-resilience
10 May 2022 – Threat landscape’s increasing complexity adds impetus to drive for consistency across 27 member states

Poisoned packages: NPM developer reputations could be leveraged to legitimize malicious software
03 May 2022

Socket: New tool takes a proactive approach to prevent OSS supply chain attacks
28 April 2022

IBM database updates address critical bugs in third-party parser
25 April 2022 – Flaws in popular parser prompt updates from numerous downstream vendors

Wake-up call: Is the infosec skills gap causing a mental health crisis?
07 April 2022

Spring4Shell: Microsoft, CISA warn of limited, in-the-wild exploitation
06 April 2022

Cyber certification: Singaporean cybersecurity agency launches scheme for businesses
05 April 2022

PEAR shaped: Supply chain flaws in PHP package manager lay undiscovered for 15 years
04 April 2022