Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow
2021-03-03 19:12

Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow inside the npm public code repository - all of which exfiltrate sensitive information. The packages weaponize proof-of-concept dependency-confusion exploit code that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

I see you: your home-working photos reveal more than you think!
2021-03-03 19:00

As we have become more aware of scams, criminals have had to become more cunning. Now we are also leaking personal information through home-working photos and visuals - even that seemingly-harmless background shown during video calls.

Scams: How to protect yourself when job hunting
2021-03-03 18:44

Scammers will always find a new way to get money. Job searchers can be vulnerable, too.

Intel Paid Out $800,000 Per Year Through Bug Bounty Program
2021-03-03 18:18

Intel patched 231 vulnerabilities in its products last year, roughly the same as in the previous year, when it fixed 236 flaws. The chipmaker on Wednesday published its 2020 Product Security Report, which reveals that nearly half of the vulnerabilities patched last year were discovered by its own employees, and the company claims that a vast majority of the addressed issues are the direct result of its investment in product security assurance.

US government warns of Social Security scams using fake federal IDs
2021-03-03 17:47

Government imposter scams now come with a new twist that has the potential to make them even more effective, the Inspector General for the Social Security Administration warns. According to reports received by the Office of the Inspector General, the scammers' arsenal of tactics has been updated to include the use of fake IDs designed to look like those used by federal employees.

Qualys hit with ransomware: Customer invoices leaked on extortionists' Tor blog
2021-03-03 17:00

Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists. Ransomware gang specialist Brett Callow, of infosec biz Emsisoft, told The Register: "Entities that have had dealings with Qualys should be on high alert."

Proof of concept code published for latest Saltstack CVE: Don't be an update laggard
2021-03-03 16:47

Proof of concept code has been published for a vulnerability in popular data centre security management tool Saltstack, which was discovered after a developer at Immersive Labs found a privilege escalation bug allowing any old user to become root. The latest CVE is a command injection flaw leading to the priv-esc flaw, according to Immersive Labs, whose Matt Rollings found the vuln.

Cybersecurity firm Qualys is the latest victim of Accellion hacks
2021-03-03 16:39

Cybersecurity firm Qualys is likely the latest victim to have suffered a data breach after a zero-day vulnerability in their Accellion FTA server was exploited to steal hosted files. Yesterday, the Clop ransomware gang posted screenshots of files allegedly belonging to the cybersecurity firm Qualys.

Cybersecurity threats aren't getting any smaller. Could big data help?
2021-03-03 16:00

It seems logical that big data might help to solve it. Where do you start? Easy, simply tune into our upcoming webcast, Applying Big Data analytics to Cybersecurity, on March 31 at 0900 PST. Proceedings will be overseen by our very own Tim Phillips, a technology veteran who has seen off more than a few big threats himself over the years.