Security News
WASP malware is using steganography and polymorphism to evade detection with malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers.
Spotify's Backstage has been found to be vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. At its core, the vulnerability takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library, that came to light last month.
Cybersecurity researchers have uncovered 29 packages in the Python Package Index, the official third-party software repository for the Python programming language, that aim to infect developers' machines with a malware called W4SP Stealer. "The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22," software supply chain security company Phylum said in a report published this week.
While some security teams are beginning to assess their own open-source security by implementing SBOMs, many businesses are considering ditching open-source software altogether. Instead of reluctantly using open source and blaming developers when something goes wrong, businesses should be working with the open-source community with the aim of improving security and working to minimize the fallout from the next vulnerability.
The report, Developer Engagement Report: Are Your Developers Happy or Halfway Out The Door?, draws on data from 860 global developers from different backgrounds to identify trends regarding satisfaction and retention of developers, and provide best practices for IT leaders to avoid developer burnout and turnover. "We continue to be amazed by how IT leaders and developers around the globe continue to innovate in the face of challenges. However, with a global talent shortage of over one million developers, IT leaders will not be able to hire their way out of the challenges they face in response to the insatiable appetite for building high-performance, quality software," said Gonçalo Gaiolas, Chief Product Officer of OutSystems.
Open-source software has reached greater levels of security than ever before, but its increased adoption comes with new challenges. In this Help Net Security video, Josep Prat, Open Source Engineering Director at Aiven, illustrates how threat actors see greater use of open-source software as an opportunity, deploying new methods targeting tech professionals and open-source projects.
Professional developers want to do the right thing, but in terms of security, they are rarely set up for success. The 2022 State of Developer-Driven Security Survey in conjunction with Evans Data supports this outlook, with 86% of surveyed developers revealing that they do not view application security as a top priority.
The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor. After security researcher 3xp0rt shared the tweet about the leaked LockBit 3.0 builder, VX-Underground shared that they were contacted on September 10th by a user named 'protonleaks,' who also shared a copy of the builder.
Password management service LastPass confirmed a security incident that resulted in the theft of certain source code and technical information. The security breach is said to have occurred two weeks ago, targeting its development environment.
Password management firm LastPass was hacked two weeks ago, allowing threat actors to steal the company's source code and proprietary technical information. After requests for information, LastPass released a security advisory today confirming that the company was breached through a compromised developer account that was used to access the company's developer environment.