Security News

GitHub will start requiring active developers to enable two-factor authentication on their accounts beginning next week, on March 13. The gradual rollout will start next week with GitHub reaching out to smaller groups of administrators and developers via email and will speed up as the end of the year approaches to ensure that onboarding is seamless and users have time to sort out any issues.

Developers care about the quality and security of their code, and when empowered to help, developers make great security advocates who can help harden your supply chain security while reducing the burden on DevOps and security teams. Introducing security tools that allow developers to own code security within their existing development process can increase early risk identification and simplify the process of mitigating risks, slowing the growth of vulnerability backlogs.

LastPass is, once again, telling customers about a security incident related to the August 2022 breach of its development environment and subsequent unauthorized access to the company's third-party cloud storage service that hosted backups: "The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack." The second incident went initially unnoticed, LastPass says, the tactics, techniques, and procedures and the indicators of compromise of the second incident "Were not consistent with those of the first." It was only later determined that the two incidents were related.

Cybersecurity researchers are warning of "Imposter packages" mimicking popular libraries available on the Python Package Index repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.

Malicious actors have published more than 451 unique Python packages on the official Python Package Index repository in an attempt to infect developer systems with clipper malware. Targeted web browsers include Google Chrome, Microsoft Edge, Brave, and Opera, with the malware modifying browser shortcuts to load the add-on automatically upon launch using the "-load-extension" command line switch.

Malware developers and penetration testers are in high demand across dark web job posting sites, with a few astonishing - but mostly average - wages. The report found that many ads mirror the style of legitimate IT job postings but with a couple big exceptions: all the work is remote by default, and - for obvious reasons - there are no formal employment contracts for these illegal gigs.

An EMA survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. "Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from 'awareness' of AppSec to 'in-depth knowledge' and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers," Baker continued.

The packages - named colorslib, httpslib, and libhttps - by the author between January 7, 2023, and January 12, 2023. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary hosted on Dropbox, Fortinet disclosed in a report published last week.

A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks. VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows.

Threat actors have published a malicious Python package on PyPI, named 'SentinelOne,' that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers. The attack was discovered by ReversingLabs, which confirmed the malicious functionality and reported the package to SentinelOne and PyPi, leading to the removal of the package.