Security News

White House urges devs to switch to memory-safe programming languages
2024-02-26 21:34

The White House Office of the National Cyber Director urged tech companies today to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory safety vulnerabilities. Such vulnerabilities are coding errors or weaknesses within software that can lead to memory management issues when memory can be accessed, written, allocated, or deallocated.

Raspberry Robin devs are buying exploits for faster attacks
2024-02-08 17:15

Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks. An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact that sells them to the group - most likely the latter.

'everything' blocks devs from removing their own npm packages
2024-01-04 09:55

Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm's policy. Everything prevents you from unpublishing your packages.

EU lawmakers finalize cyber security rules that panicked open source devs
2023-12-04 06:01

Infosec in brief The European Union's Parliament and Council have reached an agreement on the Cyber Resilience Act, setting the long-awaited security regulation on a path to final approval and adoption, along with new rules exempting open source software. The CRA was proposed by the European Commission in September 2022 and imposes mandatory cyber security requirements for all hardware and software products - from baby monitors to routers, as the EU Commission put it.

Malicious Solana, Kucoin packages infect NuGet devs with SeroXen RAT
2023-10-12 17:40

Malicious NuGet packages appearing to have over 2 million downloads impersonate crypto wallets, crypto exchange, and Discord libraries to infect developers with the SeroXen remote access trojan. The malicious packages uploaded on NuGet by a user named 'Disti' were discovered by Phylum researchers, who published a report today to warn about the threat.

Rust devs push back as Serde project ships precompiled binaries
2023-08-19 13:55

Serde, a popular Rustserialization project, has decided to ship its serde derive macro as a precompiled binary. According to the Rust package registry, crates.io, serde has been downloaded over 196 million times over its lifetime, whereas the serde derive macro has scored more than 171 million downloads, attesting to the project's widespread circulation.

FBI warns of scammers posing as NFT devs to steal your crypto
2023-08-04 18:11

The FBI warned today of fraudsters posing as Non-Fungible Token developers to prey upon NFT enthusiasts and steal their cryptocurrency and NFT assets. In these attacks, the criminals gain unauthorized access to NFT developer social media accounts or create nearly identical accounts to promote "Exclusive" NFT releases.

Millions of people's data stolen because web devs forget to check access perms
2023-07-29 00:09

They essentially occur when a web app or a web API backend doesn't properly check that a user is actually allowed to access some info from a database or some other resource. More specifically, IDOR bugs can occur when access is granted to stuff on the basis of the user's input, rather than from looking up that person's access rights.

GitHub warns of Lazarus hackers targeting devs with malicious projects
2023-07-20 22:48

GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware. In a new security alert, GitHub warns that the Lazarus Group is compromising legitimate accounts or creating fake personas that pretend to be developers and recruiters on GitHub and social media.

1. This crypto-coin is called Jimbo. 2. $8m was stolen from its devs in flash loan attack
2023-05-30 23:56

Just days after releasing the second - and supposedly more stable and secure - version of its decentralized finance app, Jimbos Protocol over the weekend was hit by attackers who stole stole 4,090 ETH tokens from the project worth about $7.5 million. The developers behind the Arbitrum-based app were the apparent victims of a flash loan attack and now are scrambling to track down the light-fingered coders and retrieve the lost funds.