Security News

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
2024-02-15 14:20

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains....

MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries
2024-01-22 16:35

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate. "Access to...

Microsoft Edge, Teams get fixes for zero-days in open-source libraries
2023-10-03 14:54

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The libwebp library is used by a large number of projects for encoding and decoding images in the WebP format, including modern web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers, as well as popular apps like 1Password and Signal.

Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel
2023-08-28 15:40

In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities.

NordVPN open sources its Linux VPN client and libraries
2023-03-15 21:34

Nord Security has released the source code of its Linux NordVPN client and associated networking libraries in the hopes of being more transparent and easing users' security and privacy concerns. As part of this announcement, NordVPN released the source code for its Linux applications and two libraries - Libtelio and Libdrop.

Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries
2023-02-23 06:25

Cybersecurity researchers are warning of "Imposter packages" mimicking popular libraries available on the Python Package Index repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.

Vulnerabilities in cryptographic libraries found through modern fuzzing
2023-01-13 14:47

Recently patched vulnerabilities in MatrixSSL and wolfSSL, two open-source TLS/SSL implementations / libraries for embedded environments, have emphasized the great potential of using fuzzing to uncover security holes in implementations of cryptographic protocols. Fuzzing cryptographic libraries to flag security flaws.

Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection
2022-11-30 13:44

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "Unexpected behavior" in the npm command line interface tool. Npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.

Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection
2022-11-30 13:44

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "Unexpected behavior" in the npm command line interface tool. Npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.

Warning over Java libraries and deserialization security weaknesses
2022-08-22 20:00

Boffins at universities in France, Germany, Luxembourg, and Sweden took a deep dive into known Java deserialization vulnerabilities, and have now resurfaced with their findings. Log4Shell, the remote code execution flaw affecting the Apache Log4j logging library was made possible by Java deserialization.