Security News
Anyscale announced Ray 1.0, the latest version of the Ray open source project. Ray 1.0, which provides a universal serverless compute API and an expanded ecosystem of libraries, was shared with attendees at the first annual Ray Summit, along with the announcement of the private beta of Anyscale's managed Ray platform.
How many vulnerabilities lurk inside the bazillions of open source libraries that today's developers happily borrow to build their applications? Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.
Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, a Veracode research reveals. An application's attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.
A legitimate file may be called "Thisisafile.exe," while a malicious impersonator may call itself "This1safile.exe." Unobservant users could thus download the malicious file by mistake. If developers accidentally downloaded the rogue files instead of the legitimate gems they were looking for, the software packages they built using the libraries would automatically harbor the Bitcoin-stealer, endangering all users of that software.
As developers increasingly embrace off-the-shelf software components into their apps and services, threat actors are abusing open-source repositories such as RubyGems to distribute malicious packages, intended to compromise their computers or backdoor software projects they work on. In the latest research shared with The Hacker News, cybersecurity experts at ReversingLabs revealed over 700 malicious gems - packages written in Ruby programming language - that supply chain attackers were caught recently distributing through the RubyGems repository.
A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser. Similar to other major browsers, Firefox relies on third-party libraries to render content - such as audio, video, and images - and these libraries often introduce additional vulnerabilities, researchers from the University of California San Diego, University of Texas at Austin, Stanford University and Mozilla say.
Python developers have once again fallen victim to malicious software libraries lurking in their favourite package manager.
Small governments make up two-thirds of infections observed by infosec bods Ransomware criminals have taken a particular shine to US city and state governments, infecting them with file-scrambling...
The proliferation of malicious packages in repositories for software developers that rely on typosquatting points to a problem: A reliance on flat namespaces.
Organizations are becoming increasingly dependent on open source libraries (OSLs) to develop code for software and websites. However, Jing Xie, senior threat intelligence researcher for Venafi,...