Security News
Where are we today and what are some of the tailwinds driving the implementation of AI into supply chains, especially coming out of COVID? Where do we see the future of AI in modern supply chains and in the supply chains of the future?
As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use. We at Scribe Security recently launched a new platform to address these urgent needs by enabling its users to build trust in their software across teams and organizations.
Open-source software is a critical element of the software supply chain in companies of all sizes, but there are new security concerns for the open-source software supply chain - calling for better approaches to packaging security, according to VMware. Top-level findings from The State of the Software Supply Chain: Open Source Edition 2022, show that OSS is clearly fulfilling stakeholder expectations for cost efficiency, increased flexibility, and developer productivity.
Security researchers have discovered an npm timing attack that reveals the names of private packages, so that threat actors can publish malicious public clones under those names and trick developers into installing them instead. The attack relies on a small difference in how long the registry takes to return a "404 Not Found" error for a private package compared with a package that does not exist at all. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists and to mount package impersonation attacks against it.
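The measurement behind that attack, and the defensive check that falls out of it, as an added example (this is not code from the researchers, from npm, or from the article). The registry URL and the scoped package names are assumptions, and the timing samples are constructed, not measured: they only stand in for the kind of data a real probe would collect.

```python
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the public npm registry serves package metadata at /<urlencoded name>.
REGISTRY = "https://registry.npmjs.org"


def package_url(name: str) -> str:
    """Build the registry metadata URL; scoped names keep '@' and encode the '/'."""
    return f"{REGISTRY}/{urllib.parse.quote(name, safe='@')}"


def probe_404_latency_ms(name: str, attempts: int = 8) -> list[float]:
    """Time how long the registry takes to answer 404 for `name`, `attempts` times.

    Needs network access; the offline classification below uses constructed
    samples instead. A 200 means the name is already public, which for a name
    you believe to be private is the clone the article warns about, so it is
    raised rather than silently timed.
    """
    samples = []
    for _ in range(attempts):
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(package_url(name), timeout=10):
                raise ValueError(f"{name} resolves publicly; check it is yours")
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
        samples.append((time.perf_counter() - start) * 1000.0)
    return samples


def exists_privately(candidate_ms: list[float], baseline_ms: list[float],
                     threshold_ms: float = 100.0) -> tuple[bool, float]:
    """Decide whether a name that returned 404 is really a private package.

    Medians are compared rather than means so one slow request (a retry, a
    cold cache) cannot dominate. The default threshold sits below the
    few-hundred-millisecond gap reported for the attack but above ordinary
    jitter; tune it against your own baseline from the vantage point you probe from.
    """
    delta = statistics.median(candidate_ms) - statistics.median(baseline_ms)
    return delta > threshold_ms, delta


# Constructed timing samples (milliseconds), not real measurements: a baseline of
# random names that cannot exist, a scoped name behaving like a private package
# (including one outlier that a mean would be fooled by), and a scoped name
# behaving like a genuinely unknown one.
BASELINE_MS = [92.0, 95.0, 101.0, 89.0, 97.0, 104.0, 93.0, 99.0]
LIKELY_PRIVATE_MS = [381.0, 402.0, 395.0, 1210.0, 376.0, 398.0, 390.0, 405.0]
LIKELY_ABSENT_MS = [97.0, 103.0, 91.0, 99.0, 96.0, 108.0, 94.0, 100.0]


def demo() -> dict[str, bool]:
    """Classify two hypothetical scoped names against the constructed baseline."""
    return {
        "@acme/billing-core": exists_privately(LIKELY_PRIVATE_MS, BASELINE_MS)[0],
        "@acme/does-not-exist": exists_privately(LIKELY_ABSENT_MS, BASELINE_MS)[0],
    }


if __name__ == "__main__":
    for name, private in demo().items():
        print(f"{name}: {'likely private' if private else 'likely absent'}")
```

Run against real names, the baseline should come from freshly generated random names in the same scope, measured in the same session, so that registry load and CDN path are held constant. The same probe doubles as a defender's check: pointing it at your own private package names and treating a 200 as an alert tells you whether someone has already published a public clone. The attack works at all because the private name is unreserved on the public side, so the standard mitigation is to own the scope as an npm organization on the public registry, which blocks third parties from publishing anything under it.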
With that in mind, Scribe Security decided to take the lead and become the first vendor to introduce the concept of a hub for security evidence about software products, and has launched a friendly and easy-to-use platform. Software security evidence hub: while most other software supply chain security solutions ignore the need to make a software product's security transparent to customers, buyers, and security teams, Scribe's platform introduces a hub for security evidence.
Software supply chains at risk: The account takeover threat. A software supply chain attack consists of targeting software repositories or download locations, in order to spread malware instead of or in addition to legitimate software.
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.
The official installer for the Comm100 Live Chat application, a widely deployed SaaS that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack. Because the trojanized installer carried a valid digital signature, antivirus solutions did not raise warnings when it was launched, allowing for a stealthy supply-chain attack.
A threat actor likely with associations to China has been attributed to a new supply chain attack that involves the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Cybersecurity firm CrowdStrike said the attack made use of a signed Comm100 desktop agent app for Windows that was downloadable from the company's website.
There's been a massive push for supply chain security in the last few years: integrity protection, vulnerability management, and transparency. This push has left organizations struggling to secure their pipelines and manage vulnerabilities, especially when running in the cloud.