Security News

Product showcase: Scribe platform’s end-to-end software supply chain security
2022-10-18 03:30

As software supply chain security becomes increasingly crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use. We at Scribe Security recently launched a new platform to address these urgent needs by enabling its users to build trust in their software across teams and organizations.

New security concerns for the open-source software supply chain
2022-10-17 03:30

Open-source software is a critical element of the software supply chain in companies of all sizes, but there are new security concerns for the open-source software supply chain that call for better approaches to packaging security, according to VMware. Top-level findings from The State of the Software Supply Chain: Open Source Edition 2022 show that OSS is clearly fulfilling stakeholder expectations for cost efficiency, increased flexibility, and developer productivity.

New npm timing attack could lead to supply chain attacks
2022-10-12 15:16

Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. The attack relies on a small time difference in the return of a "404 Not Found" error when querying a private package compared to a non-existent package in the repository. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists, which is the precondition for a package impersonation attack.

Scribe Platform: End-to-end Software Supply Chain Security
2022-10-12 14:28

With that in mind, they decided to take the lead and become the first vendor to introduce the concept of a hub for security evidence about software products, and have launched a friendly and easy-to-use platform. Software security evidence hub: while most other software supply chain security solutions ignore the need to make software products' security transparent to customers, buyers, and security teams, Scribe's platform introduces a hub for security evidence.

Software supply chains at risk: The account takeover threat
2022-10-05 18:38

A software supply chain attack consists of targeting software repositories or download locations in order to spread malware instead of, or in addition to, legitimate software.

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository
2022-10-04 15:09

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

Live support service hacked to spread malware in supply chain attack
2022-10-03 17:58

The official installer for the Comm100 Live Chat application, a widely deployed SaaS that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack. Because the trojanized installer carried a valid digital signature, antivirus solutions would not trigger warnings when it was launched, allowing for a stealthy supply-chain attack.

Comm100 Chat Provider Hijacked to Spread Malware in Supply Chain Attack
2022-10-03 14:35

A new supply chain attack that uses a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor has been attributed to a threat actor likely associated with China. Cybersecurity firm CrowdStrike said the attack made use of a signed Comm100 desktop agent app for Windows that was downloadable from the company's website.

Wolfi Linux provides the control needed to fix modern supply chain threats
2022-09-28 03:30

There's been a massive push for supply chain security in the last few years: integrity protection, vulnerability management, and transparency. This push has left organizations struggling to secure their pipelines and manage vulnerabilities, especially when running in the cloud.

Wolfi: A Linux undistro with security measures for the software supply chain
2022-09-22 13:00

Wolfi is a new community Linux undistribution that combines the best aspects of existing container base images with default security measures that will include software signatures powered by Sigstore, provenance, and software bills of materials. Software supply chain security is unique: many different types of attacks can target many different points in the software lifecycle.