Security News

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository
2022-10-04 15:09

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

Live support service hacked to spread malware in supply chain attack
2022-10-03 17:58

The official installer for the Comm100 Live Chat application, a widely deployed SaaS product that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack. Because the trojanized installer carried a valid digital signature, antivirus solutions would not raise warnings when it was launched, allowing for a stealthy supply-chain attack.

Comm100 Chat Provider Hijacked to Spread Malware in Supply Chain Attack
2022-10-03 14:35

A new supply chain attack, in which a trojanized installer for the Comm100 Live Chat application is used to distribute a JavaScript backdoor, has been attributed to a threat actor likely associated with China. Cybersecurity firm CrowdStrike said the attack made use of a signed Comm100 desktop agent app for Windows that was downloadable from the company's website.

Wolfi Linux provides the control needed to fix modern supply chain threats
2022-09-28 03:30

There's been a massive push for supply chain security in the last few years: integrity protection, vulnerability management, and transparency. This push has left organizations struggling to secure their pipelines and manage vulnerabilities, especially when running in the cloud.

Wolfi: A Linux undistro with security measures for the software supply chain
2022-09-22 13:00

Wolfi is a new community Linux undistribution that combines the best aspects of existing container base images with default security measures that will include software signatures powered by Sigstore, provenance, and software bills of material. Software supply chain security is unique - you've got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle.

Software supply chain security gets its first Linux distro, Wolfi
2022-09-22 13:00

Despite all the security vendors' best efforts to whitewash their products around software supply chain security, it's still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos out to the heads of federal agencies merely underscore the "Importance of secure software development environments" without much useful elaboration on how to get there. A new stack is forming, and I believe we are about to see theoretical conversations about software supply chain security leapfrog into actual implementations and refinement of best practices.

WordPress-powered sites backdoored after FishPig suffers supply chain attack
2022-09-15 02:12

Infosec outfit Sansec raised the alarm this week that FishPig's software was acting weird: when a deployment's control panel was visited by a logged-in Magento staff user, the code would automatically fetch and run from FishPig's back-end systems a Linux binary that turned out to be Rekoobe. Free versions of FishPig modules available on GitHub were likely clean.

Attackers mount Magento supply chain attack by compromising FishPig extensions
2022-09-14 13:01

FishPig, a UK-based company developing extensions for the popular Magento open-source e-commerce platform, has announced that its paid software offerings have been injected with malware after its distribution server was compromised.

Hackers breach software vendor for Magento supply-chain attacks
2022-09-13 15:21

Hackers have injected malware into multiple extensions from FishPig, a vendor of Magento-WordPress integrations with over 200,000 downloads. The intruders took control of FishPig's server infrastructure and added malicious code to the vendor's software to gain access to websites using the products, in what is described as a supply-chain attack.

Government guide for supply chain security: The good, the bad and the ugly
2022-09-06 04:00

Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.'s most prestigious security agencies dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers. My first reaction was that it's great to see these agencies adding to the public discourse in these still heady days where we're all sorting out software supply chain security best practices.