Security News

Unpatched Flaw in Linux Pling Store Apps Could Lead to Supply-Chain Attacks
2021-06-22 21:01

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software marketplaces for the Linux platform that could potentially be abused to stage supply-chain attacks and achieve remote code execution. The vulnerability stems from the way the store's product listings page parses HTML or embedded media fields, potentially allowing an attacker to inject malicious JavaScript code that could result in arbitrary code execution.

Cryptominers Slither into Python Projects in Supply-Chain Campaign
2021-06-22 19:27

A group of cryptominers was found to have infiltrated the Python Package Index, which is a repository of software code created in the Python programming language. It offers a place where coders can upload software packages for use by developers in building various applications, services and other projects.

Attacks Against Container Infrastructures Increasing, Including Supply Chain Attacks
2021-06-21 20:05

Attacks against container infrastructure continue to increase in both frequency and sophistication. The attacks are becoming more evasive, and the supply chain is now being targeted as well.

Google Releases New Framework to Prevent Software Supply Chain Attacks
2021-06-18 03:19

As software supply chain attacks emerge as a point of concern in the wake of the SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications. Called "Supply chain Levels for Software Artifacts", the end-to-end framework aims to secure the software development and deployment pipeline - i.e., the source, build and publish workflow - and mitigate threats that arise from tampering with the source code, the build platform, and the artifact repository at every link in the chain.

Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks
2021-06-18 00:05

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA - short for Supply chain Levels for Software Artifacts and pronounced "Salsa" for those inclined to add convenience vowels - aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

Google Intros SLSA Framework to Enforce Supply Chain Integrity
2021-06-17 16:35

The U.S. tech giant this week unveiled SLSA, a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines for ensuring the integrity of software artifacts throughout the software supply chain. "The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume."

CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack
2021-06-14 21:00

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach. CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.

NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers
2021-06-14 06:34

A new cyber espionage group named Gelsemium has been linked to a supply chain attack targeting the NoxPlayer Android emulator that was disclosed earlier this year. "Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand."

Cyborg Security’s capabilities combat attacks on critical infrastructure and supply chains
2021-06-13 00:30

Cyborg Security unveiled new capabilities within the HUNTER content platform. These capabilities are designed to defend against rapidly evolving threats, including growing attacks on critical infrastructure and supply chains, while reducing Mean-Time-to-Deployment of threat hunting and detection content.

Monumental Supply-Chain Attack on Airlines Traced to State Actor
2021-06-11 14:23

A monster cyberattack on SITA, a global IT provider for 90 percent of the world's airline industry, is slowly unfurling to reveal the largest supply-chain attack on the airline industry in history. The enormous data breach, estimated to have already impacted 4.5 million passengers, has potentially been traced back to the Chinese state-sponsored threat actor APT41, and analysts are warning airlines to hunt down any traces of the campaign concealed within their networks.