Security News

Addressing Fortune 500 business concerns, this virtual series will provide the supply chain analysis of the SunBurst compromise, while offering attendees new approaches and immediate actions they can take to mitigate future unknown software supply chain attacks. "Our team led the charge in dissecting the supply chain portion of this incident and introducing new approaches that businesses can use to detect and prevent future software supply chain attacks. Through this roadshow, our experts will help attendees better understand the anatomy of a supply chain attack and receive prescriptive recommendations to stop this kind of compromise."

Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm said in a disclosure.

US cybersecurity firm Rapid7 has disclosed that some source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool. Only internal credentials and tooling source code accessed.

Rapid7 says unauthorized third-party accessed source code, customer data during Codecov supply chain breach. Enterprise security vendor Rapid7 says it was among the victims of the Codecov software supply chain attack and warned Thursday that data for a subset of its customers was accessed in the breach.

Each one of these supply chain attacks targeted a different piece of implicitly trusted infrastructure-infrastructure that you may or not be paying attention to as a potential target in your organization. Package squatting via software package repositories.

HackerOne and SecurityScorecard announced an integrated solution that uses hacker-powered security signals and data as a leading indicator for evaluating corporate and supply chain cyber risk. By seamlessly integrating the HackerOne API into the SecurityScorecard platform, users will now be able to showcase their bug bounty and vulnerability disclosure efforts in their scorecards and gain visibility into how their suppliers and partners are deploying these programs within their own environments.

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets. The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

We look into Apple's recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous "Flubot" home delivery scam works and how to stop it.

Cloud communications company Twilio has now disclosed that it was impacted by the recent Codecov supply-chain attack in a small capacity. Today, cloud communications and VoIP platform Twilio has announced that it was impacted by the Codecov supply-chain attack.

Supply chain researcher Max Justicz noticed that he could upload new PHP packages that would trick the Packagist system into running commands of his choice, rather than simply dowloading and publishing his submission. The 2018 exploit involved simply swapping out a URL for a system command, and instead of Composer downloading data from a URL, it would inadvertently run the command inserted where the URL was supposed to be.