Security News

Open source web programming language PHP narrowly avoided a potentially dangerous supply chain attack over the weekend. In theory, anyone who downloaded the very latest "Still in development" version of PHP on Sunday 2021-03-28, compiled it, and installed it on a real-life, internet facing web server could have been at risk.

A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide. There's much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software.

Accenture and Ripjar are collaborating with Royal Dutch Shell to further enhance risk screening within its global supply chain using artificial intelligence. Shell is leveraging Accenture's industry experience and risk expertise to configure Ripjar's AI technology for analysis of its supply chain.

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer. Threat actors are increasingly creating malicious versions of popular projects hoping that they are included in other developer's applications.

Email security biz Mimecast has dumped SolarWinds' network monitoring tool in favour of Cisco's Netflow product after falling victim to the infamous December supply chain attack. In an incident report detailing its experiences of the SolarWinds compromise, Mimecast said it had "Decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system".

The Telecommunications Industry Association published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology industry. With sophisticated supply chain cyberattacks on the rise, SCS 9001 is on an accelerated schedule to address the urgent need for an ICT-specific standard for global supply chain security.

Sigstore could eliminate the headaches associated with current software signing technology through public ledgers. The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.

Join Intel on Wednesday, March 10, at SecurityWeek's Supply Chain Security Summit, where industry leaders will examine the current state of supply chain attacks. Hear Intel's experts discuss the need for transparency and integrity across the complete product lifecycle, from build to retire.

Join Intel on Wednesday, March 10, at SecurityWeek's Supply Chain Security Summit, where industry leaders will examine the current state of supply chain attacks. Hear Intel's experts discuss the need for transparency and integrity across the complete product lifecycle, from build to retire.

If you suddenly realise you want to use Python module called asteroid, for example, you can just do pip install asteroid, after which your own Python programs can say import asteroid, and start making use of the package. A third sort of supply chain attack - one that is rather less sophisticated and has no guarantee of success, yet is extremely easy to pull off - is to create a fake package with a misleading name that users in a hurry might download and install by mistake.