Security News
The security team says they found vulnerable CocoaPods pods in "The documentation or terms of service documents of applications provided by Meta, Apple, and Microsoft; as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more." E.V.A. reported the vulnerability to CocoaPods in October 2023, at which point it was patched.
EVA claims CocoaPods in 2014 migrated all "Pods" - a file describing a project's dependencies - to a new "Trunk server" on GitHub. CocoaPods authenticates new devices using an email sent to users who request a session, the researchers noted - but authentication doesn't rely on anything but a client verifying their email address by clicking a link.
A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting...
Your profile can be used to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests. Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services, possible interests and personal aspects.
Your profile can be used to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests. Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services, possible interests and personal aspects.
The heightened regulatory and legal pressure on software-producing organizations to secure their supply chains and ensure the integrity of their software should come as no surprise. In the last...
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to...
While the healthcare sector gets a "B+" security rating for the first half of 2024, it faces a critical vulnerability: supply chain cyber risk, according to SecurityScorecard. The US healthcare industry's security ratings were better than expected, with an average score of 88.
A threat actor modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them. Although it is possible that the attack impacts a larger number of WordPress plugins, current evidence suggests that the compromise is limited to the aforementioned set of five.
Over 100,000 sites have been impacted in a supply chain attack by the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites. The polyfill.io service is used by hundreds of thousands of sites to allow all visitors to use the same codebase, even if their browsers do not support the same modern features as newer ones.