The Cyber Express
Critical XZ Utils Backdoor (CVE-2024-3094) Leads to SSH Compromise
A critical vulnerability has been discovered within the XZ Utils library (a command line tool for compressing and decompressing XZ
DarkReading
In this Tech Tip, we outline how to check if a system is impacted by the newly discovered backdoor in the open source xz compression utility.
Cyber Security News
The XZ cyber incident is a textbook example of how sophisticated social engineering tactics can lead to significant security breaches.
Security Affairs
Red Hat warns of a backdoor in XZ Utils data compression tools and libraries in Fedora development and experimental versions.
SecurityWeek
The discovery of the XZ Utils backdoor reminds an F-Droid developer of a similar incident that occurred a few years ago.
SecurityWeek
Major Linux distributions have been impacted by a supply chain attack involving backdoored versions of the XZ Utils data compression library.
The Hacker News
Malicious "test files" linked to the XZ Utils backdoor found in popular Rust crate liblzma-sys, downloaded over 21,000 times.
HACKRead
A vulnerability, CVE-2024-3094, was discovered in the XZ Utils package. This vulnerability threatens Linux systems with backdoor attacks.
Bleeping Computer
Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094.
The Hacker News
Secret backdoor found in XZ Utils compression library used by major Linux distros, like Fedora, Kali Linux, and openSUSE.
The Hacker News
Popular Linux compression tool XZ Utils found with backdoor. Threat actors can remotely execute code on your machine, bypassing authentication.
Bleeping Computer
Today, Red Hat warned users to immediately stop using systems running Fedora development versions because of a backdoor found in the latest XZ data compression tools and libraries.
Cyber Security News
A backdoor was recently discovered in the xz-utils package versions 5.6.0 to 5.6.1, shocking the Linux community. This poses a significant threat to the security of Linux distributions, including Kali Linux.
DarkReading
Unlike the SolarWinds and CodeCov incidents, all that it took for an adversary to nearly pull off a massive supply chain attack was some slick social engineering and a string of pressure emails.
DarkReading
Had a researcher not spotted the malware when he did, the outcome could have been much worse.
DarkReading
Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.
CyberSecurity Dive
Security researchers are raising questions about whether the actor behind an attempted supply chain attack was engaged in a random, solo endeavor.
Infosecurity News
Two open source organizations have revealed attempts to socially engineer project takeovers.
CyberSecurity Dive
The attempted malicious backdoor may have been part of a wider campaign using social engineering techniques, the open source community warned.
Ars Technica
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
The Record
The thwarted social engineering attempts highlight the urgent need to address weaknesses in the management of open source software.
CyberSecurity Dive
OSSF developed warning system to protect open source maintainers, developers from social engineering, active exploits.
Ars Technica
Malicious code planted in xz Utils has been circulating for more than a month.
The Hacker News
Security researchers uncover a "credible" takeover attempt on the OpenJS Foundation, mirroring a recent incident with XZ Utils.
The Record
The malicious code affects XZ Utils, a tool that helps compress large file formats which is present in nearly every Linux distribution.
SecurityWeek
OpenSSF and OpenJS incidents similar to XZ backdoor, Moldovan botnet operator charged, US automotive company targeted by FIN7.
CyberScoop
An operation to undermine the software utility XZ Utils has exposed the fragile human foundations on which the modern internet is built.
CyberSecurity Dive
Federal officials are said to be investigating potential links between the recent XZ Utils campaign and new threat activity against JavaScript project maintainers.
Infosecurity News
A backdoor in XZ Utils, a widely used file-compressing software in Linux systems, could have led to a critical supply chain attack had a Microsoft researcher not spotted it in time.
Cyber Security News
Fedora Linux 40 beta users have been urged to take immediate action after an upstream supply chain attack that has compromised the SSH protocol.
SC Magazine
The critical supply chain threat affects beta releases of Red Hat Fedora, Debian and more.
Security Affairs
Researchers from the firmware security firm Binarly released a free online scanner to detect the CVE-2024-3094 backdoor.
Cyber Security News
Attackers tried to take over the JavaScript project from OpenJS Foundation, which is home to JavaScript projects utilized by billions of
HACKRead
The OpenSSF issued alerts for social engineering takeovers of open-source projects after hackers tried to gain control of an OpenJS-hosted project.
CyberSecurity Dive
With a CVSS of 10, CISA urged users and developers to downgrade to an uncompromised version, search for any malicious activity and report findings back to the agency.
HACKRead
A new vulnerability dubbed 'LeakyCLI' leaks cloud credentials, especially impacting popular services like AWS and Google Cloud.
Security Affairs
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs are free for you.
SecurityWeek
A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.
SecurityWeek
Noteworthy stories that might have slipped under the radar: Volkswagen hacked by Chinese threat group, DDoS service shut down, Rubrik IPO.
SecurityWeek
Vulnerability (CVE-2024-28085) in core Linux system utilities package util-linux allows attackers to leak user passwords using fake prompts.
The Hacker News
Researchers found a malicious Python package called requests-darwin-lite hiding a sneaky malware.
SecurityWeek
CISA instructs federal agencies to mitigate CVE-2024-1086, a Linux kernel flaw leading to privilege escalation.
The Record
Cisco said the breach occurred in the system of a telephony supplier that its Duo unit uses to send MFA messages.
DarkReading
Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from NSA.
SecurityWeek
Backdoored JAVS courtroom recording and management software installer puts thousands at risk of complete takeover.
Security Affairs
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs are free for you.
The Hacker News
Millions of malicious "imageless" containers have been planted on Docker Hub over the past 5 years in multiple cybercriminal campaigns.
SecurityWeek
Checkmarx warns of a new attack relying on GitHub search manipulation to deliver malicious code.
Cyber Security News
In order to enhance your security posture and defenses, it is essential that you have up-to-date knowledge on two key things like emerging cyber risks and attack vectors.
SecurityWeek
With $10 million in funding, cybersecurity startup Simbian is building a fully autonomous security platform using AI.
Bleeping Computer
The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. There is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack.
Cyber Security News
Welcome to this week's edition of the Cyber Security News Weekly Round-Up. This issue covers the latest vulnerabilities, cyber attacks, and emerging threats that have been making headlines. Stay informed and stay secure!
Bleeping Computer
Recent high-profile malware attacks teach us lessons on limiting malware risks at organizations. Learn more from Blink Ops about what these attacks taught us.
Cyber Security News
Running a system network is not so easy, and for this, you need to select the right sysadmin tools so that work can happen peacefully.
Bleeping Computer
Today is Microsoft's April 2024 Patch Tuesday, which includes security updates for 150 flaws and sixty-seven remote code execution bugs.