CyberNews
One-fifth of Docker Hub repositories are malicious, researchers find
Nearly three million repositories on Docker Hub, a platform for web developers to collaborate on their code for web applications, contain malicious content.
Cyber Security News
Millions of Docker Hub Repositories Found Pushing Malware for Over 5 Years
Repositories on Docker Hub, a popular platform for developers to store and share containerized applications, have been exploited to spread malicious software and phishing scams.
DarkReading
Attackers Planted Millions of Imageless Repositories on Docker Hub
The purported metadata for each these containers had embedded links to malicious files.
Bleeping Computer
Millions of Docker repos found pushing malware, phishing sites
Three large-scale campaigns have targeted Docker Hub users, planting millions of repositories designed to push malware and phishing sites since early 2021.
SecurityWeek
Docker Hub Users Targeted With Imageless, Malicious Repositories
JFrog raises an alarm after finding three large-scale malware campaigns targeting Docker Hub with imageless repositories.
Infosecurity News
Millions of Malicious Containers Found on Docker Hub
According to JFrog, approximately 25% of all repositories lack useful functionality and serve as vehicles for spam and malware
The Hacker News
Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years
Millions of malicious "imageless" containers have been planted on Docker Hub over the past 5 years in multiple cybercriminal campaigns.
CyberNews
Software supply chain risks for AI and ML models
How AI and ML models can increase software supply chain risks and lead to cybersecurity incidents
DarkReading
Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases
Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but security researchers found ways to circumvent the protections.
CyberSecurity Dive
Motivations behind XZ Utils backdoor may extend beyond rogue maintainer
Security researchers are raising questions about whether the actor behind an attempted supply chain attack was engaged in a random, solo endeavor.
Infosecurity News
Trusted Contributor Plants Backdoor in Critical Open-Source Library
A backdoor in XZ Utils, a widely used file-compressing software in Linux systems, could have led to a critical supply chain attack had a Microsoft researcher not spotted it in time
The Hacker News
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
Popular Linux compression tool XZ Utils found with backdoor. Threat actors can remotely execute code on your machine, bypassing authentication.
DarkReading
XZ Utils Backdoor Implanted in Intricate Supply Chain Attack
Had a researcher not spotted the malware when he did, the outcome could have been much worse.
CyberSecurity Dive
Security concerns creep into generative AI adoption
As the AI ecosystem grows and more tools connect to internal data, threat actors have a wider field to introduce vulnerabilities.
The Hacker News
Over 800 npm Packages Found with Discrepancies, 18 Exploitable to 'Manifest Confusion'
New report reveals 800+ packages in the npm registry contain hidden code discrepancies.
DarkReading
ML Model Repositories: The Next Big Supply Chain Attack Target
Machine-learning platforms like Hugging Face are suspectible to the same kind of attacks that threat actors have executed successfully for years via npm, PyPI, and other open source repos.
The Hacker News
Over 100 Malicious AI/ML Models Found on Hugging Face Platform
Over 100 AI/ML models discovered with malicious intent on the Hugging Face platform. The cyber realm faces a new threat.
Ars Technica
Hugging Face, the GitHub of AI, hosted code that backdoored user devices
Malicious submissions have been a fact of life for code repositories. AI is no different.
DarkReading
Hugging Face AI Platform Riddled With 100 Malicious Code-Execution Models
The finding underscores the growing risk of weaponizing publicly available AI models and the need for better security to combat the looming threat.
Bleeping Computer
Malicious AI models on Hugging Face backdoor users’ machines
At least 100 instances of malicious AI ML models were found on the Hugging Face platform, some of which can execute code on the victim's machine, giving attackers a persistent backdoor.
SecurityWeek
Cyber Insights 2024: Supply Chain
Supply chain security: A successful attack against a supplier can lead to multiple opportunities against the supplier’s downstream customers
DarkReading
Linux Distros Hit By RCE Vulnerability in Shim Bootloader
However, not everyone agrees with the NVD's assessment of CVE-2023-40547 being a near-maximum severity bug.
The Hacker News
Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines
Malicious code hiding in seemingly innocent PyPI packages steals your passwords, crypto & more
Security Affairs
Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
Multiple proof-of-concept (PoC) exploits for recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released.
The Hacker News
New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security
Researchers uncover a critical SSH protocol vulnerability, "Terrapin" (CVE-2023-48795), allowing attackers to compromise secure connections.
The Hacker News
Malicious NuGet Package Targeting .NET Developers with SeroXen RAT
Malicious NuGet package distributing SeroXen RAT targets .NET developers.
The Hacker News
Two High-Risk Security Flaws Discovered in Curl Library - New Patches Released
Security Advisory : Two major security flaws in the Curl data transfer library exposed.
CSO
JFrog combines ML development with DevSecOps
ML model management capabilities manage the organization’s local and open source ML models and ensure the security of those models through SDLC.
Infosecurity News
High-Severity Access Control Vulnerability Found in Spring WebFlux
Tracked as CVE-2023-34034, the flaw has a CVSS score of 9.8
CSO
JFrog adds new DevOps capability for vetting external packages
JFrog Curation vets and blocks infected open source or third-party packages before they enter development.
CSO
Thousands of misconfigured container and artifact registries expose sensitive credentials
Shadow IT or careless configuration of container and artifact registries could give attackers access to sensitive data and inject malicious code.
DarkReading
Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning
Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.
The Hacker News
Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages
Cybersecurity researchers have uncovered a sophisticated typosquatting campaign that deployed cryptocurrency stealer malware via 13 malicious NuGet.
The Hacker News
Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware
NuGet Repository under attack! New malicious campaign aims to infect #DotNET developer systems with cryptocurrency stealer malware.
Cyber Security News
Hackers Attack .NET Developers Using Malicious NuGet Repository Packages
There is a concerning trend among cybercriminals targeting individuals working with the .NET framework using a sneaky tactic called typosquatting.
Bleeping Computer
Hackers target .NET developers with malicious NuGet packages
Threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
CSO
PyTorch suffers supply chain attack via dependency confusion
A rogue packet on the machine learning framework allowed the attacker to exfiltrate data, including SSH keys.
The Hacker News
PyTorch Machine Learning Framework Compromised with Malicious Dependency
PyTorch, a well-known machine learning framework, fell victim to a supply chain attack between Dec. 25 and Dec. 30, 2022
The Hacker News
Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection
An "unexpected behavior" in the npm command line interface could allow malicious NPM libraries to bypass security checks and hide vulnerabilities.
DarkReading
Apache Commons Vulnerability: Patch but Don't Panic
Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.
Infosecurity News
LofyGang Group Linked to Recent Software Supply Chain Attacks
The group focuses on utilizing open-source software for malicious purposes
DarkReading
LofyGang Uses 100s of Malicious NPM Packages to Poison Open Source Software
The group has been operating for over a year, promoting their tools in hacking forums, stealing credit card information, and using typosquatting techniques to target open source software flaws.
Bleeping Computer
LofyGang hackers built a credential-stealing enterprise on Discord, NPM
A threat group using the name 'LofyGang', operating since 2020, is considered responsible for creating and distributing over 200 malicious packages on multiple code hosting platforms, including GitHub and NPM.
The Hacker News
LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data
A hacker group called LofyGang distributed nearly 200 trojanized packages on the NPM open source repository that steals credit card information.
SecurityWeek
Rust Gets a Dedicated Security Team
The non-profit Rust Foundation has scored funding to build a dedicated security team to proactively address security defects in the popular Rust programming language.
SecurityWeek
Details Disclosed for OPC UA Vulnerabilities Exploited at ICS Hacking Competition
JFrog has disclosed the details of several DoS and remote code execution vulnerabilities affecting OPC UA, including flaws exploited at an ICS hacking competition.
Security Affairs
Experts found 10 malicious packages on PyPI used to steal developers’ data
10 packages have been removed from the Python Package Index (PyPI) because they were found harvesting data. Check Point researchers have discovered ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers. The researchers provide details about […]
Infosecurity News
New Malicious Python Libraries Found on PyPI Repository
Some of these packages were capable of stealing user credentials and environment variables
ThreatPost
Malicious Npm Packages Tapped Again to Target Discord Users
Recent LofyLife campaign steals tokens and infects client files to monitor various user actions, such as log-ins, password changes and payment methods.
CSO
GitGuardian launches ggcanary project to help detect open-source software risks
GitGuardian says its new open-source canary tokens project helps businesses detect breaches as they unfold.
Security Affairs
Researchers disclosed a remote code execution flaw in Fastjson Library
Researchers disclosed a remote code execution vulnerability, tracked as CVE-2022-25845, in the popular Fastjson library. Cybersecurity researchers from JFrog disclosed details of a now patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Fastjson is a Java library that can be used to convert Java Objects into their JSON representation. […]
CSO
New Mend service auto-detects and fixes code, app security issues
Mend, formerly WhiteSource, announces new service designed to detect and fix code security issues, reduce the software attack surface and application security burden.
The Hacker News
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
Two trojanized Python and PHP packages, "ctx" and "phpass," have been uncovered in another instance of a software supply chain attack.
DarkReading
Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems
The PyPI "pymafka" package is the latest example of growing attacker interest in abusing widely used open source software repositories.
ZDNet
White House joins OpenSSF and the Linux Foundation in securing open-source software | ZDNet
Open-source software supply chain security is now a vital issue of national security.
The Record
How a pentester's attempt to be 'as realistic as possible' alarmed cybersecurity firms
Pentersters working for a threat intelligence firm are facing backlash after several researchers were fooled into thinking an npm supply chain attack on German companies was a legitimate hack.
Ars Technica
Backdoor in public repository used new form of attack to target big firms
Dependency confusion attacks exploit our trust in public code repositories.
The Hacker News
Malicious NPM Packages Target German Companies in Supply Chain Attack
Researchers uncover a new NPM supply-chain attack campaign in which attackers distribute malicious packages to compromise leading German companies.
ZDNet
Docker Desktop for Linux finally arrives | ZDNet
Docker is finally bringing its container development and deployment tool, Docker Desktop, to Linux.
SecurityWeek
The VC View: The DevSecOps Evolution and Getting "Shift Left" Right
For providers of DevSecOps services and solutions, the focus should be on removing friction from integrating security and helping teams come together to make security everyone’s responsibility.
CSO
Spring4Shell patching is going slow but risk not comparable to Log4Shell
More tools to identify vulnerable applications and options to mitigate the risk from Spring4Shell are also now available.
DarkReading
Millions of Installations Potentially Vulnerable to Spring Framework Flaw
Internet scan indicates hundreds of thousands of vulnerable installations, while data from the major Java repository suggests millions, firms say.
CSO
Remote code execution flaws in Spring and Spring Cloud frameworks put Java apps at risk
Users are urged to update both the Spring Framework and Spring Boot tool.
The Hacker News
A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages
Researchers uncover an ongoing large-scale supply-chain attack which exploits dependency confusion attacks against the NPM package repository.
ZDNet
Hundreds more packages found in malicious npm 'factory' | ZDNet
Over 600 malicious packages were published in only five days.
ThreatPost
Microsoft Azure Developers Awash in PII-Stealing npm Packages
A large-scale, automated typosquatting attack saw 200+ malicious packages flood the npm code repository, targeting popular Azure scopes.
CyberNews
Booming business: average ransom payment almost doubles | CyberNews
Extortion gangs continue to wreak havoc with the ever-expanding ecosystem and ballooning ransom demands.
CyberNews
Azure developers targeted in a large supply chain attack | CyberNews
Over 200 hundred malicious NPM packages were crafted to steal developers’ PII.
ZDNet
Malicious npm packages target Azure developers to steal personal data | ZDNet
Typosquatting and automatic tools are the weapons of choice.
The Hacker News
Over 200 Malicious NPM Packages Caught Targeting Azure Developers
Researchers identified over 200 malicious NPM packages distributed through official repositories that targeted Azure developers.
ZDNet
Some developers are fouling up open-source software
From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone.
The Hacker News
Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data
Multiple high-severity vulnerabilities uncovered in widely used open-source ClickHouse OLAP Database Management System (DBMS) for Big Data.
Cyber Security News
RCE Flaws Found in Communication Library Used by WhatsApp
The PJSIP open-source library is one of the most used libraries which is used by WhatsApp and several other VoIP applications. But, recently, several critical RCE flaws have been detected in PJSIP open source library.
SecurityWeek
Open Source Security Foundation Now Counts 60 Members
OpenSSF announces that 19 more organizations have joined the initiative, which now has a total of 60 members.
The Hacker News
Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack
Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack
ThreatPost
RCE Bugs Found in WhatsApp, Other Hugely Popular VoIP Apps: Patch Now!
Three of the vulnerabilities can lead to remote-code execution if successfully exploited, and the other two are DoS vulnerabilities.
ZDNet
Malware authors target rivals with malicious npm packages | ZDNet
Trojan packages reveal what could be internal rivalry between cybercriminals.
The Hacker News
25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository
A new batch of malicious JavaScript libraries has been found in NPM's package repository.
ZDNet
Apache Cassandra users urged to upgrade after vulnerability disclosed | ZDNet
JFrog's Security Research found a remote code execution vulnerability in Apache Cassandra.
ThreatPost
High-Severity RCE Bug Found in Popular Apache Cassandra Database
On the plus side, only instances with non-standard not recommended configurations are vulnerable. On the downside, those configurations aren't easy to track down, and it's easy as pie to exploit.
Security Affairs
Experts disclose details of Apache Cassandra DB RCE
Researchers disclose a now-patched remote code execution (RCE) vulnerability in the Apache Cassandra database software. JFrog researchers publicly disclosed details of a now-patched high-severity security vulnerability (CVE-2021-44521) in Apache Cassandra database software that could be exploited by remote attackers to achieve code execution on affected installations. Apache Cassandra is an open-source NoSQL distributed database used […]
SecurityWeek
High-Severity Vulnerability Found in Apache Database System Used by Major Firms
Researchers have published full technical details on a high-severity remote code execution vulnerability addressed in the latest version of Apache Cassandra.
The Hacker News
High-Severity RCE Security Bug Reported in Apache Cassandra Database Software
A new high-severity remote code execution vulnerability (CVE-2021-44521) has been reported in Apache Cassandra NoSQL database software.
SecurityWeek
2021 Record Year for Cybersecurity M&A, Financing: Report
2021 was a record year for cybersecurity M&A and financing activity, according to financial advisory firm Momentum Cyber.
ZDNet
When open-source developers go bad | ZDNet
JavaScript developer Marak Squires wasn't happy about not making money from his open-source libraries, so he deliberately corrupted them, leaving programmers and end-users with dead-in-the-water programs.
ZDNet
KCodes NetUSB kernel remote code execution flaw impacts millions of devices | ZDNet
The vulnerability is present in software licensed to multiple router vendors.
ThreatPost
Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
Critical flaw in the H2 open-source Java SQL database are similar to the Log4J vulnerability, but do not pose a widespread threat.
ZDNet
JFrog researchers find JNDI vulnerability in H2 database consoles similar to log4shell | ZDNet
JFrog's senior director of security research said the vulnerability has a root cause similar to Log4Shell.
ZDNet
Log4j flaw hunt shows how complicated the software supply chain really is | ZDNet
A new analysis shows why the Log4j flaw for Java web applications will haunt tech people for years.
ZDNet
Malware distribution in public repositories highlighted by malicious npm packages stealing Discord tokens | ZDNet
JFrog researchers found 17 malicious packages in the npm repository that intentionally seek to attack and steal a user's Discord tokens.
ThreatPost
Malicious npm Code Packages Built for Hijacking Discord Servers
The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases.
The Record
Malicious npm packages caught stealing Discord tokens, environment variables
The Node Package Manager (npm) security team has removed 17 JavaScript libraries this week that contained malicious code to collect and steal Discord access tokens and environment variables from users' computers.
Bleeping Computer
INFRA:HALT security bugs impact critical industrial control devices
High-severity and critical vulnerabilities collectively referred to as INFRA:HALT are affecting all versions of NicheStack below 4.3, a proprietary TCP/IP stack used by at least 200 industrial automation vendors, many in the leading segment of the market.
Bleeping Computer
PyPI packages caught stealing credit card numbers, Discord tokens
The Python Package Index (PyPI) registry has removed several Python packages this week aimed at stealing users' credit card numbers, Discord tokens, and granting arbitrary code execution capabilities to attackers. These malicious packages were downloaded over 30,000 times according to the researchers who caught them.