Entry points threaten multiple open-source ecosystems

While current tools have improved at detecting common tactics for exploiting open-source packages, a feature remains largely overlooked: entry points.

Security researchers at Checkmarx uncovered how attackers can leverage entry points across multiple programming ecosystems, with a particular focus on PyPI, to trick victims into running malicious code. This method – while not allowing for immediate system compromise – offers a subtler approach for patient attackers to...

Images weaponised in latest supply chain attack

A series of malicious packages disguised as legitimate software have been discovered in the npm registry by cybersecurity firm Phylum.

The packages – identified on 13 July 2024 – contained hidden command and control functionality embedded within image files, executed during the installation process.

Phylum researchers uncovered two packages in this campaign, with one named "img-aws-s3-object-multipart-copy" mimicking a legitimate GitHub library. The malicious version...

CocoaPods flaws highlight growing supply chain risks

Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities potentially expose millions of Apple devices to supply chain attacks, highlighting the growing risks associated with open-source software dependencies.

CocoaPods, used in over three million mobile apps, plays a crucial role in the iOS and macOS development ecosystem. The discovered...

GitHub’s 2FA rollout boosts supply chain security

In a push to enhance the security of the software supply chain, GitHub has successfully rolled out mandatory two-factor authentication (2FA) for code contributors on its platform.

GitHub’s 2FA rollout – announced in May 2022 – aimed to address the critical first link in the software supply chain by securing the developers responsible for designing, building, and maintaining the software we all rely on.

The results are in

After a year of meticulous preparation,...

Mathew Payne, GitHub: Protecting code while nurturing user experience

Developer caught up with Mathew Payne, Principal Field Security Specialist at GitHub, to discuss the platform’s security strategies and how they aim to strike a balance between robustness and a seamless user experience.

At the heart of GitHub's security philosophy lies a commitment to safeguarding user code. Payne emphasised that a major focus is on securing the code created by both users and developers.

“The first thing that we focus on at GitHub is the security...

Checkmarx uncovers supply chain attacks targeting banking

Checkmarx has uncovered a new and sophisticated cyber threat targeting the banking sector.

The security testing firm's research team detected two distinct open-source software supply chain attacks targeting financial institutions. These attacks, which involved advanced techniques and deceptive tactics, have raised alarm bells among cybersecurity experts.

Attack one: NPM

The first attack occurred on April 5th and 7th when a threat actor exploited the NPM platform,...

Visual Studio Marketplace is the latest supply chain attack vector

Aqua Security researchers have found that hackers are using Visual Studio Marketplace to conduct supply chain attacks.

In a new report, the researchers uncovered that attackers could impersonate popular VS Code extensions to trick developers into downloading malicious versions.

VS Code is the most popular IDE, with around 74.48 percent of developers using it. The vast array of extensions available for VS Code is partly what drives its popularity.

Here are some...

GitHub will mandate 2FA to help secure the software supply chain

GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.

Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.

“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity...

Large-scale supply chain attack used 218 malicious NPM packages

A large-scale supply chain attack has been uncovered that used 218 malicious NPM packages.

Researchers from JFrog claim that several of their automated analysers started throwing up alerts regarding a set of packages in the npm registry earlier this week.

Over a few days, the number of packages swelled from around 50 packages to more than 200 (as of March 21st).

The researchers manually analysed the packages and found that it was a targeted attack against the...

Software supply chain attacks increased over 300% in 2021

We all knew there was an increase in software supply chain attacks in 2021, but a new study has quantified just how bad things got.

Argon Security – recently acquired by Aqua Security – published the latest edition of its annual Software Supply Chain Security Review this week.

The headline stat from Argon’s report is that software supply chain attacks grew by more than 300 percent in 2021 compared to 2020.

Eran Orzel, Senior Director of Argon Customer...