Tag: supply-chain
-
Thousands of GitHub repositories’ secrets exposed by supply chain compromise
in SecurityNews. First seen on scworld.com. Jump to article: www.scworld.com/brief/thousands-of-github-repositories-secrets-exposed-by-supply-chain-compromise
-
Second GitHub Actions Supply Chain Attack Discovered
in SecurityNews. Malicious Code Injected in reviewdog Just Hours Before tj-actions Backdoored. Just days after researchers discovered an attack that subverted a widely used tool for the software development platform GitHub, they discovered a second, prior attack, as part of what one expert said may be a chain of supply chain attacks eventually leading to a specific high-value…
-
New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors
in SecurityNews. Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code. “This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent… First seen on thehackernews.com. Jump…
-
The supply chain as the primary target for cyber attackers
in SecurityNews. With the steady advance of digital transformation in recent years, companies have become increasingly dependent on numerous partners and suppliers. This shift has led to a more complex IT infrastructure and has significantly enlarged the attack surface that cybercriminals can exploit. They target the weakest link in the supply chain in order to gain access to the overall system. A…
-
Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos
in SecurityNews. Ad giant just confirmed its cloudy arm will embrace security shop in $30B deal. First seen on theregister.com. Jump to article: www.theregister.com/2025/03/18/wiz_github_supply_chain/
-
GitHub Actions supply chain attack spotlights CI/CD risks
in SecurityNews. Experts say a GitHub Actions vulnerability should renew enterprises’ attention to securing build pipelines the same way they secure production environments. First seen on techtarget.com. Jump to article: www.techtarget.com/searchitoperations/news/366621078/GitHub-Actions-supply-chain-attack-spotlights-CI-CD-risks
-
GitHub Action tj-actions/changed-files was compromised in supply chain attack
in SecurityNews. The GitHub Action tj-actions/changed-files was compromised, enabling attackers to extract secrets from repositories using the CI/CD workflow. Researchers reported that threat actors compromised the GitHub Action tj-actions/changed-files, allowing the leak of secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow. The tj-actions/changed-files GitHub Action is used in over 23,000 repositories; it automates workflows by…
-
Third of UK Supply Chain Relies on “Chinese Military” Companies
in SecurityNews. Bitsight reveals that UK companies are more exposed to cyber risk than global peers via their digital supply chains. First seen on infosecurity-magazine.com. Jump to article: www.infosecurity-magazine.com/news/third-uk-supply-chain-relies/
-
Hackers target AI and crypto as software supply chain risks grow
in SecurityNews. The growing sophistication of software supply chain attacks is driven by widespread flaws in open-source and third-party commercial software, along with malicious campaigns… First seen on helpnetsecurity.com. Jump to article: www.helpnetsecurity.com/2025/03/18/software-supply-chain-risks/
-
Supply Chain Attack Targets 23,000 GitHub Repositories
in SecurityNews. A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which is used in over 23,000 repositories. The attack involves a malicious modification of the Action’s code, leading to the exposure of CI/CD secrets in GitHub Actions build logs. This vulnerability was detected by StepSecurity’s Harden-Runner, a tool designed to secure CI/CD…
-
Supply chain attack against GitHub Action triggers massive exposure of secrets
in SecurityNews. The incident highlights ongoing security concerns in the software supply chain. First seen on cybersecuritydive.com. Jump to article: www.cybersecuritydive.com/news/supply-chain-github-exposure-secrets/742693/
-
Supply Chain Attack Targets GitHub Repositories and Secrets
in SecurityNews. Over 23,000 Code Repositories at Risk After Malicious Code Added to GitHub Action. Attackers subverted a widely used tool for the software development environment GitHub, potentially allowing them to steal secrets from thousands of private code repositories as well as compromise other widely used open source libraries, binaries and artifacts that use the tool, experts warned…
-
Supply chain attack on popular GitHub Action exposes CI/CD secrets
in SecurityNews. A supply chain attack on the widely used ‘tj-actions/changed-files’ GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs. First seen on bleepingcomputer.com. Jump to article: www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
-
FCC creates national security council to counter cyber threats from China
in SecurityNews
Tags: 5G, access, ai, attack, breach, china, communications, computing, cyber, cyberattack, cybersecurity, data, espionage, government, group, hacking, incident, infrastructure, Internet, microsoft, office, strategy, supply-chain, technology, threat, vulnerability
Three-pronged strategy: The council will pursue a tripartite strategy focusing on reducing dependency, mitigating vulnerabilities, and ensuring American technological leadership. First, it aims to reduce American technology and telecommunications sectors’ trade and supply chain dependencies on foreign adversaries. This goal aligns with broader government efforts to “friend-shore” critical technology supply chains and decrease reliance on potentially…
-
GitHub supply chain attack spills secrets from 23,000 projects
in SecurityNews. Large organizations among those cleaning up the mess. First seen on theregister.com. Jump to article: www.theregister.com/2025/03/17/supply_chain_attack_github/
-
100 Car Dealerships Hit by Supply Chain Attack
in SecurityNews. The websites of over 100 auto dealerships were found serving malicious ClickFix code in a supply chain compromise. The post 100 Car Dealerships Hit by Supply Chain Attack appeared first on SecurityWeek. First seen on securityweek.com. Jump to article: www.securityweek.com/100-car-dealerships-hit-by-supply-chain-attack/
-
⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More
in SecurityNews
Tags: attack, cybersecurity, exploit, finance, fraud, group, Hardware, malware, open-source, pypi, ransomware, router, supply-chain, threat, tool
From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source… First…
-
Popular GitHub Action Targeted in Supply Chain Attack
in SecurityNews. The tj-actions/changed-files GitHub Action, which is used in 23,000 repositories, has been targeted in a supply chain attack. The post Popular GitHub Action Targeted in Supply Chain Attack appeared first on SecurityWeek. First seen on securityweek.com. Jump to article: www.securityweek.com/popular-github-action-targeted-in-supply-chain-attack/
-
Tj-actions Supply Chain Attack Exposes 23,000 Organizations
in SecurityNews. Researchers warn that the popular open source software package tj-actions has been compromised. First seen on infosecurity-magazine.com. Jump to article: www.infosecurity-magazine.com/news/tjactions-supply-chain-attack/
-
AI development pipeline attacks expand CISOs’ software supply chain risk
in SecurityNews
Tags: access, ai, api, application-security, attack, backdoor, breach, business, ciso, cloud, container, control, cyber, cybersecurity, data, data-breach, detection, encryption, exploit, flaw, fortinet, government, infrastructure, injection, intelligence, LLM, malicious, malware, ml, network, open-source, password, penetration-testing, programming, pypi, risk, risk-assessment, russia, saas, sbom, service, software, supply-chain, threat, tool, training, vpn, vulnerability
…development pipelines are exacerbating software supply chain security problems. Incidents of exposed development secrets via publicly accessible, open-source packages rose 12% last year compared to 2023, according to ReversingLabs (RL). A scan of 30 of the most popular open-source packages found an average of six critical-severity and 33 high-severity flaws per package. Commercial software packages are also a…
-
PowerShell Gallery Prone to Typosquatting, Other Supply Chain Attacks
in SecurityNews. Microsoft is aware of the issue, but so far its attempts to address it don’t appear to have worked, researchers say. First seen on darkreading.com. Jump to article: www.darkreading.com/application-security/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks
-
Large enterprises scramble after supply-chain attack spills their secrets
in SecurityNews. tj-actions/changed-files, corrupted to run a credential-stealing memory scraper. First seen on arstechnica.com. Jump to article: arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/
-
Malicious PyPI Packages Stole Cloud Tokens, Over 14,100 Downloads Before Removal
in SecurityNews. Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as “time”-related utilities but harboring hidden functionality to steal sensitive data such as cloud access tokens. Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20 of them. The…
-
CIOs and CISOs take on NIS2: Key challenges, security opportunities
in SecurityNews
Tags: access, cio, ciso, compliance, cybersecurity, data, GDPR, group, healthcare, ISO-27001, jobs, monitoring, nis-2, office, organized, privacy, regulation, risk, skills, software, strategy, supply-chain, technology, training
Compliance will be easier for some: There are CIOs and CISOs who have found NIS2 compliance relatively easy: those who have worked toward ISO/IEC 27001:2022 certification, whether they remained in the preparation phase or actually got certified. Those who have the certification report having found themselves with “80% of the work done”: the company is ready…
-
Silk Typhoon Targeting IT Supply Chains and Network Devices, Microsoft Reports
in SecurityNews
Tags: china, espionage, exploit, group, intelligence, microsoft, network, supply-chain, tactics, threat
Microsoft Threat Intelligence has issued new reporting about tactics being used by Silk Typhoon (also called APT27 or HAFNIUM by some researchers). Silk Typhoon is a Chinese espionage group, observed targeting Microsoft Exchange Servers in 2021, now reported to be targeting common IT solutions for initial access. Microsoft reports that Silk Typhoon exploits unpatched applications…
-
Cyber risk management in the supply chain – an escalating threat landscape for supply chains
in SecurityNews. First seen on security-insider.de. Jump to article: www.security-insider.de/supply-chain-angriffe-schutz-lieferkette-a-11630a1cbc64b1e9b6d7a65efd5e83d4/
-
6 key points for your incident response plan
in SecurityNews
Tags: backup, business, ceo, ciso, compliance, cyber, cyberattack, cybersecurity, cyersecurity, finance, incident response, mail, ransomware, risk, security-incident, service, strategy, supply-chain, update
Read which steps are especially important for your emergency plan. When a company suffers a major outage of its IT systems, for example as a result of a cyberattack, it is no longer fully able to do business at that point. That is why an effective plan for responding to incidents (incident response, IR) is essential. However, it is not only about finding the source of an attack…
-
Companies are drowning in software vulnerabilities
in SecurityNews
Tags: ai, cve, cyersecurity, framework, open-source, risk, software, strategy, supply-chain, vulnerability, xss
The average time to fix security vulnerabilities has risen significantly over the past five years. According to the current State of Software Security Report from Veracode, the average remediation time for security vulnerabilities has risen from 171 to 252 days over the past five years. In addition, half (50 percent) of companies now carry high-risk “security debt” that has persisted longer…
-
Sonatype Brings Supply Chain Security Tools to Open Source AI
in SecurityNews. First seen on scworld.com. Jump to article: www.scworld.com/news/sonatype-brings-supply-chain-security-tools-to-open-source-ai