#software-supply-chain

[ follow ]
#cybersecurity #npm #malware #sbom #open-source-security #security #open-source #phishing #jfrog #devsecops #devops
Information security
fromTheregister
4 days ago

Chinese cyberspies compromised Russian tech provider

Chinese state-linked APT group Jewelbug compromised a Russian IT services firm from early 2025 to May, risking software supply-chain attacks on customers.
Tech industry
fromTheregister
5 days ago

'Highly sophisticated' government goons hacked F5

Nation-state hackers breached F5, stealing BIG-IP source code, undisclosed vulnerability details, and some customers' configuration data while maintaining long-term access.
fromThe Hacker News
5 days ago

Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks

"A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base," Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. "An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base."
Information security
fromSecuritymagazine
1 week ago

60% of Security Leaders Say Threat Actors Are Evolving Too Quickly

The report found that 68% of security leaders are concerned about the risks of third-party software tools and components introduced across their tech stacks. Seventy-three percent reported receiving at least one notification of a software supply chain vulnerability or incident in the past year. According to the report, 60% believe attackers are evolving too quickly to maintain a truly resilient security posture and 46% are uneasy about AI-driven features and large language models.
Information security
Information security
fromWIRED
2 weeks ago

Vibe Coding Is the New Open Source-in the Worst Way Possible

AI-generated vibe coding speeds development but can reproduce existing and new vulnerabilities, increasing software-supply-chain risk and demanding revised development lifecycles and rigorous human review.
#javascript
more#javascript
Software development
fromTheregister
2 weeks ago

Kroah-Hartman explains Cyber Resilience Act for open source

The EU Cyber Resilience Act largely protects individual open-source contributors while placing documentation, SBOM, vulnerability-tracking, and transparency obligations on product-producing organizations.
Information security
fromThe Hacker News
3 weeks ago

EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations

Threat actors hide malware inside legitimate-seeming AI and productivity tools, distributing the EvilAI campaign globally across sectors to enable stealthy, future attacks.
Information security
fromThe Hacker News
3 weeks ago

First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package

Malicious npm package 'postmark-mcp' added a BCC that forwarded every email to phan@giftshop[.]club, exposing thousands of emails and supply-chain risk.
#open-source
more#open-source
fromTheregister
3 weeks ago

OpenSSF to freeloaders: Open source infra isn't free

A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point. Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.
Software development
#open-source-security
fromNextgov.com
1 month ago
Information security

Report: Russia-based Yandex employee oversees open-source software approved for DOD use

fromNextgov.com
1 month ago
Information security

Report: Russia-based Yandex employee oversees open-source software approved for DOD use

more#open-source-security
#ai-driven-devops
more#ai-driven-devops
fromDevOps.com
1 month ago

Building End-to-End Trust in the Software Supply Chain - DevOps.com

One of the highlights Levi pointed to was AppTrust, JFrog's initiative to establish end-to-end trust across the software supply chain. By unifying governance, risk, and compliance capabilities into a single framework, AppTrust is designed to give enterprises more confidence that applications are secure and reliable from development through deployment. The goal is to tie disparate security and verification processes into one cohesive approach that simplifies how organizations enforce trust at scale.
DevOps
Information security
fromFuturism
1 month ago

CrowdStrike Infested With "Self-Replicating Worms"

A self-replicating NPM worm named Shai-Hulud stole access tokens to compromise maintainer accounts and propagate across hundreds of packages, including CrowdStrike-managed modules.
Software development
fromDevOps.com
1 month ago

Sketch Coding and the Rise of MCP in DevOps - DevOps.com

Developer-focused culture and hands-on coding drive JFrog's innovation, blending AI, DevOps, and open source to create scalable, secure software supply chain tools.
fromInfoWorld
1 month ago

JFrog announces 'agentic repo' for AI-driven development

JFrog has introduced JFrog Fly, an offering the company describes as a zero-config, "agentic repository" for accelerating AI-driven software development. Introduced September 9, JFrog Fly is intended to support agentic workflows for development teams. AI agents orchestrate artifacts across the software life cycle, enabling developers to focus on delivering software to production with speed and scale, according to JFrog. Developers can join a beta waitlist for JFrog Fly.
Artificial intelligence
#npm
more#npm
Artificial intelligence
fromDevOps.com
1 month ago

JFrog CEO: AI Agents Require Practices Beyond Security, Traceability - DevOps.com

Foundational software platforms must embed agentic AI practices, security, traceability, and a single system of record to manage AI-driven development and supply-chain risk.
Artificial intelligence
fromDevOps.com
1 month ago

JFrog Continues Leaping at SwampUP - DevOps.com

JFrog is defining modern software supply chains by unifying artifact and AI model repositories with built-in governance, compliance, and agentic automation to balance speed and trust.
Information security
fromTheregister
1 month ago

DoD reportedly relies on utility written by Russian

A widely used Node.js utility fast-glob appears maintained solely by a Yandex employee based in Russia, creating significant supply-chain security risk.
Software development
fromDevOps.com
1 month ago

The Quantum Shift Is Here: A Survival Guide for the New Era of Software - DevOps.com

Software teams now shoulder the entire software supply chain, facing unsustainable complexity, security and compliance burdens, and tool sprawl that increase cognitive load and risk.
#sbom
more#sbom
#ai
fromTechzine Global
3 months ago
DevOps

JFrog launches MCP Server for AI-driven development workflows

JFrog's MCP Server enhances developer productivity by integrating AI capabilities into coding environments.
fromWIRED
5 months ago
Artificial intelligence

AI Code Hallucinations Increase the Risk of 'Package Confusion' Attacks

AI-generated code often references non-existent third-party libraries, posing risks for supply-chain attacks.
Artificial intelligence
fromWIRED
5 months ago

AI Code Hallucinations Increase the Risk of 'Package Confusion' Attacks

AI-generated code often references non-existent third-party libraries, posing risks for supply-chain attacks.
more#ai
Information security
fromThe Hacker News
3 months ago

North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign

North Korean threat actors are deploying malicious npm packages as part of ongoing software supply chain attacks against the open-source ecosystem.
#cybersecurity
fromDevOps.com
3 months ago
Privacy professionals

Survey Surfaces Significant Lack of Visibility Into Software Supply Chain Risks - DevOps.com

fromDevOps.com
4 months ago
Software development

Checkmarx Surfaces Malicious Effort to Compromise Software Supply Chains - DevOps.com

New malware targets application developers through typo-squatting, aiming to compromise software supply chains by providing persistent access and data exfiltration.
fromThe Hacker News
5 months ago
Node JS

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials

Three malicious npm packages targeting Cursor on macOS are stealing user credentials and distributing harmful upgrades to the software.
fromDevOps.com
3 months ago
Privacy professionals

Survey Surfaces Significant Lack of Visibility Into Software Supply Chain Risks - DevOps.com

Software development
fromDevOps.com
4 months ago

Checkmarx Surfaces Malicious Effort to Compromise Software Supply Chains - DevOps.com

New malware targets application developers through typo-squatting, aiming to compromise software supply chains by providing persistent access and data exfiltration.
more#cybersecurity
fromDevOps.com
4 months ago

JFrog Extends Alliance With NVIDIA to Secure AI Software Supply Chain - DevOps.com

JFrog and NVIDIA have expanded integrations to include the Enterprise AI Factory, enabling the management of AI applications through JFrog's Software Supply Chain Platform.
Artificial intelligence
DevOps
fromInfoQ
5 months ago

Docker Introduces Hardened Images to Strengthen Container Security

Docker's Hardened Images significantly enhance container security by reducing attack surfaces and minimizing vulnerabilities.
DevOps
fromDevOps.com
5 months ago

Veracode Extends Scope and Reach of DevSecOps Portfolio - DevOps.com

Veracode enhances its risk management tool to strengthen DevSecOps capabilities and improve vulnerability identification in Kubernetes environments.
[ Load more ]