#supply-chain-security

[ follow ]
fromSecurityWeek
22 hours ago

PyPI Warns Users of Fresh Phishing Campaign

The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action. "This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation]," PSF security developer-in-residence Seth Larson warns. Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.
Information security
fromZero Day Initiative
1 day ago

Zero Day Initiative - CVE-2025-23298: Getting Remote Code Execution in NVIDIA Merlin

For Developers: * Never use pickle for untrusted data: This cannot be emphasized enough. * Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks. * Always use weights_only=True when using PyTorch's load functions. * Restrict to trusted classes: Restrict deserialization to only trusted classes. * Implement defense in depth: Don't rely on a single security measure. * Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered.
Information security
#npm
fromThe Hacker News
3 days ago
Information security

GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security

GitHub will strengthen npm publishing by requiring FIDO 2FA, short-lived granular tokens, trusted OIDC publishing, and deprecating legacy tokens to prevent supply chain attacks.
fromIT Pro
3 months ago
Node JS

Developers beware: Malware has been found in a dozen popular NPM packages - here's what you need to know

Over a dozen NPM packages have been compromised, delivering malware that allows attackers to control infected machines.
Node JS
fromIT Pro
3 months ago

Developers beware: Malware has been found in a dozen popular NPM packages - here's what you need to know

Over a dozen NPM packages have been compromised, delivering malware that allows attackers to control infected machines.
Software development
fromTheregister
3 days ago

RubyGems maintainer quits after Ruby Central takes control

Ellen Davis resigned after long-term RubyGems and Bundler maintainers were removed and administrative control was concentrated under Ruby Central staff.
fromZDNET
1 week ago

This 'critical' Cursor security flaw could expose your code to malware - how to fix it

"This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks," Oasis wrote. While Cursor and other AI-powered coding tools like Claude Code and Windsurf have become popular among software developers, the technology is still fraught with bugs. Replit, another AI coding assistant that debuted its newest agent earlier this week, recently deleted a user's entire database.
Information security
Software development
fromDevOps.com
2 weeks ago

Nominations Are Open: DevOps Dozen 2025 - DevOps.com

Nominations are open for the DevOps Dozen awards recognizing community leaders and tools across 24 categories emphasizing AI, platform engineering, and supply-chain security.
Information security
fromInfoQ
3 weeks ago

Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"

GitHub public commits remain archived after force pushes, exposing thousands of secrets including high-value tokens and admin-level credentials.
#contact-form-phishing
Information security
fromSecuritymagazine
4 weeks ago

1.1M Impacted by Farmers Insurance Data Breach, Security Leaders Discuss

Farmers Insurance suffered a third-party breach of ~1.1 million customers' PII—names, addresses, birthdates, driver’s license numbers, last four SSNs—possibly tied to Salesforce social engineering.
Information security
fromInfoWorld
4 weeks ago

8 vendors bringing AI to devsecops and application security

AI is becoming foundational to software security, enabling automated vulnerability remediation, real-time secure coding, and supply-chain hardening while introducing governance and risk challenges.
World news
fromTheregister
1 month ago

Trump pulls out 't-word' again over China rare earths ban

China's export controls on rare-earth minerals and processing equipment create strategic leverage over global tech and defense supply chains, prompting US tariff threats.
fromDevOps.com
1 month ago

Tackling the DevSecOps Gap in Software Understanding - DevOps.com

Let's dig into what this really means, why it matters, and where we go from here. But then I thought a bit more. It's not just necessary-it's overdue. And not only for national security systems. This gap in software understanding exists across nearly every enterprise and agency in the public and private sector. The real challenge is not recognizing the problem. It's addressing it early, systemically and sustainably-especially in a DevSecOps context.
DevOps
Software development
fromInfoQ
1 month ago

Supply Chain Security: Provenance Tools Becoming Standard in Developer Platforms

Software provenance is essential for securing supply chains and ensuring compliance with regulations like SLSA.
Health
fromMedCity News
1 month ago

Trump's Push for U.S. Drug Manufacturing Expands to Pharma Ingredients With New Executive Order - MedCity News

The Trump administration's new executive order aims to stockpile active pharmaceutical ingredients (APIs) to enhance U.S. drug manufacturing security.
#python
Artificial intelligence
fromFortune
1 month ago

Former Intel board members: America's champion is likely to retreat, and we still need a leading-edge chip manufacturer

The U.S. must prioritize American-owned semiconductor manufacturing to secure its supply chains and technological supremacy in AI and critical technologies.
Software development
fromHackernoon
6 months ago

Reproducible Go Toolchains: What You Need to Know | HackerNoon

Reproducible builds in open-source software prevent supply chain attacks by enabling verification of binaries against trustworthy sources.
fromThe Hacker News
2 months ago

5 Ways Identity-based Attacks Are Breaching Retail

Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details.
Privacy professionals
fromwww.theguardian.com
2 months ago

Quad countries agree to diversify critical mineral supplies amid China concerns

The four countries said in a joint statement that they were establishing the Quad Critical Minerals Initiative, aimed at collaborating on securing and diversifying supply chains.
US politics
#cybersecurity
fromHackernoon
2 years ago
Privacy professionals

Decentralized Public-Key Infrastructure: The Future of Supply Chain Security | HackerNoon

Information security
fromIT Pro
3 months ago

Two more NHS Trusts have been hit with cyber attacks - here's what we know so far

Cyber attacks on NHS trusts emphasize the urgent need for improved supply chain security practices.
fromHackernoon
2 years ago
Privacy professionals

Decentralized Public-Key Infrastructure: The Future of Supply Chain Security | HackerNoon

fromIT Pro
3 months ago
Information security

Two more NHS Trusts have been hit with cyber attacks - here's what we know so far

Growth hacking
fromThe Hacker News
3 months ago

Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Malicious packages in multiple repositories have been discovered, posing significant security threats in open-source ecosystems.
DevOps
fromInfoWorld
1 year ago

GitHub Artifact Attestations sign and verify software artifacts

GitHub introduced Artifact Attestations for securing software supply chains in GitHub Actions.
[ Load more ]