#supply-chain-security

#supply-chain-security

The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action. "This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation]," PSF security developer-in-residence Seth Larson warns. Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.

For Developers: * Never use pickle for untrusted data: This cannot be emphasized enough. * Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks. * Always use weights_only=True when using PyTorch's load functions. * Restrict to trusted classes: Restrict deserialization to only trusted classes. * Implement defense in depth: Don't rely on a single security measure. * Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered.

"This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks," Oasis wrote. While Cursor and other AI-powered coding tools like Claude Code and Windsurf have become popular among software developers, the technology is still fraught with bugs. Replit, another AI coding assistant that debuted its newest agent earlier this week, recently deleted a user's entire database.

The homeland is no longer secure,

Let's dig into what this really means, why it matters, and where we go from here. But then I thought a bit more. It's not just necessary-it's overdue. And not only for national security systems. This gap in software understanding exists across nearly every enterprise and agency in the public and private sector. The real challenge is not recognizing the problem. It's addressing it early, systemically and sustainably-especially in a DevSecOps context.

Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details.

The four countries said in a joint statement that they were establishing the Quad Critical Minerals Initiative, aimed at collaborating on securing and diversifying supply chains.