251 matches found
VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
Microsoft has announced that Visual Studio Code VS Code will apply a two-hour delay before extensions for the integrated development environment IDE are updated automatically to a newer version in an attempt to tackle software supply chain threats. "When automatic updates are enabled, new version...
Architectural Implications of the UK Cyber Security and Resilience Bill
The UK Cyber Security and Resilience CS&R Bill represents the most significant reform of UK cyber legislation since the Network and Information Systems NIS Regulations 2018. While existing analysis has addressed the Bill's regulatory requirements, there is a critical gap in guidance on the...
Exploiting PendingIntent Provenance Confusion to Spoof Android SDK Authentication
A single authentication bypass in a partner SDK grants attackers the identity of every partner in the ecosystem -- and millions of apps use SDKs with exactly this vulnerability. OWASP's 2024 Mobile Top 10 ranks Inadequate Supply Chain Security as the second most critical mobile risk, explicitly...
CVE-2026-28407
malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archiv...
CVE-2026-28407
malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archiv...
Many Hands Make Light Work: An LLM-Based Multi-Agent System for Detecting Malicious PyPI Packages
Malicious code in open-source repositories such as PyPI poses a growing threat to software supply chains. Traditional rule-based tools often overlook the semantic patterns in source code that are crucial for identifying adversarial components. Large language models LLMs show promise for software...
Strengthening supply chain security: Preparing for the next malware campaign
The open source ecosystem continues to face organized, adaptive supply chain threats that spread through compromised credentials and malicious package lifecycle scripts. The most recent example is the multi-wave Shai-Hulud campaign. While individual incidents differ in their mechanics and speed,...
CVE-2025-65109
Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have acce...
CVE-2025-65109
Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have acce...
PT-2025-47814
Name of the Vulnerable Software and Affected Versions Minder Helm version 0.20241106.3386+ref.2507dbf Minder Go versions 0.0.72 through 0.0.83 Description Minder is an open source software supply chain security platform. Minder users may be able to retrieve content through the Minder server that...
Software Supply Chain Security of Web3
Web3 applications, built on blockchain technology, manage billions of dollars in digital assets through decentralized applications dApps and smart contracts. These systems rely on complex, software supply chains that introduce significant security vulnerabilities. This paper examines the software...
EUVD-2025-150015
Malicious code in teagood-cuekin32 npm...
Publish Your Threat Models! the Benefits Far Outweigh the Dangers
Threat modeling has long guided software development work, and we consider how Public Threat Models PTM can convey useful security information to others. We list some early adopter precedents, explain the many benefits, address potential objections, and cite regulatory drivers. Internal threat...
The Geomys Standard of Care
One of the most impactful effects of professionalizing open source maintenance is that as professionals we can invest into upholding a set of standards that make our projects safer and more reliable. The same commitments and overhead that are often objected to when required of volunteers should b...
131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign
Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to...
EUVD-2010-2381
Malware in sbrugna...
EUVD-2024-2072
Malicious code in bioql PyPI...
EUVD-2024-1208
Malicious code in bioql PyPI...
EUVD-2024-1605
Malicious code in bioql PyPI...
EUVD-2024-0695
Malicious code in bioql PyPI...