Collaborate Disseminate
We are just halfway through 2021, and have already seen an exceptional increase in open source malware and novel supply chain attacks. And, they seem to just keep coming.
The post What Constitutes a Software Supply Chain Attack? appeared first … Continue reading What Constitutes a Software Supply Chain Attack?
Node.js has released updates for a high severity vulnerability that could be exploited by attackers to crash the process and cause unexpected behaviors. The use-after-free vulnerability, tracked as CVE-2021-22930 is to do with how HTTP2 streams are han… Continue reading Node.js fixes severe HTTP bug that could let attackers crash apps
The Python Package Index (PyPI) registry has removed several Python packages this week aimed at stealing users’ credit card numbers, Discord tokens, and granting arbitrary code execution capabilities to attackers. These malicious packages were download… Continue reading PyPI packages caught stealing credit card numbers, Discord tokens
Northern Ireland’s Department of Health (DoH) has temporarily halted its COVID-19 vaccine certification web service and mobile apps following a data exposure incident. […] Continue reading Northern Ireland suspends vaccine passport system after data leak
Signal has fixed a serious bug in its Android app that, in some cases, sent random unintended pictures to contacts without an obvious explanation. Although the issue was reported in December 2020, given the difficulty of reproducing the bug, it isn’t u… Continue reading Signal fixes bug that sent random images to wrong contacts
Major news sites including The Washington Post, New York Magazine, and HuffPost, saw their stories now displaying porn videos instead of the once-embedded intended ones. The fiasco happened as prominent websites relied on the now-defunct domain vid.me … Continue reading Major news sites serve porn after vid.me domain takeover
Atlassian is prompting its enterprise customers to patch a critical vulnerability in multiple versions of its Jira Data Center and Jira Service Management Data Center products. The vulnerability tracked as CVE-2020-36239 can give remote attackers code … Continue reading Atlassian asks customers to patch critical Jira vulnerability
New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. Additionally, this malware listens for incoming connections from the attacker’s C2 server and provid… Continue reading NPM package steals Chrome passwords on Windows via recovery tool
Attackers have stolen 1 TB of proprietary data belonging to Saudi Aramco and are offering it for sale on the darknet. The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the largest public petroleum and natural gas companies in the w… Continue reading Saudi Aramco data breach sees 1 TB stolen data for sale
Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.
The post This npm Package Could Have Brought Down Cloudfl… Continue reading This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites