Collaborate Disseminate
A new report by cyber security firm Radware identifies the four main impacts of AI on the threat landscape emerging this year. Continue reading Prompt Hacking, Private GPTs, Zero-Day Exploits and Deepfakes: Report Reveals the Impact of AI on Cyber Security Landscape
This week Jonathan Bennett and Aaron Newcomb chat with Isaac Connor about Zoneminder! That’s the project that’s working to store and deliver all the bits from security cameras — but …read more Continue reading FLOSS Weekly Episode 780: Zoneminder — Better Call Randal
Interesting social-engineering attack vector:
McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.
The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.
What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.
As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures…
Protobom is an open-source software supply chain tool that enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs), file data, and translate this data acro… Continue reading Protobom: Open-source software supply chain tool
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor…
Continue reading Other Attempts to Take Over Open Source Projects
Organizations can contribute to the platform’s GitHub or receive a framework for creating enterprise-grade generative AI systems. Continue reading Intel, VMware, Linux Foundation & Others Form Open Platform for Enterprise AI
Damn Vulnerable RESTaurant is an open-source project that allows developers to learn to identify and fix security vulnerabilities in their code through an interactive game. “I wanted to create a generic playground for ethical hackers, developers,… Continue reading Damn Vulnerable RESTaurant: Open-source API service designed for learning
The OpenJS Foundation has headed off a “credible takeover attempt” similar to the one that resulted in a backdoor getting included in the open-source XZ Utils package by someone who called themselves “Jia Tan”. This malicious ma… Continue reading New open-source project takeover attacks spotted, stymied
By Deeba Ahmed
Alarming social engineering attacks target critical open-source projects! Learn how to protect your project and the open-source community from takeovers.
This is a post from HackRead.com Read the original post: OpenSSF Warns of Fake Main… Continue reading OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects
By Uzair Amir
In the rapidly evolving work environment of today, collaborative scheduling stands out as a foundational pillar for effective…
This is a post from HackRead.com Read the original post: Collaborative Scheduling: Enhancing Team Coordin… Continue reading Collaborative Scheduling: Enhancing Team Coordination With Open-Source Tools