Vụ tấn công chuỗi cung ứng nhắm vào X, Vercel, Cursor, Discord cảnh báo: phụ thuộc phần mềm dễ bị khai thác. Đừng quên chạy npm audit, dùng Dependabot, Snyk và thiết lập CI/CD kiểm tra bảo mật. Xây dựng văn hoá bảo mật trong dev! #SupplyChainAttack #Cybersecurity #DevSecOps #BảoMật #PhátTriển #DependencyConfusion

https://dev.to/technoblogger14o3/we-pwned-x-vercel-cursor-and-discord-through-a-supply-chain-attack-4ffc

Ich bin geschockt und schockiert. Was ein Schocker! Wer hätte das denn ahnen können?

https://arxiv.org/pdf/2406.10279

TLDR: Künstliche Intelligenz halluziniert konsequent Pakete, welche sich, sofern ein Programmierer sich auf die KI verlässt, per Dependency Confusion exploiten lassen.

#KI #AI #moreAthanI #Sicherheitslücke #IT #DependencyConfusion #RepositoryHijacking #ProgrammerHumor

AI-generated code could be a disaster for the software supply chain. Here’s why. https://arstechni.ca/fUp9Y #packageconfusion.packagehallucination #dependencyconfusion #supplychainattac #Security #Biz&IT #AI

"CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package"

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package

#security #infosec #cybersecurity #dependencyconfusion #supplychain

Over 100,000 Infected Repos Found on GitHub

https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/

#GitHub #DependencyConfusion

Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!

https://giraffesecurity.dev/posts/dependabot-confusion/

#DependencyConfusion #dependabot #vulnerability

> Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
[ . . . ]
> In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
> Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.

"In this post, I demonstrate that critical parts of the #Haskell package management system are vulnerable to the #DependencyConfusion supply chain attack." #security #cabal #hackage

https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html