#supplychainattacks

Ars Technica News (@arstechnica@c.im)
2026-03-13

Supply-chain attack using invisible code hits GitHub and other repositories arstechni.ca/LKbk #supplychainattacks #publicuseareas #Security #Unicode #Biz&IT

2026-03-12

Deploying extensive #HomeAutomation carries serious, non-negligible security risks (#Sicherheitsrisiken), and not only through the use of #agenticAI.

The creator of this thread is completely right.

But the many integrations and plugins (some of them external, pulled from various repos) also create a considerable potential for vulnerability.

community.simon42.com/t/warnun

#InfoSec #SupplyChainAttacks

2026-02-10

Template for AI startup:

* pitch trivial features anyone with a brain can do and has in fact been doing just fine for decades now, thanks

* requires giving them read/copy/exfiltrate rights to your critical PII, secrets, I.P. and source code (ideally also "security scan" the latter and "patch" commit to the latter) and/or full access to your Google accounts, AWS, etc -- but you can TOTALLY trust them, bro

* have names of 1 to 4 young Russian/Chinese/Indian males associated with it in GitHub (assuming you can even find names). oh and Anthropic Claude as a "co-committer" or LLM du jour. though they TOTALLY WROTE ALL OF IT THEMSELVES, BRO!

good luck, kids

#AI
#LLM
#Claude
#supplychainattacks
#cybersecurity

Ars Technica News (@arstechnica@c.im)
2026-02-02

Notepad++ users take note: It's time to check if you're hacked arstechni.ca/6Vb8 #Opensourcesoftware #supplychainattacks #Security #notepad #Biz&IT

Ars Technica News (@arstechnica@c.im)
2025-12-31

Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025 arstechni.ca/g8eH #supplychainattacks #signalmessenger #2025yearend #Security #Biz&IT #Apple #cloud #AI

Fiona :transbian: :autism: (@Fiona@blahaj.zone)
2025-11-28

So Senna just told me about the most recent attack on #NPM.

I swear I wrote the above post independent of that! The problem is just so pervasive that you keep running into it.

#supplychainattacks

Pluralistic: Daily links from Cory Doctorow – No trackers, no ads. Black type, white background. Privacy policy: we don't collect or retain any data at all ever period. (@pluralistic.net@web.brid.gy)
2025-11-26
2025-09-12

Supply chain attacks reached unprecedented scale this week, affecting billions of users through compromised development tools and package repositories.

#cybersecurity #supplychainattacks #artificialintelligence #malware #hacking

cybernewsweekly.substack.com/p

Ars Technica News (@arstechnica@c.im)
2025-09-09

Software packages with more than 2 billion weekly downloads hit in supply-chain attack arstechni.ca/PHyN #supplychainattacks #supplychain #opensource #Security #Biz&IT #npm

2025-09-02

A single weak link can bring down giants. Recent supply-chain attacks exploited trusted vendor vulnerabilities to compromise big names like Palo Alto, Google, and more. How deep does the security gap really run?

thedefendopsdiaries.com/unders

#supplychainattacks
#cybersecurity
#infosec
#databreach
#thirdpartysecurity

Negative PID SL (@negativepid)
2025-08-27

Supply-chain attacks are a favourite in the toolbox of cyber warfare. The SolarWinds attack remains in the history books of cybersecurity for the clever use of patching as an attack vector to disrupt C2 infrastructure.

Read how it unfolded in our deep dive article! 👇

negativepid.blog/the-solarwind

Ars Technica News (@arstechnica@c.im)
2025-07-25

Supply-chain attacks on open source software are getting out of hand arstechni.ca/t2ay #supplychainattacks #repositories #opensource #Security #Biz&IT

xoron :verified: (@xoron@infosec.exchange)
2025-06-28

Are Web Components & Cybersecurity A Better Combo?

I'm not trying to dunk on popular #UI #frameworks – I'm sure they're totally fine for #cybersecurity stuff, probably get loads of reviews and #audits.

But from my angle: Web Components are *native* to the #browser. Doesn't that just inherently reduce the risk of **#SupplyChainAttacks** (you know, like a rogue `npm install` on a bad network) for your #AppSecurity?

Or am I overthinking it, and the #framework choice is less important than the #browser, #OS, or #device running it? What are your thoughts, #DevCommunity?

---

Quick context: I've got a #ReactJS #messagingApp (repo here: github.com/positive-intentions) and a separate #UIFramework (repo here: github.com/positive-intentions) built with #Lit (which uses Web Components). I'm genuinely wondering if there's a compelling #cybersecurity reason to refactor the chat app to use my #WebComponent UI framework. Might be a whole new level of #SecurityByDesign for #FrontEndDev.

FYI, same question's on Reddit here: reddit.com/r/ExperiencedDevs/c, got some good #insights, but want to make sure nothing's getting overlooked! Let's discuss #InfoSec #WebDev #JavaScript #OpenSource #TechQuestion.

Negative PID SL (@negativepid)
2025-06-25

Supply-chain attacks are a favourite in the toolbox of cyber warfare. The SolarWinds attack remains in the history books of cybersecurity for the clever use of patching as an attack vector to disrupt C2 infrastructure.

Read how it unfolded in our deep dive article! 👇

negativepid.blog/the-solarwind

Hacker News (@h4ckernews)
2025-03-23
2025-03-08

Undocumented backdoor found in Bluetooth chip used by a billion devices

> The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.

bleepingcomputer.com/news/secu

#infosec #supplychainsecurity #supplychainattacks

2024-12-30

The Register: It’s only a matter of time before LLMs jump start supply-chain attacks. “Now that criminals have realized there’s no need to train their own LLMs for any nefarious purposes – it’s much cheaper and easier to steal credentials and then jailbreak existing ones – the threat of a large-scale supply chain attack using generative AI becomes more real.”

https://rbfirehose.com/2024/12/30/the-register-its-only-a-matter-of-time-before-llms-jump-start-supply-chain-attacks/
