Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025 https://arstechni.ca/g8eH #supplychainattacks #signalmessenger #2025yearend #Security #Biz&IT #Apple #cloud #AI
Supply Chain Attacks Targeting GitHub Actions Increased in 2025
https://www.darkreading.com/application-security/supply-chain-attacks-targeting-github-actions-increased-in-2025
#Infosec #Security #Cybersecurity #CeptBiro #SupplyChainAttacks #GitHubActions
So Senna just told me about the most recent attack on #NPM.
I swear I wrote the above post independent of that! The problem is just so pervasive that you keep running into it.
#supplychainattacks
Pluralistic: O(N^2) nationalism (26 Nov 2025)
https://fed.brid.gy/r/https://pluralistic.net/2025/11/26/difficult-multipolarism/
Supply chain attacks reached unprecedented scale this week, affecting billions of users through compromised development tools and package repositories.
#cybersecurity #supplychainattacks #artificialintelligence #malware #hacking
https://cybernewsweekly.substack.com/p/cybersecurity-news-review-week-37
Software packages with more than 2 billion weekly downloads hit in supply-chain attack https://arstechni.ca/PHyN #supplychainattacks #supplychain #opensource #Security #Biz&IT #npm
A single weak link can bring down giants. Recent supply-chain attacks exploited trusted vendor vulnerabilities to compromise big names like Palo Alto, Google, and more. How deep does the security gap really run?
https://thedefendopsdiaries.com/understanding-supply-chain-attacks-a-modern-cybersecurity-challenge/
#supplychainattacks
#cybersecurity
#infosec
#databreach
#thirdpartysecurity
Supply-chain attacks are a favourite in the toolbox of cyber warfare. The SolarWinds attack remains in the history books of cybersecurity for the clever use of patching as an attack vector to disrupt C2 infrastructure.
Read how it unfolded in our deep dive article!
https://negativepid.blog/the-solarwinds-supply-chain-attack/
#cyberwarfare #supplychainattacks #patching #cozybear #orion #C2
Supply-chain attacks on open source software are getting out of hand https://arstechni.ca/t2ay #supplychainattacks #repositories #opensource #Security #Biz&IT
Are Web Components & Cybersecurity A Better Combo?
I'm not trying to dunk on popular #UI #frameworks - I'm sure they're totally fine for #cybersecurity stuff, probably get loads of reviews and #audits.
But from my angle: Web Components are *native* to the #browser. Doesn't that just inherently reduce the risk of **#SupplyChainAttacks** (you know, like a rogue `npm install` on a bad network) for your #AppSecurity?
Or am I overthinking it, and the #framework choice is less important than the #browser, #OS, or #device running it? What are your thoughts, #DevCommunity?
---
Quick context: I've got a #ReactJS #messagingApp (repo here: https://github.com/positive-intentions/chat) and a separate #UIFramework (repo here: https://github.com/positive-intentions/dim) built with #Lit (which uses Web Components). I'm genuinely wondering if there's a compelling #cybersecurity reason to refactor the chat app to use my #WebComponent UI framework. Might be a whole new level of #SecurityByDesign for #FrontEndDev.
FYI, same question's on Reddit here: https://www.reddit.com/r/ExperiencedDevs/comments/1lmk1rg/are_web_components_better_for_cybersecurity/, got some good #insights, but want to make sure nothing's getting overlooked! Let's discuss #InfoSec #WebDev #JavaScript #OpenSource #TechQuestion.
GitHub: How Code Provenance Can Prevent Supply Chain Attacks
https://www.darkreading.com/application-security/github-code-provenance-supply-chain-attacks
#Infosec #Security #Cybersecurity #CeptBiro #GitHub #CodeProvenance #SupplyChainAttacks
Supply Chain Attacks on Linux Distributions - Fedora Pagure
#HackerNews #SupplyChainAttacks #LinuxDistributions #FedoraPagure #Cybersecurity #OpenSource
Supply Chain Attacks on Linux Distributions
https://fenrisk.com/supply-chain-attacks
#HackerNews #SupplyChainAttacks #LinuxDistributions #CyberSecurity #OpenSource #ThreatDetection
Undocumented backdoor found in Bluetooth chip used by a billion devices
> The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
The Register: It's only a matter of time before LLMs jump start supply-chain attacks. "Now that criminals have realized there's no need to train their own LLMs for any nefarious purposes - it's much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real."
Putting on my headphones while thinking about future #supplyChainAttacks...
@eroc1990 @JohnDal I disagree, as all such #SupplyChainAttacks are merely based upon lack of #reviewers and lack of #funding.
Not to mention it's easier and faster to fix #FOSS, as well as the #diversity of systems mitigating said issues (i.e. #dropbear was affected by neither #RegreSSHion nor #XZ's #backdoor, likely preventing another #Mirai-style #Botnet from being created...)
After all, these issues are systemic, and denying the root cause is turning a blind eye at the obvious fix!
Attacks on the software supply chain are surging - and security leaders are slow to respond
More victims of cyberattacks via software supply chains:
https://www.agconnect.nl/tech-en-toekomst/security/aanvallen-op-de-softwareketen-nemen-een-hoge-vlucht
#cybersecurity #hackaanvallen #supplychainattacks #AGConnect #SijthoffMedia
They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low.
Read more: https://lttr.ai/AUqFx