Paul

If you want a really honest case study of this, please read: research.checkpoint.com/2025/generativ…

THEY MADE A WORM IN NPM THEY MADE A WORM IN NPM THEY MADE A WORM IN NPM THEY MADE A WORM IN NPM THEY MADE A WORM IN NPM

🚨We're continuing to track the unfolding compromise of npm packages with a new data exfiltrating malware, in the new campaign dubbed Shai Hulud. Our monitoring infrastructure has detected 31 additional malicious packages with the same payload with hundreds of versions. New malicious packages are still being uploaded continuously, follow this thread to get the latest news on this ongoing campaign as it unfolds.

always the weekend to research (non) security issues 😬 discuss.elastic.co/t/elastic-resp…

Oh wow, a popular GitHub Action (tj-actions/changed-files) was fully compromised. Someone committed a base64-encoded payload that runs a script that in turn prints out encoded secrets… Stay safe out there!

🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)! I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz

A new container escape vulnerability just dropped. It gives an attacker the ability to hop from container to host OS via runc.

One Supply Chain Attack to Rule Them All adnanthekhan.com/2023/12/20/one…

We should reject the culture of laziness and/or incompetence. "Some tool somewhere report something and so we must do what it suggests right away". Yes. We care about security. Yes. We care about bugs. Yes. We want good tools, good reports. But blindly following flags and tools? No. It does not make you safer. Take time to understand the issues first.

CVE-2020-19909 is everything that is wrong with CVEs Another 9.8 CRITICAL curl problem. All made up. daniel.haxx.se/blog/2023/08/2…

The world just became a little bit safer 🥰 thanks to all the hackers and researchers reporting vulnerabilities nvd.nist.gov/vuln/detail/CV…

It's official! Version 1.0 of the OWASP Top 10 for LLMs is here covering the top security risks for AI developers today. Please check it out! linkedin.com/pulse/official…

@zaproxy Best of luck folks!

ZAP is joining the Software Security Project (and leaving OWASP). For more details see zaproxy.org/blog/2023-08-0…

Elastic enlisted us to engage in an assessment of their software supply chain using the SLSA framework-- the largest one we've done to date! 🌟 chainguard.dev/unchained/elas…

I wrote some code! Introducing Parlay, a CLI tool for enriching an SBOM with extra information about the compinents github.com/snyk/parlay

The hardest problem in supply chain security is explaining what supply chain security is.

Hey Oracle can you be a little more vague with the CVEs you release in your CPUs ? oracle.com/security-alert… Boilerplate statements every quarter.. Anyone has additional info on CVE-2023-21930 ?