ANSSI (French gov entity) is helping GrapheneOS to secure it. I read the entire FAQ. AI can't beat XP, it is slowing down everything (sure it can weaken GitHub strategy).

#smartphone #infosec #supplychainattacks

https://github.com/GrapheneOS/hardened_malloc/pull/131

Fix a few issues detected with static code analysis by tsautereau-anssi · Pull Request #131 · GrapheneOS/hardened_malloc

Static code analysis of hardened_malloc flagged some small issues. This pull request proposes fixes for three of them, and I'll open an issue to discuss the remaining ones, if that's OK for...

GitHub
Oh, great! Ruby Bundler now comes with a "cooldown" feature, because who doesn't love waiting around for their gems to turn into fine wine before installing them? 🍷 Just what we needed—more "exciting" ways to fight those pesky supply chain attacks by doing absolutely nothing for a few days. 🙄👏
https://blog.rubygems.org/2026/06/03/cooldown-let-new-gems-be-vetted.html #RubyBundler #CooldownFeature #SupplyChainAttacks #GemInstallation #DeveloperHumor #RubyCommunity #HackerNews #ngated
Cool down before you install: give new gems a few days to be vetted

Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. ...

RubyGems Blog
There is some serious time passing between the changelog entries and the date of the .deb file itself. Over a month. #debian #infosec
NB: the maintainer may have changed, not the same name for latest release (relatively speaking, it's the oldstable branch) in the example below (it's not the official maintainer name, it does not mean it's unexpected "Non-maintainer upload by the LTS Security Team.").
#supplychainattacks
#Supplychainattacks targeting security and developer tools continue, with #SAP, #Intercom, and #lightning #npmpackages compromised. The attacks, attributed to TeamPCP, involve credential-stealing malware that self-propagates, encrypts stolen data, and exfiltrates it to a new GitHub repository. https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm_packages/?eicker.news #tech #media #news
The never-ending supply chain attacks worm into SAP npm packages, other dev tools

Mini Shai-Hulud caught spreading credential-stealing malware

The Register

Malware Poisons Open Source Tools in Dual Supply Chain Attacks

Imagine trusting a tool, only to have it secretly turned against you - that's what happened in March when two massive supply chain attacks infected popular open source tools with malware, putting tens of thousands of organizations at risk. The full extent of the damage may not be known for months, but one thing is…

https://osintsights.com/malware-poisons-open-source-tools-in-dual-supply-chain-attacks?utm_source=mastodon&utm_medium=social

#SupplyChainAttacks #OpenSourceSecurity #MalwareOperations #EmergingThreats #NationState

Malware Poisons Open Source Tools in Dual Supply Chain Attacks

Malware infects open source tools in dual supply chain attacks, stealing secrets from tens of thousands of organizations, learn how to protect yourself now.

OSINTSights
🐱‍💻 Oh, Astral's here to save us all from the horrors of open source security, one blog post at a time. Because, clearly, a company that "builds tools" for "millions" will tame the wild world of supply chain attacks with just a sprinkle of their secret sauce. 🥄✨
https://astral.sh/blog/open-source-security-at-astral #OpenSourceSecurity #AstralSupplyChain #CybersecurityBlog #SupplyChainAttacks #TechInnovation #HackerNews #ngated
Open source security at Astral

Insights and guidance from our engineering team on how Astral secures its tools.

Every dependency you add is a supply chain attack waiting to happen

Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.

Supply-chain attack using invisible code hits GitHub and other repositories https://arstechni.ca/LKbk #supplychainattacks #publicuseareas #Security #Unicode #Biz&IT
Supply-chain attack using invisible code hits GitHub and other repositories

Unicode that's invisible to the human eye was largely abandoned—until attackers took notice.

Ars Technica

Deploying extensive #HomeAutomation carries serious #SecurityRisks that should not be neglected, and not only through the use of #agenticAI.

The creator of this thread is absolutely right.

But the many integrations and plugins (some of them external, from various repos) also create considerable potential for vulnerability.

https://community.simon42.com/t/warnung-niemals-einer-ki-zugriff-auf-euren-ha-gewaehren-eine-ki-auf-euren-ha-lassen/80847

#InfoSec #SupplyChainAttacks

Warning! Never grant an AI access to your HA // never let an AI onto your HA

In a post here in the forum I replied to a topic in which a user explained that he lets Claude take care of everything on his Home Assistant. He granted Claude access. Since this topic is really critical, and my integration(s) use local AI, I would also like to raise your awareness of the topic and explain why it is probably the most be*** idea ever, and since the birth of humanity, to let an AI onto the HA! I ask you under no circumstances to ...

simon42 Community

Template for AI startup:

* pitch trivial features anyone with a brain can do and has in fact been doing just fine for decades now, thanks

* requires giving them read/copy/exfiltrate rights to your critical PII, secrets, I.P. and source code (ideally also "security scan" the latter and "patch" commit to the latter) and/or full access to your Google accounts, AWS, etc -- but you can TOTALLY trust them, bro

* have names of 1 to 4 young Russian/Chinese/Indian males associated with it in GitHub (assuming you can even find names). oh and Anthropic Claude as a "co-committer" or LLM du jour. though they TOTALLY WROTE ALL OF IT THEMSELVES, BRO!

good luck, kids

#AI
#LLM
#Claude
#supplychainattacks
#cybersecurity