#Supplychainattacks targeting security and developer tools continue, with #SAP, #Intercom, and #lightning #npmpackages compromised. The attacks, attributed to TeamPCP, involve credential-stealing malware that self-propagates, encrypts stolen data, and exfiltrates it to a new GitHub repository. https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm_packages/?eicker.news #tech #media #news
The never-ending supply chain attacks worm into SAP npm packages, other dev tools

Mini Shai-Hulud caught spreading credential-stealing malware

The Register

Malware Poisons Open Source Tools in Dual Supply Chain Attacks

Imagine trusting a tool, only to have it secretly turned against you - that's what happened in March when two massive supply chain attacks infected popular open source tools with malware, putting tens of thousands of organizations at risk. The full extent of the damage may not be known for months, but one thing is…

https://osintsights.com/malware-poisons-open-source-tools-in-dual-supply-chain-attacks?utm_source=mastodon&utm_medium=social

#SupplyChainAttacks #OpenSourceSecurity #MalwareOperations #EmergingThreats #NationState

Malware Poisons Open Source Tools in Dual Supply Chain Attacks

Malware infects open source tools in dual supply chain attacks, stealing secrets from tens of thousands of organizations, learn how to protect yourself now.

OSINTSights
🐱‍💻 Oh, Astral's here to save us all from the horrors of open source security, one blog post at a time. Because, clearly, a company that "builds tools" for "millions" will tame the wild world of supply chain attacks with just a sprinkle of their secret sauce. 🥄✨
https://astral.sh/blog/open-source-security-at-astral #OpenSourceSecurity #AstralSupplyChain #CybersecurityBlog #SupplyChainAttacks #TechInnovation #HackerNews #ngated
Open source security at Astral

Insights and guidance from our engineering team on how Astral secures its tools.

Every dependency you add is a supply chain attack waiting to happen

Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.

Supply-chain attack using invisible code hits GitHub and other repositories https://arstechni.ca/LKbk #supplychainattacks #publicuseareas #Security #Unicode #Biz&IT
Supply-chain attack using invisible code hits GitHub and other repositories

Unicode that's invisible to the human eye was largely abandoned—until attackers took notice.

Ars Technica

When running an extensive #HomeAutomation setup there are serious #Sicherheitsrisiken (security risks) that must not be neglected, and not only from the use of #agenticAI.

The author of this thread is completely right.

But the many integrations and plugins (some of them external, pulled from various repos) also create a considerable potential for vulnerabilities.

https://community.simon42.com/t/warnung-niemals-einer-ki-zugriff-auf-euren-ha-gewaehren-eine-ki-auf-euren-ha-lassen/80847

#InfoSec #SupplyChainAttacks

Warning! Never grant an AI access to your HA // never let an AI loose on your HA

I replied to a topic in a post here in the forum in which a user explained that he lets Claude do everything on his Home Assistant. He granted Claude access.. Since this topic is really critical, and my integration(s) are meant to use local AI, I also want to raise your awareness of this subject and explain why letting an AI onto your HA is probably the most s*** idea ever, since the birth of humanity! I ask you under no circumstances to ...

simon42 Community

Template for AI startup:

* pitch trivial features anyone with a brain can do and has in fact been doing just fine for decades now, thanks

* requires giving them read/copy/exfiltrate rights to your critical PII, secrets, I.P. and source code (ideally also "security scan" the latter and "patch" commit to the latter) and/or full access to your Google accounts, AWS, etc -- but you can TOTALLY trust them, bro

* have names of 1 to 4 young Russian/Chinese/Indian males associated with it in GitHub (assuming you can even find names). oh and Anthropic Claude as a "co-committer" or LLM du jour. though they TOTALLY WROTE ALL OF IT THEMSELVES, BRO!

good luck, kids

#AI
#LLM
#Claude
#supplychainattacks
#cybersecurity

Notepad++ users take note: It's time to check if you're hacked https://arstechni.ca/6Vb8 #Opensourcesoftware #supplychainattacks #Security #notepad #Biz&IT
Notepad++ users take note: It's time to check if you're hacked

Suspected China-state hackers used update infrastructure to deliver backdoored version.

Ars Technica
Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025 https://arstechni.ca/g8eH #supplychainattacks #signalmessenger #2025yearend #Security #Biz&IT #Apple #cloud #AI
Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025

The past year has seen plenty of hacks and outages. Here are the ones topping the list.

Ars Technica