Bakomebandia11h ago

๐Ÿ›ก๏ธ Building open-source AI & cybersecurity infrastructure with Rust.

Current projects from BAKOME-Hub include:
โ€ข Supply chain security scanners
โ€ข AI terminals
โ€ข Dependency analyzers
โ€ข Trading intelligence systems
โ€ข Automation dashboards

Main stack:
Rust โ€ข Python โ€ข Pine Script โ€ข MQL5

Everything is open source:
github.com/BAKOME-Hub

Seeking collaboration and guidance from @sovtechfund and @SovereignTechAgency around:
#OpenSource #Rust #CyberSecurity #SupplyChainSecurity #AI

Kevin1d ago

Introducing wormbox!

Transparent sandbox + pre-install audit for the macOS Node.js toolchain (npm, pnpm, yarn, bun). Every install runs under sandbox-exec; the audit reads tarballs first and flags the shapes seen in chalk, debug, Shai-Hulud: window.ethereum proxies, atob+eval lifecycle scripts, decoded payloads fed to Function(). AWS_*/GH_TOKEN never reach postinstall.

https://codeberg.org/head1328/wormbox

#SupplyChainSecurity #SandboxExec #NodeJS #PackageSecurity

wormbox

Transparent sandbox and pre-install audit for developer toolchains on macOS.

Codeberg.org
TechNadu1d ago

This weekโ€™s major cyber trends:
โ€ข Massive npm/PyPI supply chain attacks
โ€ข Suspected AI-assisted zero-day exploit development
โ€ข Ransomware groups shifting toward silent extortion
โ€ข Active cPanel exploitation campaigns
โ€ข Fake Claude.ai malware delivery targeting macOS

https://www.technadu.com/cybersecurity-news-roundup-cybercrime-shifts-toward-faster-supply-chain-attacks-silent-extortion-and-real-world-consequences/627920/

#CyberSecurity #ThreatIntel #SupplyChainSecurity #InfoSec

packagist2d ago

We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

Slides at https://glaubinix.github.io/talks/2026-05-15-Composer-2-10-Malware-Filtering.html

#php #phpc #phpday #composerphp #supplychainsecurity #malware

sayzard2d ago

Hackers earning millions from hijacked cargo, FBI says

FBI๋Š” ์ตœ๊ทผ 2๋…„๊ฐ„ ํ•ด์ปค๋“ค์ด ์ค‘๊ฐœ์—…์ฒด์™€ ์šด์†ก์—…์ฒด ์‹œ์Šคํ…œ์„ ์นจํ•ดํ•ด ํ™”๋ฌผ ์šด์†ก ๋ฉ”์‹œ์ง€ ๊ฒŒ์‹œํŒ์— ์‚ฌ๊ธฐ์„ฑ ๊ฒŒ์‹œ๋ฌผ์„ ์˜ฌ๋ฆฌ๊ณ , ๋ฐฐ์†ก ๊ฒฝ๋กœ๋ฅผ ๋ณ€๊ฒฝํ•ด ์ˆ˜๋ฐฑ๋งŒ ๋‹ฌ๋Ÿฌ ์ƒ๋‹น์˜ ํ™”๋ฌผ์„ ํƒˆ์ทจํ•˜๋Š” ์‚ฌ๋ก€๊ฐ€ ๊ธ‰์ฆํ–ˆ๋‹ค๊ณ  ๊ฒฝ๊ณ ํ–ˆ๋‹ค. 2025๋…„ ๋ฏธ๊ตญ๊ณผ ์บ๋‚˜๋‹ค์—์„œ ๋ฐœ์ƒํ•œ ํ™”๋ฌผ ์ ˆ๋„ ํ”ผํ•ด์•ก์€ ์ „๋…„ ๋Œ€๋น„ 60% ์ฆ๊ฐ€ํ–ˆ์œผ๋ฉฐ, ํ•ด์ปค๋“ค์€ ์ด๋ฉ”์ผ ์Šคํ‘ธํ•‘๊ณผ ์•…์„ฑ ๋งํฌ๋ฅผ ํ†ตํ•ด ์‹œ์Šคํ…œ ์ ‘๊ทผ ๊ถŒํ•œ์„ ํš๋“ํ•˜๊ณ , '๋”๋ธ” ๋ธŒ๋กœ์ปค๋ง' ์ˆ˜๋ฒ•์œผ๋กœ ๋ฐฐ์†ก ์ฒด์ธ์„ ์กฐ์ž‘ํ•œ๋‹ค. ํ”ผํ•ด ๊ธฐ์—…๋“ค์€ ํ•ด์ปค๋กœ๋ถ€ํ„ฐ ๋ชธ๊ฐ’ ์š”๊ตฌ ์—ฐ๋ฝ์„ ๋ฐ›๊ธฐ๋„ ํ•˜๋ฉฐ, ์šด์†ก์—…๊ณ„ ์ „๋ฐ˜์— ๊ฑธ์ณ ์‹ฌ๊ฐํ•œ ๋ณด์•ˆ ์œ„ํ˜‘์œผ๋กœ ๋Œ€๋‘๋˜๊ณ  ์žˆ๋‹ค.

https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi

#cybersecurity #cargotheft #fbi #supplychainsecurity #cybercrime

Hackers earning millions from hijacked cargo, FBI says

In an advisory this week, FBI officials said cyber actors have spent the last two years breaking into the systems of brokers and carriers โ€” allowing them to pose as victim companies and post fraudulent listings on freight delivery message boards.

sayzard2d ago

Ask HN: How do you defend against supply chain attacks today?

์ตœ๊ทผ NPM๊ณผ PyPI ํŒจํ‚ค์ง€์—์„œ ์†Œํ”„ํŠธ์›จ์–ด ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ์ด ๋น ๋ฅด๊ฒŒ ์ฆ๊ฐ€ํ•˜๊ณ  ๋ณต์žกํ•ด์ง€๊ณ  ์žˆ๋‹ค. ๊ธฐ์กด ์˜์กด์„ฑ ์Šค์บ๋„ˆ๋Š” ๋Œ€์‘ ์†๋„๊ฐ€ ๋Š๋ฆฌ๊ณ , ์ž๋™ ์—…๋ฐ์ดํŠธ๋Š” ์•…์„ฑ์ฝ”๋“œ ํฌํ•จ ์œ„ํ—˜์ด ์žˆ์–ด ํšจ๊ณผ์ ์ด์ง€ ์•Š๋‹ค. ๋ชจ๋“  ์˜์กด์„ฑ ๋ฒ„์ „์„ ์ผ์ผ์ด ๊ฐ์‚ฌํ•˜๋Š” ๊ฒƒ์€ ๋น„์šฉ์ด ๋งŽ์ด ๋“ค๊ธฐ ๋•Œ๋ฌธ์—, ๊ฐœ๋ฐœ์ž๋“ค์€ ๋ณด๋‹ค ํšจ์œจ์ ์ด๊ณ  ์‹ ์†ํ•œ ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ ๋ฐฉ์–ด ์ „๋žต์„ ๋ชจ์ƒ‰ ์ค‘์ด๋‹ค.

https://news.ycombinator.com/item?id=48134972

#supplychainsecurity #npm #pypi #dependencysecurity #softwaresecurity

kpcyrd ๐Ÿด3d ago

Dear opensource developers,

I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. ๐Ÿ˜บ

https://github.com/kpcyrd/repro-env#adoption

#reproducible #reproduciblebuilds #supplychainsecurity #rust

GitHub - kpcyrd/repro-env: Dependency lockfiles for reproducible build environments ๐Ÿ“ฆ๐Ÿ”’

Dependency lockfiles for reproducible build environments ๐Ÿ“ฆ๐Ÿ”’ - kpcyrd/repro-env

GitHub
TechNadu3d ago

OpenAI says the recent TanStack npm supply-chain attack did not compromise production systems or user data, though 2 employee devices were impacted.

The company isolated systems, restricted deployments, and rotated code-signing certificates.

https://www.technadu.com/openai-addresses-tanstack-npm-supply-chain-attack-impact-%e2%81%a0production-systems-intellectual-property-not-compromised/627878/

#CyberSecurity #SupplyChainSecurity #DevSecOps #InfoSec

TechNadu3d ago

TeamPCP claims it breached Mistral AI while the company confirms impact from the TanStack supply chain attack involving malicious NPM and PyPI packages.

Mistral says thereโ€™s currently no evidence of an internal infrastructure breach.

https://www.technadu.com/teampcp-claims-mistral-ai-breach-the-company-announces-being-impacted-by-the-tanstack-supply-chain-attack/627870/

#Cybersecurity #SupplyChainSecurity #AI #Infosec

DIESEC3d ago

TeamPCP open-sourced its npm supply chain worm under MIT license. 7 attacks since January โ€” SAP, Trivy, LiteLLM, TanStack (12.7M downloads), Mistral AI. Now anyone can clone it. Valid SLSA provenance on malicious packages. 
Audit your CI/CD runners today.

#SupplyChainSecurity