Relying on fragmented security tools creates conflicting remediation priorities. What one tool considers acceptable before the build, another flags in production.
Anchore Enterprise v6 solves this with the new Unified Asset Model. Join our June 4 webinar to see how v6 combines all of your application assets—from modern containers to legacy infrastructure and third-party SBOMs—into a single, normalized "Application Version" for unified... https://go.anchore.com/anchore-enterprise-6.html
🎙️ The #FIRSTImpressionsPodcast is back for the 2026 conference season!
Tune in to the newest episode at: https://media.first.org/podcasts/FIRST_Impressions-MorLior.mp3
In this episode, podcasters interview Mor Weinberger and Lior Kaplan to preview their #FIRSTCON26 session: “From Discovery to Fix: What 10,000 Open Source Projects Reveal About CVE Remediation”
The conversation dives into:
🔹 Why 90% of #CVEs already have fixes available
🔹 Why #remediation still takes months
🔹 How AI is accelerating vulnerability discovery
🔹 The hidden complexity of open source supply chains
🔹 Practical ways organizations can reduce risk today
New episodes drop every Friday leading up to FIRSTCON, featuring previews of conference talks and conversations with presenters across the global incident response community.
📍FIRST Conference 2026
June 14–19 | Denver, Colorado
Secure your seat today: https://www.first.org/conference/2026/registration
#FIRSTCON26 #CyberSecurity #OpenSource #VulnerabilityManagement #CVE #DevSecOps #SupplyChainSecurity
GitHub links a repo breach to the TanStack npm supply-chain attack - one compromised dependency can ripple across thousands of developers. Trust in code must be continuously verified. 📦⚠️ #SupplyChainSecurity #OpenSourceRisk
Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.
⚠️ Vendors can pass audits while exposing live risk
⚠️ Attackers rank vendors by exposure paths, not spend
⚠️ AI is worsening noise and confidence problems in cyber datasets
“Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”
https://www.technadu.com/why-attackers-understand-supply-chains-better-than-companies/628246/
If you’ve seen the latest supply chain compromise via a malicious update to a VS Code extension, you might be thinking of using Intune to manage VS Code enterprise settings.
Microsoft, however, have the stupidest bug that they might want to prioritise fixing…
If you create the HKLM\Software\Policies\Microsoft\VSCode registry path first, then it will work.
🤦‍♂️
#SupplyChainSecurity #SupplyChainCompromise #VSCode #VSCodeExtensions #Intune
Compromised art-template npm package versions reportedly delivered a Coruna-like iOS Safari exploit framework through a watering-hole attack.
Researchers say the framework targeted Safari users on iOS 11–17.2 via malicious redirect chains.
GitHub says a poisoned Nx Console VS Code extension enabled unauthorized access to internal infrastructure, contributing to the loss of ~3,800 repositories.
Researchers say the payload harvested GitHub tokens, AWS creds, SSH keys, and more.