Great article on slopsquatting and more LLM vulnerability invention.
| https://www.linkedin.com/in/wysopal | |
| https://www.twitter.com/WeldPond :verified: | |
| Wikipedia | https://en.m.wikipedia.org/wiki/Weld_Pond |
Chris Wysopal
@Weld@infosec.exchange
- 4.7K Followers
- 238 Following
- 416 Posts
Co-founder/CTO Veracode. Former L0pht security researcher. Builds tools to find vulnerabilities in code at scale. Twitter: @weldpond
Are you reviewing your NPM dependancies for malicious code? #devsecops #appsec #npm
https://www.scworld.com/news/complex-npm-attack-uses-7-plus-layers-of-obfuscation-to-spread-pulsar-rat
https://www.scworld.com/news/complex-npm-attack-uses-7-plus-layers-of-obfuscation-to-spread-pulsar-rat
"Absurd" 12-step malware dropper spotted in malicious npm packages. Supply chain attack effort used steganography, a "dizzying wall of Unicode characters" and more.
https://www.thestack.technology/absurd-12-step-malware-dropper-spotted-in-malicious-npm-packages/
https://www.thestack.technology/absurd-12-step-malware-dropper-spotted-in-malicious-npm-packages/
Trump's new Cybersecurity EO eliminates these provisions from Biden's last Cybersecurity EO:
Mandatory, machine-readable attestations from every federal software supplier that they follow NIST’s Secure Software Development Framework (SSDF)
A CISA-run Repository for Software Attestations & Artifacts (RSAA) plus a program that randomly validates those filings and publicly names vendors that fail.
New FAR clauses forcing every agency to buy only from suppliers that file acceptable attestations.
Escalation path to DOJ for vendors that lie in an attestation.
The centralized requirement to hand over an SBOM (or any validating artifact) for every piece of software the government buys has been removed. However, SBOMs still exist in federal policy, and any individual agency can continue to demand them under EO 14028 and existing OMB or DoD guidance
By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
Researchers from Rice and Stanford refer to this recursive data contamination as Model Autophagy Disorder (MAD), analogous to mad cow disease. (Reminder: do not eat the neural tissue of your own species.)
https://therepublicjournal.com/essays/the-curse-of-the-ai-ouroboros/
https://therepublicjournal.com/essays/the-curse-of-the-ai-ouroboros/
Cyber hard problems, unsolved tech & research problems for which progress toward solution would have a significant impact on the practical security of cyber systems, are frequently caused or sustained by human or societal factors & misaligned incentives
https://nap.nationalacademies.org/catalog/29056/cyber-hard-problems-focused-steps-toward-a-resilient-digital-future
https://nap.nationalacademies.org/catalog/29056/cyber-hard-problems-focused-steps-toward-a-resilient-digital-future
Last time I was in a play, I was Falstaff in "A Midsummer Night’s Dream" (yeah, that’s not a typo. it was 5th grade).
Now I’m back as Weldy McPond in @veracode's “Hack to the Future.” From Shakespeare to cyber-chaos—what could go wrong?
The @L0pht got a Battlezone machine in 1995 when it was 15 years old. It was the first FPS arcade game! Now it's pushing 45 and needs repair. It got new resistors and a cleaning. Still work to be done however as it gets to the gameplay screen and no tanks show up including yours!
