Chris Wysopal

@Weld@infosec.exchange
4.7K Followers
238 Following
421 Posts
Co-founder/CTO Veracode. Former L0pht security researcher. Builds tools to find vulnerabilities in code at scale. Twitter: @weldpond
LinkedInhttps://www.linkedin.com/in/wysopal
Twitterhttps://www.twitter.com/WeldPond :verified:
Wikipediahttps://en.m.wikipedia.org/wiki/Weld_Pond
Chris Wysopal3d ago

17, 17, 19 and 20 year olds

"M&S was the first retailer to be attacked in April in an incident that forced the closure of its online store for nearly seven weeks."

https://www.theguardian.com/uk-news/2025/jul/10/four-arrested-over-cyber-attacks-marks-and-spencer-co-op-harrods

Four people arrested over cyber-attacks on M&S, Co-op and Harrods

Four arrested on suspicion of breaching Computer Misuse Act, blackmail, money laundering and joining activities of organised crime

The Guardian
Chris Wysopal3d ago
The Black Hat USA keynote list has dropped. Impressive!
Chris Wysopal5d ago

Do we need the term PoliPhish when government officials are voice and text spoofed.

https://www.newser.com/story/371511/marco-rubio-impersonator-is-making-phone-calls.html

A Fake Marco Rubio Is Making Calls in DC

Someone is using AI software to mimic his voice and texting style, reports Washington Post

Newser LLC
Chris Wysopal5d ago
The EU Product Liability Directive will take effect Dec 2026. Software, firmware, applications, AI systems, and will now be subject to the same strict liability regime as traditional physical goods. Cybersecurity vulnerabilities will be considered product defects. Analysis by Reed Smith LLP: https://www.lexology.com/library/detail.aspx?g=bbef1939-2af0-465a-8b8f-c1ff3ebe9118
Chris Wysopal5d ago

Attacking AI agents. AIJacking?

https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a

A Copilot Studio Story 2: When AIjacking Leads to Full Data Exfiltration

Discover how prompt injections can lead to zero-click exploits threatening AI agents built using Copilot Studio. Learn about real-world risks, including data leakage and security blind spots. Bypass Copilot Studio prompt shields.

Zenity Labs
Chris WysopalJun 19

Great article on slopsquatting and more LLM vulnerability invention.

https://www.usenix.org/publications/loginonline/we-have-package-you-comprehensive-analysis-package-hallucinations-code

Package Hallucinations: How LLMs Can Invent Vulnerabilities

USENIX
Chris WysopalJun 10
Are you reviewing your NPM dependancies for malicious code? #devsecops #appsec #npm
https://www.scworld.com/news/complex-npm-attack-uses-7-plus-layers-of-obfuscation-to-spread-pulsar-rat
Complex npm attack uses 7-plus layers of obfuscation to spread Pulsar RAT

The package uses Japanese Unicode characters, hex encoding, Base64 and more to hide its actions.

SC Media
Chris WysopalJun 9
"Absurd" 12-step malware dropper spotted in malicious npm packages. Supply chain attack effort used steganography, a "dizzying wall of Unicode characters" and more.
https://www.thestack.technology/absurd-12-step-malware-dropper-spotted-in-malicious-npm-packages/
"Absurd" 12-step malware dropper spotted in npm package

Supply chain attack effort used steganography, a "dizzying wall of Unicode characters" and more.

The Stack
Chris WysopalJun 9

Trump's new Cybersecurity EO eliminates these provisions from Biden's last Cybersecurity EO:

Mandatory, machine-readable attestations from every federal software supplier that they follow NIST’s Secure Software Development Framework (SSDF)

A CISA-run Repository for Software Attestations & Artifacts (RSAA) plus a program that randomly validates those filings and publicly names vendors that fail.

New FAR clauses forcing every agency to buy only from suppliers that file acceptable attestations.

Escalation path to DOJ for vendors that lie in an attestation.

The centralized requirement to hand over an SBOM (or any validating artifact) for every piece of software the government buys has been removed. However, SBOMs still exist in federal policy, and any individual agency can continue to demand them under EO 14028 and existing OMB or DoD guidance

Show threadChris WysopalJun 9
By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
×
Chris WysopalJun 9
Trump issues new Cybersecurity EO
Show threadChris WysopalJun 9
By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
Show threadVissJun 9
@Weld
Show threadVissJun 9
@Weld i need to make a better version of this gif
Show threadScott FrancisJun 9
@Viss that show is chock-full of excellent meme content, besides being the best Star Wars writing ever
Show threadVissJun 9
@darkuncle agreed. this gif is from rogue one though
Show threadScott FrancisJun 9
@Viss oh snap
Show threadVissJun 9
@Weld improved
Show threadNonya Bidniss Jun 9
@Weld "preventing misuse against domestic political opponents" isn't something I thought I'd see from the Trump regime. But of course they'll do whatever they want, watch what they do not what they say.
Show threadnoahmJun 9
@Weld I love how he just can't resist a dig at Obama and Biden, as if there weren't a Trump in between the two.
Show threadDave "Wear A Goddamn Mask" Cochran Jun 9
@Weld post-quantum, eh?