Articles tagged with: #supply-chain
Top 10 Best Supply Chain Intelligence Security Companies in 2025

Cyber Security News cybersecuritynews.com

The digital world continues to face growing threats around software vulnerabilities, data breaches, and cyber supply chain attacks. As companies rely more heavily on open-source software, third-party code, and cloud-native applications, the need for supply chain intelligence security solutions has never been greater. In 2025, organizations must adopt highly reliable platforms that provide visibility, compliance,

Reproducible Builds for Quantum Computing

cs.CR updates on arXiv.org arxiv.org

arXiv:2510.02251v1 Announce Type: cross Abstract: Reproducible builds are a set of software development practices that establish an independently verifiable path from source code to binary artifacts, helping to detect and mitigate certain classes of supply chain attacks. Although quantum computing is a rapidly evolving field of research, it can already benefit from adopting reproducible builds. This paper aims to bridge the gap between the quantum computing and reproducible builds communities....

TAIBOM: Bringing Trustworthiness to AI-Enabled Systems

cs.CR updates on arXiv.org arxiv.org

arXiv:2510.02169v1 Announce Type: cross Abstract: The growing integration of open-source software and AI-driven technologies has introduced new layers of complexity into the software supply chain, challenging existing methods for dependency management and system assurance. While Software Bills of Materials (SBOMs) have become critical for enhancing transparency and traceability, current frameworks fall short in capturing the unique characteristics of AI systems -- namely, their dynamic,...

Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm

AWS Security Blog aws.amazon.com

Building on top of open source packages can help accelerate development. By using common libraries and modules from npm, PyPI, Maven Central, NuGet, and others, teams can focus on writing code that is unique to their situation. These open source package registries host millions of packages that are integrated into thousands of programs daily. Unfortunately,

Supply chain security is impossible when every dependency has dependencies with vulnerabilities

cybersecurity www.reddit.com

I just finished a scan on what we thought was a well-maintained project. Turns out, my direct dependencies are all clean... not a single critical vulnerability. I felt pretty good. Then I let the scanner go deeper. That's when it found it: a critical RCE in a tiny, forgotten library buried five layers deep in node_modules. The maintainer hasn't touched it in years. Now I'm staring at a full fork and patching job that could break everything else. It feels completely hopeless. How is anyone...

Sentry: Authenticating Machine Learning Artifacts on the Fly

cs.CR updates on arXiv.org arxiv.org

arXiv:2510.00554v1 Announce Type: new Abstract: Machine learning systems increasingly rely on open-source artifacts such as datasets and models that are created or hosted by other parties. The reliance on external datasets and pre-trained models exposes the system to supply chain attacks where an artifact can be poisoned before it is delivered to the end-user. Such attacks are possible due to the lack of any authenticity verification in existing machine learning systems. Incorporating...

Evolving Enterprise Defense to Secure the Modern AI Supply Chain

The Hacker News thehackernews.com

The world of enterprise technology is undergoing a dramatic shift. Gen-AI adoption is accelerating at an unprecedented pace, and SaaS vendors are embedding powerful LLMs directly into their platforms. Organizations are embracing AI-powered applications across every function, from marketing and development to finance and HR. This transformation unlocks innovation and efficiency, but it also

VU#534320: NPM supply chain compromise exposes challenges to securing the ecosystem from credential theft and self-propagation

CERT Recently Published Vulnerability Notes kb.cert.org

Overview: A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. At the time of writing, over 500 packages have been affected, and the number continues to grow. The attack involves a self-propagating malware variant dubbed Shai-Hulud, which spreads via credential theft and automated package publishing. The campaign escalated rapidly, including compromise of packages published by CrowdStrike. This notice aims to raise...

First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package

The Hacker News thehackernews.com

Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks. According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called "postmark-mcp" that copied an official Postmark Labs library of the same name.

New Malicious Rust Crates Impersonating fast_log to Steal Solana and Ethereum Wallet Keys

Cyber Security News cybersecuritynews.com

Cybercriminals have launched a sophisticated supply chain attack targeting cryptocurrency developers through malicious Rust crates designed to steal digital wallet keys. Two fraudulent packages, faster_log and async_println, have infiltrated the Rust package registry by impersonating the legitimate fast_log logging library, embedding malicious code that scans source files for Solana and Ethereum private keys before exfiltrating

Malicious Rust Crates Steal Solana and Ethereum Keys - 8,424 Downloads Confirmed

The Hacker News thehackernews.com

Cybersecurity researchers have discovered two malicious Rust crates impersonating a legitimate library called fast_log to steal Solana and Ethereum wallet keys from source code. The crates, named faster_log and async_println, were published by the threat actor under the aliases rustguruman and dumbnbased on May 25, 2025, amassing 8,424 downloads in total, according to software supply chain