#supply-chain-security

#supply-chain-security

Quantum computing stocks continue to rebound following a Wall Street Journal article yesterday detailing potential U.S. government equity investments in the sector. The report outlined early discussions with the Commerce Dept., where firms could trade shares for at least $10 million each in federal funds. The story ignited investor excitement after consecutive days of declining stock prices, with QBTS, RGTI, IONQ, and QUBT all racing higher by double-digit percentages.

Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL."

Data from 28,000 internal projects at Red Hat has been stolen. The hacker group Crimson Collective claims to have stolen nearly 570GB of data. The stolen information is not only affecting Red Hat: BleepingComputer reports that customer data from around 800 Customer Engagement Reports has also been stolen. The hackers claim that the breach took place around two weeks ago. Customer Engagement Reports (CERs) are documents that contain infrastructure details, configuration data, authentication keys, and other sensitive customer information.

New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action. "This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation]," PSF security developer-in-residence Seth Larson warns. Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.

For Developers: * Never use pickle for untrusted data: This cannot be emphasized enough. * Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks. * Always use weights_only=True when using PyTorch's load functions. * Restrict to trusted classes: Restrict deserialization to only trusted classes. * Implement defense in depth: Don't rely on a single security measure. * Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered.

"This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks," Oasis wrote. While Cursor and other AI-powered coding tools like Claude Code and Windsurf have become popular among software developers, the technology is still fraught with bugs. Replit, another AI coding assistant that debuted its newest agent earlier this week, recently deleted a user's entire database.

The homeland is no longer secure,

Let's dig into what this really means, why it matters, and where we go from here. But then I thought a bit more. It's not just necessary-it's overdue. And not only for national security systems. This gap in software understanding exists across nearly every enterprise and agency in the public and private sector. The real challenge is not recognizing the problem. It's addressing it early, systemically and sustainably-especially in a DevSecOps context.

Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details.

The four countries said in a joint statement that they were establishing the Quad Critical Minerals Initiative, aimed at collaborating on securing and diversifying supply chains.