#supply-chain-security

#supply-chain-security

saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.

Europe faces increasingly sophisticated hybrid attacks on every area of its infrastructure, the EC claims. The revised Cybersecurity Act looks to address this with union-level risk assessments, combined with targeted mitigation measures that will include bans on IT components from "high-risk suppliers." The suggested timeframe for this could leave member states with as little as three years to remove non-compliant kit.

Midway through a decade that is coming to be defined by the runaway acceleration of technological change, the threat of ransomware attacks seems to be dropping down the agenda in boardrooms around the world, with C-suite executives more concerned about growing risks arising from artificial intelligence (AI) vulnerabilities, cyber-enabled fraud and phishing attacks, disruption to supply chains, and exploitation of software vulnerabilities.

Charlie Marsh announced the Beta release of ty on Dec 16 "designed as an alternative to tools like mypy, Pyright, and Pylance." Extremely fast even from first run Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.

As organizations operate across cloud infrastructure, distributed endpoints, and complex supply chains, security has shifted from a collection of point solutions to a question of architecture, trust, and execution speed. This report examines how core areas of cybersecurity are evolving in response to that shift. Across authentication, endpoint security, software supply chain protection, network visibility, and human risk, it explores how defenders are adapting to adversaries that move faster, blend technical and social techniques, and exploit gaps between systems rather than weaknesses in any single control.

The first seafood vanished on Nov. 22 in Falmouth, Maine, where authorities suspect someone stole 14 cages full of oysters from an aquaculture site in Casco Bay. Many of the oysters were full-grown and ready for sale, and together with the cages were worth $20,000, according to the Maine Marine Patrol. "This is a devastating situation for a small businessman," said Marine Patrol Sgt. Matthew Sinclair.

The chairman of the Senate Intelligence Committee asked National Cyber Director Sean Cairncross in a Wednesday letter to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies. Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia.

A lawsuit brought by the US Securities & Exchange Commission (SEC) against SolarWinds has been dropped. The legal fire was also directed at the company's CISO, Timothy G. Brown. Brown's alleged personal responsibility will now not be determined in court. It therefore appears that CISOs have less to fear from the law than previously thought. CISOs are responsible for securing their company's IT infrastructure.

This represents a "new operational model that's neither traditional cyber attack nor conventional warfare," Amazon Chief Security Officer Steve Schmidt told The Register. "The targeting data collected through cyber means flows directly into kinetic decision making."

Slopsquatting is an attack method in which hackers exploit common AI hallucinations to trick engineers into mistakenly installing malicious packages. In short, hackers track non-existent packages hallucinated by AI coding tools and then publish malicious packages under these names on public repositories such as . The seemingly legitimate packages are then installed by victims who trust their AI code suggestions.

An influential bipartisan congressional commission is urging lawmakers to create a new economic statecraft office to enforce U.S. sanctions, limit Chinese influence in the electrical grid, and release funding to maintain dominance in cyber and quantum technologies - warning that the national security threat from Beijing has escalated over the past year and could threaten the United States in a future conflict.

I think the big cyber incidents happening in the Middle East and Europe in recent months, particularly ransomware as a service, so big names like Jaguar Land Rover and others, have kind of given this meeting an extra buzz just before we met. Quite a few people flew in from that have been affected by the supply chain attack on baggage handling software. So it was very relevant and topical.

Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems which could be exploited to affect buses while in transit.

The Log4j vulnerability in 2021 served as a wake-up call for how vulnerable today's supply chains are. Four years later, this remains apparent amid the recent incident at F5 which has impacted a number of businesses globally. These types of attacks continue to expose the increasingly sophisticated cyber threats that exist as a result of a growingly complex landscape. Third-party ecosystems are now one of the most profitable attack avenues as when one supplier is compromised, the effects can quickly ripple through entire industries. All partners are then exposed to fallbacks like revenue loss, reputational damage and operational disruption.

Quantum computing stocks continue to rebound following a Wall Street Journal article yesterday detailing potential U.S. government equity investments in the sector. The report outlined early discussions with the Commerce Dept., where firms could trade shares for at least $10 million each in federal funds. The story ignited investor excitement after consecutive days of declining stock prices, with QBTS, RGTI, IONQ, and QUBT all racing higher by double-digit percentages.

Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL."

Data from 28,000 internal projects at Red Hat has been stolen. The hacker group Crimson Collective claims to have stolen nearly 570GB of data. The stolen information is not only affecting Red Hat: BleepingComputer reports that customer data from around 800 Customer Engagement Reports has also been stolen. The hackers claim that the breach took place around two weeks ago. Customer Engagement Reports (CERs) are documents that contain infrastructure details, configuration data, authentication keys, and other sensitive customer information.

New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

For Developers: * Never use pickle for untrusted data: This cannot be emphasized enough. * Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks. * Always use weights_only=True when using PyTorch's load functions. * Restrict to trusted classes: Restrict deserialization to only trusted classes. * Implement defense in depth: Don't rely on a single security measure. * Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered.

"This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks," Oasis wrote. While Cursor and other AI-powered coding tools like Claude Code and Windsurf have become popular among software developers, the technology is still fraught with bugs. Replit, another AI coding assistant that debuted its newest agent earlier this week, recently deleted a user's entire database.

The homeland is no longer secure,

Let's dig into what this really means, why it matters, and where we go from here. But then I thought a bit more. It's not just necessary-it's overdue. And not only for national security systems. This gap in software understanding exists across nearly every enterprise and agency in the public and private sector. The real challenge is not recognizing the problem. It's addressing it early, systemically and sustainably-especially in a DevSecOps context.

Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details.