🚨We're continuing to track the unfolding compromise of npm packages with a new data exfiltrating malware, in the new campaign dubbed Shai Hulud.
Our monitoring infrastructure has detected 31 additional malicious packages with the same payload with hundreds of versions.
New malicious packages are still being uploaded continuously, follow this thread to get the latest news on this ongoing campaign as it unfolds.
Oh wow, a popular GitHub Action (tj-actions/changed-files) was fully compromised. Someone committed a base64-encoded payload that runs a script that in turn prints out encoded secrets…
Stay safe out there!
🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!
I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz
We should reject the culture of laziness and/or incompetence. "Some tool somewhere report something and so we must do what it suggests right away".
Yes. We care about security. Yes. We care about bugs. Yes. We want good tools, good reports.
But blindly following flags and tools? No. It does not make you safer.
Take time to understand the issues first.
It's official! Version 1.0 of the OWASP Top 10 for LLMs is here covering the top security risks for AI developers today. Please check it out! https://t.co/CI05o6ch3s
Elastic enlisted us to engage in an assessment of their software supply chain using the SLSA framework-- the largest one we've done to date! 🌟
https://t.co/5X3cdmpTMM
Hey Oracle can you be a little more vague with the CVEs you release in your CPUs ? https://t.co/i5r9ie0zKk Boilerplate statements every quarter..
Anyone has additional info on CVE-2023-21930 ?