The latest series of attacks using the notorious Shai-Hulud worm puts into sharp focus the threats facing software developers and their CI/CD pipelines, an issue that has been raised in recent months as bad actors increasingly turn their attention to DevOps environments. That said, these most recent Shai-Hulud incidents attributed to the TeamPCP group also […]
Bad Actor Drops 36 Malicious Packages in npm, Targets Guardarian Users
The npm code repository is again being used by a bad actor to launch a supply chain attack that includes three dozen malicious packages posing as Strapi CMS plugins but delivering a range of threats. Strapi is a popular open-source headless Node.js content management system that developers use to build, manage, and expose content […]
Sophisticated Supply Chain Attack Targeting Trivy Expands to Checkmarx, LiteLLM
The supply chain attack that compromised Aqua Security’s Trivy open source security vulnerability scanner and its associated GitHub Actions earlier this month continues to expand, with software development tools from Checkmarx and LiteLLM being the latest victims of the sophisticated campaign. The threat group behind it, TeamPCP, is using the attacks to create persistence and […]
Analysis of GitHub Repositories Surfaces Nearly 23M Secrets
An analysis of public GitHub repositories published today finds 22.8 million hardcoded secrets, representing a 25% increase since a similar study was done a year ago.
HashiCorp Extends Secrets Management Reach
Secrets management is core to DevSecOps: how credentials are managed can make all the difference in preventing an application from being compromised in the first place. The challenge is making it as simple as possible for developers to reach the stores where most of those credentials are kept in the enterprise. HashiCorp this week released an update to […]
Moving Security Beyond SSH and PKI
SSH (secure shell) is still the most common method of remotely accessing a Linux server, which makes it a common target for attackers attempting to infiltrate corporate networks. While the protocol itself carries a number of advanced security properties, it still leaves room for human error, opening the door to unwarranted privileged access to sensitive company […]
DevOps and Database Security
Osterman Research recently released a survey-based report on database security. The results don’t exactly instill confidence where username breaches are concerned: While more than 50 percent of respondents felt that a breach of the database would be a serious problem for their organization, 44 percent responded that it would take more than a day to […]