Blogs about Threats
The Risks of Being Blind to AI in Your Own Organization
Uncover the security concerns in the era of AI and LLMs, delving into code opacity and application embedding risks.
Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack
Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.
Exposing Secrets Via SDLC Tools: The SonarQube Case
We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.
Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders
OpenSSL has announced a critical fix in version 3.0.7, to be released Nov 1st. This means that on Tuesday the race will start between those who patch and those who exploit.
Toyota Customer Data Leaked Due To Software Supply Chain Attack
On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.
Software Supply Chain Attack Leads to Trojanized Comm100 Installer
On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application had been trojanized with malware. The installer was compromised through a supply chain attack on the Comm100 development pipeline.
New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform
A popular vendor of Magento-WordPress plug-ins/integrations with 200,000 downloads has been hacked. This attack is a reminder that malicious third-party plug-ins for popular platforms, in this case FishPig integrations for the Magento e-commerce platform, can open the door to critical vulnerabilities.
Google & Apache Found Vulnerable to GitHub Environment Injection
Learn how Legit Security discovered a vulnerable GitHub Actions workflow that affected Google, Apache, and potentially many more. Get details on the vulnerability and what you can do to mitigate it.
LastPass Software Supply Chain Attack: What Happened and Tips to Protect Against Similar Attacks
LastPass disclosed that an unauthorized party had gained access to portions of the LastPass developer environment. An attacker gained access to developer account credentials and used them to exfiltrate portions of their proprietary source code.
Breaking News: How a Massive Malware Attack Almost Occurred on GitHub
Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.
Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks
We examine a bug we’ve found in a popular third-party GitHub Action and how it could lead to an attack on your SDLC pipeline. Read more to improve GitHub security and secure your software supply chain.