Legit Security Blog

Threats

The Top 8 Cloud Application Threats in 2023

In this blog post, we'll discuss 8 of the top threats targeting cloud applications in 2023. Taking steps to protect your cloud applications against...


Exposing Secrets Via SDLC Tools: The SonarQube Case

Secrets are any data that is sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an API...


The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services

Everybody is familiar with downtimes in major services. It can be very frustrating when a platform your organization depends upon becomes...


How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

Jenkins is an open-source automation and build platform that allows for automated tests, integrations, builds, and much more. However, Jenkins also...


Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable

The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...


Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

Update: On November 1st the OpenSSL project maintainers released their fix for the vulnerabilities. There were two vulnerabilities discovered. After...


Toyota Customer Data Leaked Due To Software Supply Chain Attack

On Oct 7th, Toyota announced a possible data leakage incident stemming from a code repository in their software supply chain. The compromised data...


Software Supply Chain Attack Leads to Trojanized Comm100 Installer

On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The...


Why You Can Still Get Hacked Even After Signing Your Software Artifacts

Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised (i.e.,...


New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

A popular vendor of Magento-Wordpress plug-ins/integrations with over 200,000 downloads, has been hacked. This recent attack is a reminder that...


Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

Update: a few weeks after this publication, GitHub decided to fix the issue and employed the mitigation we recommended to them in our initial report....


Google & Apache Found Vulnerable to GitHub Environment Injection

In this blog post, we'll discuss a new type of GitHub Actions workflow vulnerability we called "GitHub Environment Injection". We've found a couple of


LastPass Software Supply Chain Attack: What Happened and Tips to Protect Against Similar Attacks

LastPass, one of the world's largest password managers with 25 million users, disclosed that an unauthorized party had gained access to portions of...


Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

Earlier today, Stephen Lacy published a Twitter post about a massive attack attempt on GitHub. This attack attempt is a huge deal, but fortunately it...


Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

In this blog post, we’ll explore a bug we’ve found in a popular third-party action and how in some cases it could lead to your SDLC pipeline being...


Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

On Friday April 15, GitHub Security announced it had detected the compromise of OAuth access tokens issued to Heroku and Travis-CI integrations to...


A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important...


Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

At Legit Security, we’re focused on preventing software supply chain attacks and securing the SDLC for our customers and the broader cybersecurity...


Detecting Secrets in Your Source Code

Exposed secrets in source code pose a risk to you, your team and your entire organization. But what are secrets exactly? How do they become exposed?...

