Blogs about Threats
Security Challenges Introduced by Modern Software Development
Understand how modern software development is changing security threats.
Don’t Protect Your Software Supply Chain, Defend the Entire Software Factory
Find out why a too-narrow definition of "supply chain" may be hindering software security efforts.
Securing the Gateway: Why Protecting Build Systems Is Crucial in Modern Software Development
Understand why securing build systems is as important as securing production systems.
New Survey Finds a Paradox of Confidence in Software Supply Chain Security
Get results of and analysis on ESG's new survey on supply chain security.
Verizon 2024 DBIR: Key Takeaways
Get key data points and takeaways from the 2024 Verizon Data Breach Investigations Report.
Dependency Confusion Vulnerability Found in an Archived Apache Project
Get details on the Legit research team's discovery of a dependency confusion vulnerability in an archived Apache project.
Securing the Software Supply Chain: Risk Management Tips
Securing the software supply chain can seem daunting, but with the right strategy, you can optimize your software supply chain risk management practices.
What You Need to Know About the XZ Utils Backdoor
How to Get the Most From Your Secrets Scanning
Secret scanning is essential for unlocking next-level software supply chain security. Get tips & best practices for optimal secret scanning to secure your code.
Microsoft Under Attack by Russian Cyberattackers
Understand how these attackers are operating and what their tactics mean for security strategies.
The Legit Security research team has found and reported a zero-click attack that allowed attackers to submit malicious code and access secrets.
In this blog series, we uncover the challenges of adopting SLSA provenance and discuss methods for overcoming those challenges.
Learn how vulnerable self-hosted runners can lead to severe software supply chain attacks.
Uncovering 'AIJacking': How Attackers Exploit Hugging Face for AI Supply Chain Attacks - A Deep Dive into Vulnerabilities and Risks.
Uncover the security concerns in the era of AI and LLMs, delving into code opacity and application embedding risks.
Emerging Risks with Embedded LLM in Applications
Learn how the use of Large Language Models (LLMs) like OpenAI's GPT and Google's Bard can create security risks in your applications.
This blog shows another case of a GitHub Actions environment injection vulnerability in a Google repository.
Supply Chain Attacks Overflow: PyPI Suspended New Registrations
On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.
In this blog series, we uncover the details of SLSA provenance, which refers to the ability to trust the authenticity of artifacts.
Learn the risks of exposing secrets through leaked source code and why traditional code scanners may not be enough to fight threats.
The Business Risks and Costs of Source Code Leaks and Prevention Tips
Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.
Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users
3CX, an international VoIP IPBX software vendor, experienced a software supply chain attack. We detail what occurred and how it can be prevented.
Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.
The Top 8 Cloud Application Threats in 2023
Discover 8 of the top threats to cloud applications in 2023 and learn about techniques that can be employed to help keep your cloud applications secure.
We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube case.
We explore our findings in a popular implementation vulnerability of the markdown engine and the potential Denial-of-Service (DoS) attack that it could cause.
How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack
See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.
New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.
OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.
On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.
Software Supply Chain Attack Leads to Trojanized Comm100 Installer
On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.
Why You Can Still Get Hacked Even After Signing Your Software Artifacts
Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised artifacts to your production servers.
New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform
A popular vendor of Magento-WordPress plug-ins/integrations with 200,000 downloads has been hacked. This attack is a reminder that malicious third-party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.
GitHub's required reviewers capability can be bypassed if you are currently using this setting to require at least one code review before merging code.
Google & Apache Found Vulnerable to GitHub Environment Injection
Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.
LastPass Software Supply Chain Attack: What Happened and Tips to Protect Against Similar Attacks
LastPass disclosed that an unauthorized party had gained access to portions of the LastPass developer environment. An attacker gained access to developer account credentials and used them to exfiltrate portions of their proprietary source code.
Breaking News: How a Massive Malware Attack Almost Occurred on GitHub
Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.
Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks
We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.
Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself
This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.
A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)
On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.
Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline
Learn how Legit Security discovered a vulnerable GitHub Actions workflow. Get details on the vulnerability and what you can do to mitigate it.
Detecting Secrets in Your Source Code
What are secrets in source code, why they must be protected, and how to keep them safe.