A new malicious package been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems for its recon activities. The malicious package is called "web-browserify." It imitates the popular Browserify npm component, downloaded over 160 million times over its lifetime. [...]
Adobe has released security updates that address security vulnerabilities in Adobe Photoshop, Adobe Digital Editions, Adobe Bridge, and RoboHelp. [...]
A security researcher has dropped a zero-day remote code execution vulnerability on Twitter that works on the current version of Google Chrome and Microsoft Edge. [...]
Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired. [...]
Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks. [...]
Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks. [...]
Researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites which contains obfuscated code to load malware. These files are named jquery-migrate.js & jquery-migrate.min.js and present at the exact locations where JavaScript files are normally present on WordPress sites but are malicious …
A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite. [...]
A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite. [...]
The Linux Foundation, Red Hat, Google, and Purdue have unveiled the free 'sigstore' service that lets developers code-sign and verify open source software to prevent supply-chain attacks. [...]
Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect. [...]
Last night, GitHub automatically logged out many users and invalidated their sessions to protect user accounts against a potentially serious security vulnerability. Earlier this month GitHub had received a report of anomalous behavior from an external party. [...]
Google Chrome will block the browser's access to TCP port 554 to protect against attacks using the NAT Slipstreaming 2.0 vulnerability. [...]
The heavily downloaded Node.js library "systeminformation" has a severe command injection vulnerability tracked as CVE-2021-21315. [...]
Starting next month, LastPass will no longer allow a free account to be used on multiple types of devices (computers and mobile) at the same time. [...]
This week, hundreds of new packages have been published to the npm open-source repository named after private components being internally used by major companies. These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over major 35 tech …
A researcher managed to hack systems of over 35 major tech companies including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, Tesla, and Uber in a novel software supply chain attack. For his ethical hacking research efforts, the researcher has been awarded over $130,000 in bug bounties. [...]
A researcher managed to hack systems of over 35 major tech companies including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, Tesla, and Uber in a novel software supply chain attack. For his ethical hacking research efforts, the researcher has been awarded over $130,000 in bug bounties. [...]
Mozilla has released Firefox 85.0.1 and includes a fix that prevents a Windows 10 NTFS corruption bug from being triggered from the browser. [...]
Google has forcibly uninstalled the immensely popular 'The Great Suspender' extension from Google Chrome and classified it as malware. [...]
This month a researcher was awarded a bug bounty award of an undisclosed amount after he broke into the official GitHub repository of Microsoft Visual Studio Code. A vulnerability in VS Code's issue management function and a lack of authentication checks enabled the researcher to obtain push access, and …
This month Google engineers have fixed two vulnerabilities in the Go language (Golang), including a severe RCE flaw, and a cryptographic weakness. The RCE vulnerability tracked as CVE-2021-3115 mainly impacts Windows users of Go running the 'go get' command, due to the default behavior of Windows PATH lookups. [...]
The privacy-focused search engine DuckDuckGo continues to grow rapidly as the company reached 102M daily search queries for the first time in January. [...]
An undisclosed XSS vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA. [...]
Online survey and form creator Typeform has quietly patched a data hijacking vulnerability in its Zendesk Sell integration. If exploited, the vulnerability could let attacks redirect the form submissions containing potentially sensitive information to themselves. [...]