1+ day, 9+ hour ago  (379+ words) Git Hub calls the new control "proof of presence" " evidence that a real, authenticated human reviewed and approved code before it reached developers. The approval step cannot be completed with automation credentials, Open ID Connect (OIDC) tokens, or any non-interactive…...

1+ day, 1+ hour ago  (175+ words) What made this attack particularly alarming was its scope and speed. In a single 48-hour window, Team PCP executed coordinated attacks across five different surfaces: Git Hub's statement emphasized that "the activity involved exfiltration of Git Hub-internal repositories only," but…...

1+ day, 1+ hour ago  (553+ words) 3rd Party Risk Management, Agentic AI, Application Security A startup led by a former Stanford University lecturer raised $60 million to bring security controls to endpoints, laptops, notebooks and local developer environments. See Also: Know Thy Enemy: Threats to Cyber Resilience "Security…...

1+ day, 5+ hour ago  (658+ words) There have been multiple notable supply chain attacks using the npm Registry since September: Shai-Hulud, Chalk/Debug, one abusing tea. xyz tokens, and recently axios. Thanks to community efforts involving the Amazon Inspector team, the Open Source Security Foundation, and…...

1+ day, 8+ hour ago  (188+ words) How software reuse, automation, and AI are reshaping risk across the SDLC. Across ecosystems, dependency adoption follows a power-law distribution, where a relatively small set of packages appears across a disproportionate share of organizations. As a result, weaknesses in widely…...

1+ day, 9+ hour ago  (512+ words) Unlike prior attacks, Trap Door combines classic credential stealing modules with a novel twist targeting AI coding assistants. Attackers embedded invisible directives inside Cursor rules and Claude config files to hijack trusted workflows. Socket researchers linked 34 distinct package names and…...

2+ day, 7+ hour ago  (117+ words) Discover how QLNX, targets developer workstations and CI/CD pipelines to execute supply-chain compromises, its tactics, and detection with Guardsix SIEM....

1+ day, 4+ hour ago  (409+ words) The vulnerabilities arise from insecure handling of user-controlled input and unsafe configuration loading within the extension. Researchers found that attackers can exploit trusted development workflows, such as opening a project or reviewing source code, to execute arbitrary commands on a…...

1+ day, 8+ hour ago  (372+ words) Detectify has unveiled the Detectify MCP (Model Context Protocol) Server, a new integration layer that brings Detectify's security testing engines directly into AI-driven development workflows, helping coding agents find and validate exploitable vulnerabilities and interpret attack surface data with greater…...

1+ day, 4+ hour ago  (513+ words) Developers using Microsoft's code editor could hand an attacker full control of their machine by clicking a single install link, with nothing in the confirmation screen to warn them. Microsoft has since patched the flaw. See Also: Know Thy Enemy:…...