Microsoft’s lax policies in PowerShell Gallery provoke supply chain attacks
Microsoft's PowerShell Gallery contains vulnerabilities that enable supply chain, spoofing and typosquatting attacks. The vulnerabilities arose from the product's lax naming policy for code repositories.
PowerShell Gallery constitutes a hugely popular code hosting platform. The pla...
D2iQ CTO: How to breathe easy in air-gapped environments
The drive to finesse software application development practices aligned to specific types of applications and data services continues to expand and diversify. Among the more ‘high-end’ software engineering disciplines is the move to harness air-gapped development practices.
When we talk abou...
GitHub reaches 100 million user milestone
The platform grew from three million to one hundred million users in less than a decade. GitHub is clearly loved.
Exactly ten years ago, three million developers used the platform. That number had grown to 28 million by the time Microsoft acquired GitHub in 2018. Three months ago, the 90 millio...
GitHub simplifies code vulnerability scanning
With only a few clicks, developers can configure code scanning for a repository using the new default setup introduced by GitHub.
Although GitHub's code scanning is powered by the CodeQL code analysis engine, which supports a wide range of languages and compilers, the new option is only availabl...
Slack loses code repositories to unauthorized user
An unauthorized user gained access to Slack's GitHub repositories. The user managed to download the repositories before Slack plugged the leak.
The damage appears limited, as none of the stolen repositories involve Slack's source code or user data. The organization stresses that source code and...
GitHub introduces free secret scanning for all repositories
The new service allows developers to find exposed secrets and credentials.
In a move to secure the global software supply chain, GitHub plans to allow developers to scan their repositories for exposed secrets and credentials for free. The new service was announced in a Tweet this week.
Mariam...
Auth0 warns that its source code repositories may have been breached
Auth0, an authentication service provider and Okta subsidiary, has reported a security incident impacting several of its code repositories.
Over 2,000 business clients from 30 countries utilize Auth0's authentication technology to verify over 42 million daily logins. Notable clients include AM...
Backdoor in public code repository presents a new security threat
A new form of attack, "dependency confusion", has been used to target big tech firms.
A professional tester has created a backdoor that researchers found hiding inside open source code targeting four German companies, according to a report in Ars Technica. The tester was checking clients’ r...
Sophisticated malware from PyPI was downloaded more than 41,000 times
PyPI, the open-source repository used by both large and small organizations to download code libraries, was hosting 11 malicious packages that were downloaded more than 41,000 times, in one of the latest reported incidents of this nature.
JFrog found the software supply chain risk. This security...
PHP compromised: user database leakage prime suspect
Nikita Popov, a PHP maintainer, posted an update regarding how the source code was compromised and corrupted by the insertion of malicious code. Popov blames a user database leak, rather than an issue with the server itself.
The PHP code repository was compromised toward the end of last month, w...