DevOps Security | Breaking Cybersecurity News | The Hacker News

A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account " BufferZoneCorp ," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below - Ruby: knot-activesupport-logger knot-devise-jwt-helper knot-rack-session-store knot-rails-assets-pipeline knot-rspec-formatter-json knot-date-utils-rb (Sleeper gem) knot-simple-formatter (Sleeper gem) Go: github[.]com/BufferZoneCorp/go-metrics-sdk github[.]com/BufferZoneCorp/go-weather-sdk github[.]com/BufferZoneCorp/go-retryablehttp github[.]com/BufferZoneCorp/go-stdlib-ext github[.]com/BufferZoneCorp/grpc-client github[.]com...

The threat actors behind the supply chain attack targeting the popular Trivy scanner are suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages with a previously undocumented self-propagating worm dubbed CanisterWorm . The name is a reference to the fact that the malware uses an ICP canister , which denotes a tamperproof smart contract on the Internet Computer blockchain, as a dead drop resolver . The development marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said . The list of affected packages is below - 28 packages in the @EmilGroup scope 16 packages in the @opengov scope @teale.io/eslint-config @airtm/uuid-base32 @pypestream/floating-ui-dom The development comes within a day after threat actors leveraged a compromised credential to publish malicious trivy, trivy-action, and setup-triv...

Big companies are getting smaller, and their CEOs want everyone to know it . Wells Fargo has cut its workforce by 23% over five years, Bank of America has shed 88,000 employees since 2010, and Verizon's CEO recently boasted that headcount is "going down all the time." What was once a sign of corporate distress has become a badge of honor, with executives celebrating lean operations and AI-driven efficiency. But while C-suite leaders tout "doing more with less," CISOs are left with fewer resources, while every preventable security incident becomes exponentially costlier. With security teams already stretched thin and developer-to-security ratios reaching unsustainable levels, these workforce reductions push already distressed teams past their breaking point. Against this backdrop of workforce optimization, hardcoded secrets represent a particularly dangerous blind spot that can no longer be managed through manual processes and reactive firefighting. The Number...