software development | Breaking Cybersecurity News | The Hacker News

Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. "Each of these improvements helps mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft," Charlie Bell, Executive Vice President for Microsoft Security, said in a post shared with The Hacker News ahead of publication. Microsoft also noted that 90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by a hardened identity Software Development Kit (SDK) and that 92% of employee pr...

GitGuardian's State of Secrets Sprawl report for 2025 reveals the alarming scale of secrets exposure in modern software environments. Driving this is the rapid growth of non-human identities (NHIs), which have been outnumbering human users for years. We need to get ahead of it and prepare security measures and governance for these machine identities as they continue to be deployed, creating an unprecedented level of security risk. This report reveals an astounding 23.77 million new secrets were leaked on GitHub in 2024 alone. This is a 25% surge from the previous year. This dramatic increase highlights how the proliferation of non-human identities (NHIs), such as service accounts, microservices, and AI agents, are rapidly expanding the attack surface for threat actors. The Non-Human Identity Crisis NHI secrets, including API keys, service accounts, and Kubernetes workers, now outnumber human identities by at least 45-to-1 in DevOps environments. These machine-based credentials...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

There's a virtuous cycle in technology that pushes the boundaries of what's being built and how it's being used. A new technology development emerges and captures the world's attention. People start experimenting and discover novel applications, use cases, and approaches to maximize the innovation's potential. These use cases generate significant value, fueling demand for the next iteration of the innovation, and in turn, a new wave of innovators create the next generation of use cases, driving further advancements. Containerization has become the foundation of modern, cloud-native software development, supporting new use cases and approaches to building resilient, scalable, and portable applications. It also holds the keys to the next software delivery innovation, simultaneously necessitating the evolution to secure-by-design, continuously-updated software and serving as the means to get there. Below, I'll talk through some of the innovations that led to our containerized r...

Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem. The packages in question are ethers-provider2 and ethers-providerz , with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads. "They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. "The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers , installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell." The development marks a new escalation of threat actors...

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has been codenamed DeceptiveDevelopment, which overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240 ), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been ongoing since at least late 2023. "DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers," cybersecurity company ESET said in a report shared with The Hacker News. In November 2024, ESET confirmed to The Hacker News the overlaps between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity that operates with an aim to conduc...

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security . "Maintainers can now archive a project to let users know that the project is not expected to receive any more updates," Facundo Tuesca, senior engineer at Trail of Bits, said . In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected. That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues. In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project's status to downstream consumers. PyPI also recommends that package developers release a final version pr...

Microsoft has announced that it's making an "unexpected change" to the way .NET installers and archives are distributed, requiring developers to update their production and DevOps infrastructure. "We expect that most users will not be directly affected, however, it is critical that you validate if you are affected and to watch for downtime or other kinds of breakage," Richard Lander, a program manager on the .NET team, said in a statement last week. The move is the result of the fact that some .NET binaries and installers are hosted on Azure Content Delivery Network (CDN) domains that end in .azureedge[.]net -- dotnetcli.azureedge.net and dotnetbuilds.azureedge.net -- which are hosted on Edgio. Last month, web infrastructure and security company Akamai acquired select assets from Edgio following its bankruptcy. As part of this transition, the Edgio platform is scheduled to end service on January 15, 2025. Given that the .azureedge[.]net domains could ceas...

Having been at ActiveState for nearly eight years, I've seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code. ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping to get open source on platforms like Windows. Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn't producing it in the way they needed it. We began managing builds at scale, and supporting enterprises in understanding what open source they're using and if it's compliant and safe. Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we're unveiling our end-to-end platform to help m...

Artificial Intelligence (AI) is no longer a far-off dream—it's here, changing the way we live. From ordering coffee to diagnosing diseases, it's everywhere. But while you're creating the next big AI-powered app, hackers are already figuring out ways to break it. Every AI app is an opportunity—and a potential risk. The stakes are huge: data leaks, downtime, and even safety threats if security isn't built in. With AI adoption moving fast, securing your projects is no longer optional—it's a must. Join Liqian Lim, Senior Product Marketing Manager at Snyk, for an exclusive webinar that's all about securing the future of AI development. Titled " Building Tomorrow, Securely: Securing the Use of AI in App Development ," this session will arm you with the knowledge and tools to tackle the challenges of AI-powered innovation. What You'll Learn: Get AI-Ready: How to make your AI projects secure from the start. Spot Hidden Risks: Uncover threats you might not see coming. Understand the Ma...

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak , up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone . One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1 , and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk.  Why Does Rotation Take So L...

Microsoft is further delaying the release of its controversial Recall feature for Windows Copilot+ PCs, stating it's taking the time to improve the experience. The development was first reported by The Verge. The artificial intelligence-powered tool was initially slated for a preview release starting in October. "We are committed to delivering a secure and trusted experience with Recall," the company said in an updated statement released Thursday. "To ensure we deliver on these important updates, we're taking additional time to refine the experience before previewing it with Windows Insiders. Originally planned for October, Recall will now be available for preview with Windows Insiders on Copilot+ PCs by December" Microsoft unveiled Recall earlier this May, describing it as a way for users to explore a "visual timeline" of their screens over time and help find things from apps, websites, images, and documents. The search experience was meant...

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service." LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It's also the developer behind an npm package named lottie-player , which allows for embedding and playing Lottie animations on websites. According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest ...

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs. The attack, codenamed CrossBarking , could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said. To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack. "This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News. The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not th...

Apple has publicly made available its Private Cloud Compute (PCC) Virtual Research Environment (VRE), allowing the research community to inspect and verify the privacy and security guarantees of its offering. PCC, which Apple unveiled earlier this June, has been marketed as the "most advanced security architecture ever deployed for cloud AI compute at scale." With the new technology, the idea is to offload computationally complex Apple Intelligence requests to the cloud in a manner that doesn't sacrifice user privacy. Apple said it's inviting "all security and privacy researchers — or anyone with interest and a technical curiosity — to learn more about PCC and perform their own independent verification of our claims." To further incentivize research, the iPhone maker said it's expanding the Apple Security Bounty program to include PCC by offering monetary payouts ranging from $50,000 to $1,000,000 for security vulnerabilities identified in it. Th...

Cybersecurity researchers have found that entry points could be abused across multiple programming ecosystems like PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates to stage software supply chain attacks. "Attackers can leverage these entry points to execute malicious code when specific commands are run, posing a widespread risk in the open-source landscape," Checkmarx researchers Yehuda Gelb and Elad Rapaport said in a report shared with The Hacker News. The software supply chain security company noted that entry-point attacks offer threat actors a more sneaky and persistent method of compromising systems in a manner that can bypass traditional security defenses. Entry points in a programming language like Python refer to a packaging mechanism that allows developers to expose certain functionality as a command-line wrapper (aka console_scripts). Alternatively, they can also serve to load plugins that augment a package's features. Checkmarx noted that while en...