#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

software development | Breaking Cybersecurity News | The Hacker News

Category — software development
Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks

Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks

May 27, 2021
Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important...
Hackers Infecting Apple App Developers With Trojanized Xcode Projects

Hackers Infecting Apple App Developers With Trojanized Xcode Projects

Mar 19, 2021
Cybersecurity researchers on Thursday disclosed a new attack wherein threat actors are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend that involves targeting developers and researchers with malicious attacks. Dubbed "XcodeSpy," the trojanized Xcode project is a tainted version of a legitimate, open-source project available on GitHub called TabBarInteraction that's used by developers to animate iOS tab bars based on user interaction. "XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer's macOS computer along with a persistence mechanism," SentinelOne researchers  said . Xcode is Apple's integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS. Earlier this year, Google's Threat Analysis group  uncovered  a North Korean campaign aimed at security researche...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

Apr 16, 2020
As developers increasingly embrace off-the-shelf software components into their apps and services, threat actors are abusing open-source repositories such as RubyGems to distribute malicious packages, intended to compromise their computers or backdoor software projects they work on. In the latest research shared with The Hacker News, cybersecurity experts at ReversingLabs revealed over 700 malicious gems — packages written in Ruby programming language — that supply chain attackers were caught recently distributing through the RubyGems repository. The malicious campaign leveraged the typosquatting technique where attackers uploaded intentionally misspelled legitimate packages in hopes that unwitting developers will mistype the name and unintentionally install the malicious library instead. ReversingLabs said the typosquatted packages in question were uploaded to RubyGems between February 16 and February 25, and that most of them have been designed to secretly steal funds by r...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Jul 18, 2017
Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking. The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application. Dubbed " Devil's Ivy ," the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices. The Devil's Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications. "When exploited, it allows an attacker to remotely access a video ...
NSA Opens Github Account — Lists 32 Projects Developed by the Agency

NSA Opens Github Account — Lists 32 Projects Developed by the Agency

Jun 21, 2017
The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page. The NSA employs genius-level coders and brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlu e that was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide. The intelligence agency mostly works in secret, but after Edward Snowden leaks in 2013, the NSA has started (slowly) opening itself to the world. It joined Twitter in the same year after Snowden leaks and now opened a Github account. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program ( TTP ), while some of these are 'coming soon.' ...
Bulgaria passes Law that mandates Government Software must be Open Source

Bulgaria passes Law that mandates Government Software must be Open Source

Jul 07, 2016
Do you have any idea what the software you have installed is doing stealthily in the background? If it's not an open source software, can you find out? Usually, the answer is no. After Edward Snowden's revelations, it's clear that how desperately government agencies wants to put secret backdoors in your network, devices, and software. However, Bulgaria has come forward with an all new set of laws that would be appreciated by privacy lovers and open-source community. Also Read:  Top Best Password Managers . The Bulgarian Parliament has passed legislative amendments to its Electronic Governance Act that require all software written for the country's government to be fully open-sourced and developed in the public Github repository . This means that source code of software developed for the Bulgarian government would be accessible to everyone and provided free for use without limitations. Article 58A of the Electronic Governance Act states that administrative...
FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"

FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"

Mar 02, 2016
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code? Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday. The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama. The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone  belonged to San Bernardino shooter Syed Farook . FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone. Comey: Encryption is a Long-Term Threat to Law Enforcement Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an...
Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

Dec 29, 2016
Washington State Department of Corrections (DoC) is facing an investigation after it early released around 3,200 prisoners over the course of 13 years , since 2002, when a bug was introduced in the software used to calculate time credits for inmates' good behavior. The software glitch led to a miscalculation of sentence reductions that US prisoners were receiving for their good behaviour. Over the next 13 years, the median number of days of those released early from prison was 49 days before their correct release date. "This problem was allowed to continue for 13 years is deeply disappointing to me, totally unacceptable and, frankly, maddening," Washington State Governor Jay Inslee said in a statement . "I've [many] questions about how and why this happened, and I understand that members of the public will have those same queries." What's the Bug and How did it Remain Undetected for 13 Years? The issue lies in DoC software that is...
Facebook Opens Free Internet to Developers, But won't Support HTTPS Encryption

Facebook Opens Free Internet to Developers, But won't Support HTTPS Encryption

May 05, 2015
After facing much criticism for violation of Net Neutrality, Facebook has opened up its new Internet.org platform to developers for creating their apps and services in India and other countries. Facebook's Internet.org aims at offering free Internet access to " the next 5 billion " impoverished people around the world who currently don't have it. This current move now would potentially allow any website to be accessed for free via the Internet.org service, but only in the case, if the website ditches the encrypted communications (HTTPS), JavaScript, and other important things. Internet for All: Facebook offers free mobile Internet access to people in India , Zambia , Colombia, Tanzania, Kenya, Ghana, Philippines and Indonesia . However, in order to access the free Internet, users must have special Android apps, Internet.org's website, the Opera Mini web browser or Facebook's Android app. Until now, the Internet.org scheme had been...
Internet Explorer Developer Channel - Early Access to Next-Generation Features For Developers

Internet Explorer Developer Channel - Early Access to Next-Generation Features For Developers

Jun 16, 2014
In an effort to create more open and accessible atmosphere between the Internet Explorer team and the Web development community, Microsoft today announced the launch of The Developer Channel for Internet Explorer . Internet Explorer Developer Channel is a fully-functioning browser designed to provide Web programmers and early adopters an advance and better understanding of the features the team is currently working on and let them offer feedback before it reaches the broader public. " Today we're excited to announce the release of the Internet Explorer Developer Channel, a fully functioning browser designed to give Web developers and early adopters a sneak peek at the Web platform features we're working on, " Microsoft said in a blog post . Thankfully, Internet Explorer Developer Channel runs independently of the user's copy of IE and allows Web programmers to test newest Web technology and browser features without disrupting their current browser set...
Fedora 14 Introduces libjpegturbo for Faster Image Processing

Fedora 14 Introduces libjpegturbo for Faster Image Processing

Nov 05, 2010
Fedora 14, known as "Laughlin," officially launched on Tuesday, offering numerous new features aimed at enhancing the user experience for this open-source desktop operating system. Usability Focus In recent releases, Fedora, sponsored by Red Hat, has concentrated on improving usability. According to DistroWatch, Fedora is the second most popular Linux distribution after Ubuntu. Recent improvements have targeted networking, software management, and hardware support, focusing on bug fixes and stability in the latest release. Enhanced Desktop Environment One significant addition to Fedora 14 is "libjpegturbo," a library that dramatically improves performance for users loading and saving JPEG images. This library "practically halves processing time on most systems," claim the developers, even benefiting those on older hardware. Another notable feature is SPICE (Simple Protocol for Independent Computing Environment), a desktop virtualization framework enha...
New Windows 8 Rumors Highlight Advanced Features and Enhanced Security

New Windows 8 Rumors Highlight Advanced Features and Enhanced Security

Oct 30, 2010 Technology News / IT Updates
Just as you were getting comfortable with Windows 7, Windows 8 seems to be on the horizon for the next two years. Celebrating the one-year anniversary of Windows 7— the fastest-selling OS in history—Microsoft's Dutch website briefly mentioned its successor: "Microsoft is on course for the next version of Windows. But it will take about two years before 'Windows 8' hits the market." Winrumors.com translated and captured this post, and CNET took a screenshot of the text, which unsurprisingly disappeared after making headlines. Now, Microsoft is back to being tight-lipped about Windows 8 and its expected release. Reports from last year suggested Microsoft was developing a 128-bit version of its OS, likely to be Windows 8. Recently, NetworkWorld obtained over 15 confidential slide decks detailing possible features, including body-sensing technology similar to the Xbox Kinect, a desktop app store like Apple's forthcoming Mac App Store, near-instant CPU b...
New Firefox add-on "Firesheep" -  hijacks Facebook, Twitter sessions

New Firefox add-on "Firesheep" - hijacks Facebook, Twitter sessions

Oct 30, 2010 Cybersecurity / Network Security
A new Firefox add-on called "Firesheep," developed by Seattle-based freelance Web application developer Eric Butler, enables almost anyone to scan a Wi-Fi network and hijack others' access to popular services like Facebook, Twitter, and others. Butler unveiled Firesheep at the ToorCon security conference in San Diego, which occurred from October 22-24. Butler explained that he developed Firesheep to highlight the risks associated with accessing unencrypted websites via public Wi-Fi spots. While many sites secure user log-ins with HTTPS or SSL, they often do not encrypt the rest of the traffic. "This leaves the cookie, and the user, vulnerable," Butler stated in a blog post. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy." Once a hacker obtains a user's cookie, they can perform any action that the user can on the website. Firesheep can hijack sessions on several major sites, includ...
Expert Insights / Articles Videos
Cybersecurity Resources