The Hidden Danger of Dependency Hell: Supply Chain Attacks in Modern Web Apps 📦
submitted by /u/JadeLuxe [link] [comments]
Articles tagged with: #supply-chain
Clear filter
Malicious NuGet Packages Mimic as Popular Nethereum Project to Steal Wallet Keys
A sophisticated supply chain attack has emerged targeting cryptocurrency developers through the NuGet package ecosystem. Cybersecurity researchers have uncovered malicious packages impersonating Nethereum, a widely trusted .NET library for Ethereum blockchain interactions with tens of millions of downloads. The counterfeit packages, identified as Netherеum.All and NethereumNet, employ advanced obfuscation techniques to exfiltrate sensitive wallet credentials
Self-Spreading 'GlassWorm' Infects VS Code Extensions in Widespread Supply Chain Attack
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span
Classport: Designing Runtime Dependency Introspection for Java
arXiv:2510.20340v1 Announce Type: cross Abstract: Runtime introspection of dependencies, i.e., the ability to observe which dependencies are currently used during program execution, is fundamental for Software Supply Chain security. Yet, Java has no support for it. We solve this problem with Classport, a system that embeds dependency information into Java class files, enabling the retrieval of dependency information at runtime. We evaluate Classport on six real-world projects, demonstrating the...
VU#534320: NPM supply chain compromise exposes challenges to securing the ecosystem from credential theft and self-propagation
Overview A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. At the time of writing, over 500 packages have been affected, and the number continues to grow. The attack involves a self-propagating malware variant dubbed Shai-Hulud , which spreads via credential theft and automated package publishing. The campaign escalated rapidly, including compromise of packages published by CrowdStrike. This notice aims to raise...
![[tl;dr sec] #302 - LLM Honeypot Catches Threat Actor, Supply Chain Compromise Survey, AI-powered Malware](https://beehiiv-images-production.s3.amazonaws.com/uploads/publication/thumbnail/080a561f-2435-4477-a549-ab9f115e047c/landscape_Screenshot_2024-11-21_at_10.48.21_AM.png)
[tl;dr sec] #302 - LLM Honeypot Catches Threat Actor, Supply Chain Compromise Survey, AI-powered Malware
Deceiving attackers with an LLM SSH honeypot, root cause analysis of 2024/2025 supply chain compromises, malware leveraging AI for stealth/better effectiveness
What do you see as the biggest cyber threat right now?
The threat landscape never stands still. AI phishing, ransomware and supply-chain attacks are everywhere. It's getting harder to tell which one deserves the most attention right now. What do you think is the biggest cyber threat at the moment? submitted by /u/ANYRUN-team [link] [comments]
From Path Traversal to Supply Chain Compromise: Breaking MCP Server Hosting
submitted by /u/mabote [link] [comments]
Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys
Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims' cryptocurrency wallet keys. The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and
New GlassWorm Using Invisible Code Hits Attacking VS Code Extensions on OpenVSX Marketplace
Over the past week, cybersecurity professionals have been gripped by the emergence of GlassWorm, a highly sophisticated, self-propagating malware campaign targeting VS Code extensions on the OpenVSX Marketplace. The scale and technical complexity of this attack signal a turning point for supply chain security in developer ecosystems. As of October 2025, over 35,800 installations have
Self-spreading GlassWorm malware hits OpenVSX, VS Code registries
A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times.
131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign
Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users. "
How do we implement top 10 owasp llm attacks.
So my team is building a learning platform for non-experts to understand and practice attacks mapped to the OWASP Top 10 llm attacks for an hackathon . So some of the attack like Supply chain attack is quite hard to demonstrate, Could you guys help us out in ideating on how to build such a tool.( I have checked other resources but none answers my question) submitted by /u/Agitated-Crab5816 [link] [comments]
F5 supply-chain hack endangers more than 600,000 internet-connected devices
The enterprise device vendor has patched several vulnerabilities that hackers discovered after breaching its networks.
North Korean Hackers Using EtherHiding to Deliver Malware and Steal Cryptocurrency
In recent months, a sophisticated malware campaign - dubbed EtherHiding - has emerged from North Korea-aligned threat actors, sharply escalating the cybersecurity risks facing cryptocurrency exchanges and their users worldwide. The campaign surfaced in the wake of heightened regulatory crackdowns on illicit crypto transactions, with attackers shifting tactics to exploit new digital supply chain vulnerabilities. EtherHiding first appeared in
Lexo: Eliminating Stealthy Supply-Chain Attacks via LLM-Assisted Program Regeneration
arXiv:2510.14522v1 Announce Type: new Abstract: Software supply-chain attacks are an important and ongoing concern in the open source software ecosystem. These attacks maintain the standard functionality that a component implements, but additionally hide malicious functionality activated only when the component reaches its target environment. Lexo addresses such stealthy attacks by automatically learning and regenerating vulnerability-free versions of potentially malicious components. Lexo...
Supply Chain Risk in VSCode Extension Marketplaces
submitted by /u/digicat [link] [comments]
SecurityScorecard Reports Record Quarter, Boosts AI Innovation
SecurityScorecard delivers strong growth balanced with profitability, including positive free cash flow and 40% improvement in ARR per FTE. Employee eNPS is rising across departments, showing steady progress toward our +30 goal for 2025. SecurityScorecard, the global leader in Supply Chain Detection and Response (SCDR), today announced record momentum and...
SpyChain: Multi-Vector Supply Chain Attacks on Small Satellite Systems
arXiv:2510.06535v2 Announce Type: replace Abstract: Small satellites are integral to scientific, commercial, and defense missions, but reliance on commercial off-the-shelf (COTS) hardware broadens their attack surface. Although supply chain threats are well studied in other cyber-physical domains, their feasibility and stealth in space systems remain largely unexplored. Prior work has focused on flight software, which benefits from strict security practices and oversight. In contrast, auxiliary...
MCPTotal Launches to Power Secure Enterprise MCP Workflows
MCPTotal, a comprehensive secure Model Context Protocol (MCP) platform, today announced its flagship platform to help businesses adopt and secure MCP servers. MCP has become the standard interface for connecting AI models with enterprise systems, external data sources, and third-party applications. But, uncontrolled adoption has introduced major risks, including supply chain exposures, prompt injection vulnerabilities,