software dependencies – Experimental News Clipping Site

Unit 42: "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

Sep 17, 2025

—

by

Source URL: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ Source: Unit 42 Title: "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack Feedly Summary: Self-replicating worm “Shai-Hulud” has compromised 180-plus software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more. The post “Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack appeared first on Unit…

The Register: Self-propagating worm fuels latest npm supply chain compromise

Sep 16, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://www.theregister.com/2025/09/16/npm_under_attack_again/ Source: The Register Title: Self-propagating worm fuels latest npm supply chain compromise Feedly Summary: Intrusions bear the same hallmarks as recent Nx mess The npm platform is the target of another supply chain attack, with crims already compromising 187 packages and counting.… AI Summary and Description: Yes Summary: The text discusses a…

Anchore: Grant’s Release 0.3.0: Smarter Policies, Faster Scans, and Simpler Compliance

Sep 16, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://anchore.com/blog/grants-release-0-3-0-smarter-policies-faster-scans-and-simpler-compliance/ Source: Anchore Title: Grant’s Release 0.3.0: Smarter Policies, Faster Scans, and Simpler Compliance Feedly Summary: Every modern application is built on a foundation of open source dependencies. Dozens, hundreds, sometimes thousands of packages can make up a unit of software being shipped to production. Each of these packages carries its own license…

Anchore: NPM Supply Chain Breach Response for Anchore Enterprise and Grype Users

Sep 11, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://anchore.com/blog/npm-supply-chain-breach-response-for-anchore-enterprise-and-grype-users/ Source: Anchore Title: NPM Supply Chain Breach Response for Anchore Enterprise and Grype Users Feedly Summary: On September 8, 2025 Anchore was made aware of an incident involving a number of popular NPM packages to insert malware. The technical details of the attack can be found in the Aikido blog post: npm…

Slashdot: Google’s New Security Project ‘OSS Rebuild’ Tackles Package Supply Chain Verification

Jul 28, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://news.slashdot.org/story/25/07/28/0254233/googles-new-security-project-oss-rebuild-tackles-package-supply-chain-verification?utm_source=rss1.0mainlinkanon&utm_medium=feed Source: Slashdot Title: Google’s New Security Project ‘OSS Rebuild’ Tackles Package Supply Chain Verification Feedly Summary: AI Summary and Description: Yes Summary: Google’s Open Source Security Team has launched a project called OSS Rebuild aimed at enhancing security and transparency in open-source package ecosystems. This initiative focuses on automating the reconstruction of…

The Register: Not pretty, not Windows-only: npm phishing attack laces popular packages with malware

Jul 24, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/ Source: The Register Title: Not pretty, not Windows-only: npm phishing attack laces popular packages with malware Feedly Summary: The “is" package was infected with cross-platform malware after a scam targeting maintainers The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the…

Simon Willison’s Weblog: Introducing OSS Rebuild: Open Source, Rebuilt to Last

Jul 23, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://simonwillison.net/2025/Jul/23/oss-rebuild/ Source: Simon Willison’s Weblog Title: Introducing OSS Rebuild: Open Source, Rebuilt to Last Feedly Summary: Introducing OSS Rebuild: Open Source, Rebuilt to Last Major news on the Reproducible Builds front: the Google Security team have announced OSS Rebuild, their project to provide build attestations for open source packages released through the NPM,…

Anchore: Beyond Software Dependencies: The Data Supply Chain Security Challenge of AI-Native Applications

Jul 15, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://anchore.com/blog/beyond-software-dependencies-the-data-supply-chain-security-challenge-of-ai-native-applications/ Source: Anchore Title: Beyond Software Dependencies: The Data Supply Chain Security Challenge of AI-Native Applications Feedly Summary: Just as the open source software revolution fundamentally transformed software development in the 2000s—bringing massive productivity gains alongside unprecedented supply chain complexity—we’re witnessing history repeat itself with Large Language Models (LLMs). The same pattern that…

Scott Logic: An SBOM primer with some practical insights

May 16, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://blog.scottlogic.com/2025/05/16/sbom-primer-practical-insights.html Source: Scott Logic Title: An SBOM primer with some practical insights Feedly Summary: We’ve been generating Software Bills of Materials (SBOMs) on client projects for several years now, and we’d like to share insights into the positive impact they’ve had on security, resilience and engineering quality, along with some considerations to bear…

Anchore: Anchore’s SBOM Learning Week: From Reactive to Resilient in 5 Days

May 1, 2025

—

by

Kurt Seifried

in Uncategorized

Source URL: https://anchore.com/blog/anchores-sbom-learning-week-from-reactive-to-resilient-in-5-days/ Source: Anchore Title: Anchore’s SBOM Learning Week: From Reactive to Resilient in 5 Days Feedly Summary: Your software contains 150+ dependencies you didn’t write, don’t maintain, and can’t fully audit—yet you’re accountable for every vulnerability they introduce. Organizations implementing comprehensive SBOM strategies detect supply chain compromises in minutes instead of days—or worse…

Tag: software dependencies