Software Supply Chain
Red Hat Introduces Rekor Monitor for Artifact Signer
Reported by AI
Red Hat has enabled Rekor Monitor for its Trusted Artifact Signer, strengthening software supply chain security through continuous verification of the Rekor transparency log. Instead of trusting the log operator, users can run a monitor that follows the log as it grows and checks that each newly published checkpoint is consistent with the previous one, so that an entry that is rewritten or removed after publication is detected.
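What a transparency-log monitor actually checks, as an added example (this is not Red Hat's or the sigstore project's code): a minimal RFC 6962 Merkle tree with consistency-proof generation, the RFC 9162 consistency-verification algorithm, and a monitor that only advances its trusted checkpoint when a valid proof links the old root to the new one. The log entries are constructed byte strings standing in for real Rekor entries, and the Monitor class and demo_* function names are hypothetical.

```python
import hashlib

# Added example, not project code: RFC 6962/9162 Merkle-tree consistency checking,
# the core of what a transparency-log monitor verifies between two checkpoints.

def leaf_hash(data: bytes) -> bytes:
    # Leaves are domain-separated with 0x00 so a leaf can never collide with a node.
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use the 0x01 prefix.
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2): the RFC 6962 split point.
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(leaves: list) -> bytes:
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def consistency_proof(leaves: list, m: int) -> list:
    # PROOF(m, D[n]) from RFC 6962 section 2.1.2: the log operator computes this so a
    # monitor can check that the first m entries are unchanged inside the n-entry tree.
    if not 0 < m <= len(leaves):
        raise ValueError("m must satisfy 0 < m <= n")
    return _subproof(leaves, m, True)

def _subproof(leaves: list, m: int, complete: bool) -> list:
    n = len(leaves)
    if m == n:
        return [] if complete else [tree_hash(leaves)]
    k = _split(n)
    if m <= k:
        return _subproof(leaves[:k], m, complete) + [tree_hash(leaves[k:])]
    return _subproof(leaves[k:], m - k, False) + [tree_hash(leaves[:k])]

def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, proof: list) -> bool:
    # Verifier from RFC 9162 section 2.1.4.2; this is the monitor's side of the check.
    if first < 1 or first > second:
        return False
    if first == second:
        return not proof and first_hash == second_hash
    if not proof:
        return False
    path = list(proof)
    if (first & (first - 1)) == 0:       # old size is a power of two: old root is a subtree
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = node_hash(c, fr)
            sr = node_hash(c, sr)
            if not fn & 1:
                while True:
                    fn >>= 1
                    sn >>= 1
                    if fn & 1 or fn == 0:
                        break
        else:
            sr = node_hash(sr, c)
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0

class Monitor:
    """Holds the last checkpoint it trusted; accepts a new one only if a valid proof links them."""
    def __init__(self, size: int, root: bytes):
        self.size, self.root = size, root

    def advance(self, new_size: int, new_root: bytes, proof: list) -> bool:
        if not verify_consistency(self.size, new_size, self.root, new_root, proof):
            return False                  # rewritten history or a split view: raise an alert
        self.size, self.root = new_size, new_root
        return True

# Constructed entries standing in for Rekor entries (real entries carry signed artifact metadata).
ENTRIES = [f"entry-{i}".encode() for i in range(7)]

def demo_honest() -> bool:
    mon = Monitor(3, tree_hash(ENTRIES[:3]))
    return mon.advance(7, tree_hash(ENTRIES), consistency_proof(ENTRIES, 3))

def demo_rewritten_history() -> bool:
    mon = Monitor(3, tree_hash(ENTRIES[:3]))
    tampered = list(ENTRIES)
    tampered[1] = b"entry-1-replaced"   # operator quietly alters an already-published entry
    return mon.advance(7, tree_hash(tampered), consistency_proof(tampered, 3))

if __name__ == "__main__":
    print("honest log accepted:", demo_honest())
    print("tampered log accepted:", demo_rewritten_history())
```

The tampered case is the one a monitor exists for: the new root and proof are internally consistent, but they cannot be linked to the root the monitor already recorded, so the attempt to change an old entry is caught. A production monitor additionally verifies the operator's signature on each checkpoint before running this check.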
Malicious npm packages deliver infostealer malware to developers
Security firm Socket has uncovered ten malicious packages in the npm registry that target developers on Windows, macOS, and Linux. The packages, available since July, use typosquatting (names that are near misspellings of popular packages) and heavy obfuscation to install infostealer malware, which harvests browser-stored credentials, SSH keys, and configuration files and exfiltrates them to attacker-controlled infrastructure.
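A check a practitioner can run against a project's manifest before install, as an added example (not Socket's tooling): flag any dependency whose name is within one edit, including an adjacent-character swap, of a well-known package name, which is the pattern typosquatting relies on. The popular-package list and the package.json content are constructed for the example; the function names are hypothetical.

```python
import json

# Added example, not Socket's tooling: look-alike dependency names in a package.json.

POPULAR_PACKAGES = [  # constructed allow-list; a real check would use your own inventory
    "express", "lodash", "react", "cross-env", "axios", "chalk", "debug", "commander",
]

SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "express": "^4.19.0",
    "lodahs": "1.0.0",
    "crossenv": "5.0.0",
    "my-internal-lib": "1.2.3"
  },
  "devDependencies": {
    "chalk": "^5.0.0"
  }
}
"""

def osa_distance(a: str, b: str) -> int:
    # Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars.
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def typosquat_candidates(dep_names, known, max_distance=1):
    # Returns (dependency, look-alike, distance) for names close to, but not equal to, a known name.
    findings = []
    known_set = set(known)
    for dep in sorted(dep_names):
        if dep in known_set:
            continue
        best = min(known, key=lambda k: osa_distance(dep, k))
        dist = osa_distance(dep, best)
        if dist <= max_distance:
            findings.append((dep, best, dist))
    return findings

def audit_package_json(text, known, max_distance=1):
    manifest = json.loads(text)
    deps = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    return typosquat_candidates(deps, known, max_distance)

if __name__ == "__main__":
    for dep, lookalike, dist in audit_package_json(SAMPLE_PACKAGE_JSON, POPULAR_PACKAGES):
        print(f"suspicious: {dep!r} is {dist} edit(s) from {lookalike!r}")
```

Treat a hit as a prompt to look at the package, not as proof of malice: short legitimate names sit close to each other, and a distance of two produces many false positives, which is why the default threshold is one.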
Backdoor in XZ Utils exposes Linux security risks
In spring 2024, a sophisticated backdoor was discovered in XZ Utils versions 5.6.0 and 5.6.1. The malicious code, built into liblzma, hooked OpenSSH's RSA public-key verification on Linux distributions where sshd links liblzma through libsystemd, giving an attacker holding the matching private key remote code execution via SSH. It had been injected by a pseudonymous contributor known as Jia Tan, who had spent about two years earning maintainer trust, and was uncovered by Microsoft engineer Andres Freund on March 29, 2024, after he noticed sshd consuming unusual CPU time and producing valgrind errors during testing. The incident highlighted how much open-source software supply chains depend on trust in individual maintainers.