PyPI suspends new projects and users due to malicious activity

The PyPI (Python Package Index) team has temporarily suspended new projects and users on their platform due to malicious activity.

This surge in malicious activity aligns with a larger trend observed across several open-source registries in recent months. Notably, incidents such as the flood of malicious packages on the NPM JavaScript package manager and a similar attack on the Nuget package manager last year, involving over 140,000 malicious packages, have highlighted the...

22 May 2023 | Hacking & Security

ChatGPT-generated code is often insecure

OpenAI's large language model, ChatGPT, is capable of generating code but produces insecure code without alerting users to its inadequacies, according to research by computer scientists from the Université du Québec in Canada.

The researchers asked ChatGPT to generate 21 programs in five programming languages to illustrate specific security vulnerabilities such as memory corruption, denial of service, and improperly implemented cryptography.

ChatGPT produced only five...

21 April 2023 | Development Tools

Visual Studio Marketplace is the latest supply chain attack vector

Aqua Security researchers have found that hackers are using Visual Studio Marketplace to conduct supply chain attacks.

In a new report, the researchers uncovered that attackers could impersonate popular VS Code extensions to trick developers into downloading malicious versions.

VS Code is the most popular IDE, with around 74.48 percent of developers using it. The vast array of extensions available for VS Code is partly what drives its popularity.

Here are some...

9 January 2023 | Development Tools

Hackers compromised Okta’s private GitHub repos

Okta says hackers compromised its private GitHub repos earlier this month and stole its source code.

BleepingComputer got hold of a “confidential” email notification sent by Okta to its “security contacts” about the breach.

The Identity and Access Management (IAM) solutions leader says GitHub alerted Okta to the suspicious access earlier this month.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories," wrote...

21 December 2022 | Git

Malware campaign targets official Python and JavaScript repos

An active malware campaign is targeting official Python and JavaScript repositories.

Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.

Typosquats take advantage of simple typos to install malicious packages.

In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests,...

13 December 2022 | Hacking & Security

PyPI maintainers warn of ongoing phishing attack

The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.

A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed:

The...

25 August 2022 | Hacking & Security

Source code for Rust-based malware leaks on hacking forums

The source code for an info-stealing malware based on Rust has leaked on hacking forums.

Security analysts claim the malware is actively used in attacks and it appears to have a high antivirus evasion rate. VirusTotal returns a detection rate of around 22 percent.

The developer claims to have developed the malware in just six hours. Despite being based on Rust, the malware currently only targets Windows machines.

Cybersecurity firm Cyble analysed the malware...

26 July 2022 | Hacking & Security

Web3 projects lost over $2B to hacks in H1 2022

A report from CertiK finds that web3 projects lost over $2 billion to hacks in H1 2022—more than all of 2021 combined.

“2022 is already the most expensive year for web3 by far. From these numbers, 2022 is forecast to see a 223% increase in the funds lost to attacks when compared with 2021,” wrote CeriK in their report.

CertiK’s sobering report highlights the difficulties of an industry that pitches itself as returning to the decentralised ideals of web1 while...

8 July 2022 | Blockchain

HackerOne employee disclosed vulnerabilities ‘for personal gain’ 

An employee of HackerOne was caught accessing security reports and disclosing vulnerabilities “for personal gain”.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.

Following a customer report of a suspicious vulnerability disclosure made outside of the HackerOne platform, the company decided to launch an investigation.

Jober Abma, Co-Founder of HackerOne,...

4 July 2022 | Hacking & Security

GitHub will mandate 2FA to help secure the software supply chain

GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.

Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.

“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity...

4 May 2022 | Git