All news with #software supply chain security tag

🔐 Akido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

🔐 A coalition of 21 agencies from 15 countries, led by CISA and the NSA, published joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity on September 3. The document defines SBOM concepts, clarifies roles for producers, choosers and operators, and urges cross-border adoption. It promotes harmonized technical implementations and integration of SBOMs into security workflows to reduce complexity and improve supply chain risk management.

🔒 CISA, the NSA, and 19 international partners published a joint guide outlining the benefits of adopting software bills of materials (SBOM) to increase software component and supply chain transparency. The guide advises software producers, purchasers, and operators to integrate SBOM generation, analysis, and sharing into security processes to better identify and mitigate component risks. It calls for international alignment of SBOM technical approaches to reduce complexity, improve interoperability, and advance secure-by-design software.

🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.

🛡️ CISA has released the Software Acquisition Guide: Supplier Response Web Tool to help IT leaders, procurement officers and software vendors strengthen cybersecurity across the acquisition lifecycle. The free, interactive platform digitizes CISA’s existing guidance into an adaptive format that highlights context-specific questions and generates exportable summaries for CISOs, CIOs and other decision-makers. Designed with secure-by-design and secure-by-default principles, the tool supports due diligence without requiring procurement professionals to be cybersecurity experts and aims to simplify risk-aware procurement decisions.

🛡️ CISA released the Software Acquisition Guide: Supplier Response Web Tool, a free, interactive resource to help IT and procurement professionals assess software assurance and supplier risk across the acquisition lifecycle. The Web Tool converts existing guidance into an adaptive, question-driven interface with exportable summaries for CISOs and CIOs. It emphasizes secure-by-design and secure-by-default practices to strengthen due diligence and procurement outcomes.

📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.

📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

🔐 Google’s Open Source Security Team today announced OSS Rebuild, a new project to reproduce upstream artifacts and supply SLSA-grade provenance for popular package ecosystems. The service automates declarative build definitions and reproducible builds for PyPI, npm, and Crates.io, generating attestations that meet SLSA Build Level 3 requirements without requiring publisher changes. Security teams can use the project to verify published artifacts, detect unexpected embedded source or build-time compromises, and integrate the resulting provenance into vulnerability response workflows. The project is available as a hosted data set and as open-source tooling and infrastructure for organizations to run their own rebuild pipelines.