All news with #supply chain vulnerability tag

⚠️ Trend Micro disclosed two critical authentication-bypass vulnerabilities in Wondershare RepairIt that exposed private user files, AI models, and build artifacts due to embedded overly permissive cloud tokens and unencrypted storage. The flaws, tracked as CVE-2025-10643 (CVSS 9.1) and CVE-2025-10644 (CVSS 9.4), allow attackers to circumvent authentication and potentially execute arbitrary code via supply-chain tampering. Trend Micro reported the issues through ZDI in April 2025 and warns users to restrict interaction with the product until a vendor fix is issued.

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.

🔒 A recent survey by SecurityScorecard found 71% of organizations experienced at least one material third‑party cybersecurity incident in the past year, with 5% reporting ten or more. Rising third‑party involvement — echoed in the 2025 Verizon Data Breach Investigations Report — and sprawling supplier ecosystems expand attackers’ avenues. Experts warn SaaS platforms, open‑source packages, and CI/CD pipelines are increasingly exploited, often via abused OAuth, stolen credentials, or over‑permissioned integrations.

🔒 Unit 42 describes a widespread flaw called Model Namespace Reuse that lets attackers reclaim abandoned Hugging Face Author/ModelName namespaces and distribute malicious model code. The technique can lead to remote code execution and was demonstrated against major platforms including Google Vertex AI and Azure AI Foundry, as well as thousands of open-source projects. Recommended mitigations include version pinning, cloning models to trusted storage, and scanning repositories for reusable references.

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.

🔐A DEF CON 33 panel argued that while digital tactics like misinformation and cyberattacks can disrupt systems, they rarely win wars on their own. Panelists emphasised that cyber effects tend to be temporary, whereas kinetic attacks inflict longer-lasting physical damage. Using a Taco Bell supply-chain analogy and real incidents such as Change Healthcare, the discussion urged organisations to map dependencies and build resilience to mitigate third-party risk.