cybersecurity – Coderr.net

Fifty Years of Open Source Software Supply Chain Security

Apr 10 2025

50 Years of Open Source Software Security: Explores the historical challenges in software supply chain security, illustrating via incidents like the 1974 Multics report and the recent xz attack on Debian. It defines open source software supply chain attacks and vulnerabilities, emphasizing the necessity for improved defenses. Key solutions include understanding supply chains, authenticating software with cryptographic signatures, making builds reproducible, quickly identifying and fixing vulnerabilities, and funding open-source projects. The essay stresses the ongoing evolution in software reuse practices and highlights that without proper investments and security measures, risks persist in the open-source ecosystem.

https://queue.acm.org/detail.cfm?id=3722542

How to Gain Code Execution on Millions of People and Hundreds of Popular Apps

ai, cybersecurity, editor

Mar 4 2025

Acquired code execution on popular apps via a vulnerability in todesktop's platform, found insecure Firestore collection, deployed a malicious update gaining RCE, impacting millions of users. Collaborated with todesktop for prompt resolution, received compensation from both todesktop and affected app cursor.

https://kibty.town/blog/todesktop/

Cross-Site Requests

cybersecurity

Mar 3 2025

CSRF (Cross-Site Request Forgery) and CORS (Cross-Origin Resource Sharing) are both security mechanisms addressing cross-site requests. CSRF prevents unauthorized actions by ensuring requests originate from the correct site, while CORS allows specific cross-origin requests via preflight checks. The Same-origin policy typically allows cross-site writes (like POSTs) but restricts reads. The introduction of the SameSite cookie attribute has further affected cross-site requests by limiting cookie transmission. Browsers play a crucial role in enforcing these policies, and current adoption rates for security features vary. In summary, both CSRF and CORS are necessary for maintaining web security amid evolving standards.

https://smagin.fyi/posts/cross-site-requests/

How OWASP Helps You Secure Your Full-Stack Web Applications — Smashing Magazine

cybersecurity

Feb 18 2025

OWASP helps web developers secure full-stack applications by highlighting common vulnerabilities. It offers a curated list of the top 10 vulnerabilities, serving as a crucial resource for understanding and addressing security risks. Key issues include Server-Side Request Forgery (SSRF), authentication failures, insecure design, and injection flaws. Developers are encouraged to implement logging, monitor software integrity, and stay updated on dependencies to enhance security. Understanding and applying OWASP guidelines significantly elevates a developer's ability to mitigate security threats in web applications.

https://www.smashingmagazine.com/2025/02/how-owasp-helps-secure-full-stack-web-applications/

Secure Your Containers With Chainguard

container, cybersecurity, open source

Feb 11 2025

Chainguard offers a secure software platform focusing on container image security, vulnerability remediation, compliance, and risk mitigation. Join their event, “Chainguard Assemble,” for insights from industry leaders. Their solutions minimize CVE management burdens for engineering teams, streamline compliance processes, and support rapid development with secure, maintained open-source software. Trusted by leading companies, Chainguard emphasizes a secure and efficient software development experience that enables innovation while addressing security needs.

https://www.chainguard.dev/

DeepSeek Coding Has the Capability to Transfer Users’ Data Directly to the Chinese Government

ai, cybersecurity

Feb 7 2025

DeepSeek, a popular AI app, may secretly send user data to the Chinese government, raising national security concerns. Experts found hidden code that links user information to Chinese servers, potentially allowing direct access by the state. U.S. officials, including cybersecurity experts and congressional representatives, warn about the risks, urging immediate bans on government devices. DeepSeek's terms imply compliance with Chinese law, further alarming privacy advocates.

https://abcnews.go.com/US/deepseek-coding-capability-transfer-users-data-directly-chinese/story?id=118465451

DeepSeek AI Tools Impersonated by Infostealer Malware on PyPI

ai, cybersecurity, python

Feb 4 2025

DeepSeek AI tools were impersonated by infostealer malware on PyPI. Two malicious packages, “deepseeek” and “deepseekai,” were discovered, which stole sensitive data from developers who downloaded them. The malware, uploaded from an inactive account, exfiltrated user credentials to a command and control server. Despite being reported and taken down quickly, 222 developers downloaded the packages, mostly from the U.S. Affected users are urged to change their API keys and credentials to prevent further compromise.

https://www.bleepingcomputer.com/news/security/deepseek-ai-tools-impersonated-by-infostealer-malware-on-pypi/