Tagged articles

supply chain security

22 articles · Page 1 of 1
IT Services Circle
IT Services Circle
Jun 21, 2026 · Information Security

npm v12 Disables Lifecycle Scripts, Ending a 15‑Year Front‑End Security Flaw

npm v12, releasing in July, will default disable the preinstall, install, postinstall and prepare lifecycle scripts, separating code download from execution to curb the long‑standing supply‑chain vulnerability that let third‑party packages run arbitrary code during npm install, impacting many JavaScript projects and prompting migration.

JavaScriptNode.jsinformation security
0 likes · 10 min read
npm v12 Disables Lifecycle Scripts, Ending a 15‑Year Front‑End Security Flaw
Code Mala Tang
Code Mala Tang
Jun 9, 2026 · Information Security

npm v12 Disables Three Features by Default: What Changes, Why, and How to Prepare

npm v12, scheduled for July 2026, introduces three breaking changes—default‑off allowScripts, --allow-git set to none, and --allow-remote set to none—forcing developers to explicitly approve install scripts, git and remote dependencies, with detailed migration steps and security implications explained.

Breaking Changesallow-gitallow-remote
0 likes · 9 min read
npm v12 Disables Three Features by Default: What Changes, Why, and How to Prepare
Black & White Path
Black & White Path
Jun 1, 2026 · Information Security

OpenAI Enforces Phishing‑Resistant MFA for High‑Privilege AI Accounts Starting June 1 2026

On June 1 2026, OpenAI will require all researchers and defenders using its Trusted Access for Cyber (TAC) program to enable Advanced Account Security—a phishing‑resistant multi‑factor authentication—marking a shift from open model access to identity‑driven protection and reshaping the AI security landscape.

AI model securityAdvanced Account SecurityOpenAI
0 likes · 14 min read
OpenAI Enforces Phishing‑Resistant MFA for High‑Privilege AI Accounts Starting June 1 2026
Geek Labs
Geek Labs
May 31, 2026 · Industry Insights

Top Recent GitHub Open‑Source Projects: Supply‑Chain Security, AI Coding, Satellite Simulation, Model Integration

This article reviews four trending GitHub open‑source projects—Bumblebee for supply‑chain security scanning, GSD Redux for AI‑assisted coding context management, SmartNode for satellite communication simulation, and codex‑shim for flexible model routing in Codex Desktop—detailing their features, usage, and limitations.

AI coding frameworkBumblebeeGSD Redux
0 likes · 20 min read
Top Recent GitHub Open‑Source Projects: Supply‑Chain Security, AI Coding, Satellite Simulation, Model Integration
Black & White Path
Black & White Path
May 18, 2026 · Information Security

Why npm Keeps Getting Compromised: A Deep Dive into the Latest node‑ipc Supply‑Chain Attack

On May 14, 2026 three malicious versions of the node‑ipc package were published to npm, injecting obfuscated payloads that steal cloud credentials, SSH keys, AI tool configurations and other sensitive files, and the article analyses the attack stages, historical repeats, npm's structural flaws, and concrete blue‑team mitigation steps.

Credential Theftdetection rulesnode-ipc
0 likes · 12 min read
Why npm Keeps Getting Compromised: A Deep Dive into the Latest node‑ipc Supply‑Chain Attack
TonyBai
TonyBai
Apr 9, 2026 · Industry Insights

Rust Developers Petition for a Bigger Standard Library: Should Go Be the Model?

A heated community debate sparked by a Rust forum post questions the language’s minimal std library, arguing that reliance on numerous third‑party crates creates supply‑chain risks, and contrasts Rust’s “small core, strong ecosystem” approach with Go’s comprehensive “batteries‑included” standard library, while exploring possible compromises.

Gocrates.iolanguage design
0 likes · 11 min read
Rust Developers Petition for a Bigger Standard Library: Should Go Be the Model?
Alibaba Cloud Native
Alibaba Cloud Native
Mar 26, 2026 · Information Security

How to Defend Against PyPI and Docker Hub Supply‑Chain Attacks with Cloud‑Native API Gateways

The article analyzes recent supply‑chain poisoning of the LiteLLM PyPI package and Docker Hub images, explains why PyPI is an attractive attack vector, and details a three‑layer defense using Alibaba Cloud's cloud‑native API Gateway—including KMS‑encrypted credentials, WAF traffic filtering, and Wasm sandbox plugins—to protect the software supply chain.

API GatewayKMSPyPI poisoning
0 likes · 11 min read
How to Defend Against PyPI and Docker Hub Supply‑Chain Attacks with Cloud‑Native API Gateways
TonyBai
TonyBai
Mar 19, 2026 · Information Security

Why Using go get @latest Can Let Hackers Hijack Your Server

Blindly running `go get @latest` can pull malicious packages into your Go project, as supply‑chain attacks exploit the latest version tag; the article explains the underlying threat, examines Go’s MVS and SumDB defenses, and details the proposed cooldown mechanism to mitigate such risks.

CooldownGoMVS
0 likes · 11 min read
Why Using go get @latest Can Let Hackers Hijack Your Server
TonyBai
TonyBai
Mar 14, 2026 · Information Security

How Go sumdb Defends Against Supply‑Chain Attacks with Transparent Logs and Tiling

The article explains how Go's checksum database (sumdb) uses append‑only transparent logs, Merkle‑tree proofs, and a novel tiling algorithm to provide cryptographic existence and consistency guarantees, protecting developers from covert supply‑chain attacks and fork attacks.

Consistency ProofGoMerkle tree
0 likes · 14 min read
How Go sumdb Defends Against Supply‑Chain Attacks with Transparent Logs and Tiling
Black & White Path
Black & White Path
Feb 9, 2026 · Information Security

Is Traditional Perimeter Defense Dead? 93% of Enterprises Expose Attack Surface via Third‑Party Services

According to SoSafe’s 2025 cybercrime trend report, 93% of organizations rely on third‑party services, 83% have experienced incidents from personal devices, and 95% see a surge in multi‑channel attacks, prompting a shift from perimeter defenses to rigorous supply‑chain scrutiny, BYOD overhaul, and proactive threat‑culture measures.

AI phishingBYODinformation security
0 likes · 8 min read
Is Traditional Perimeter Defense Dead? 93% of Enterprises Expose Attack Surface via Third‑Party Services
21CTO
21CTO
Sep 24, 2025 · Information Security

How GitHub’s New npm Security Measures Aim to Stop Supply‑Chain Worms

GitHub is tightening npm security by removing infected packages, enforcing two‑factor authentication for publishing, shortening token lifespans, and expanding trusted publishing to curb the Shai‑Hulud worm and protect the open‑source supply chain.

GitHubToken ManagementTwo-Factor Authentication
0 likes · 3 min read
How GitHub’s New npm Security Measures Aim to Stop Supply‑Chain Worms
21CTO
21CTO
Jun 7, 2025 · Backend Development

How the Linux Foundation’s FAIR Package Manager Aims to Stabilize WordPress

The Linux Foundation introduced the FAIR package manager to provide a neutral, decentralized way of distributing WordPress plugins and updates, aiming to reduce central‑control risks, improve supply‑chain security, and restore stability to the WordPress ecosystem.

Linux FoundationWordPresspackage manager
0 likes · 7 min read
How the Linux Foundation’s FAIR Package Manager Aims to Stabilize WordPress
Architects' Tech Alliance
Architects' Tech Alliance
Jun 16, 2022 · Information Security

Host Security Capability Construction Guide: Key Capabilities, Industry Priorities, and Implementation Process

The Host Security Capability Construction Guide analyzes evolving threats, categorizes security capabilities into basic, enhanced, and advanced levels, details industry-specific priority requirements, and outlines a comprehensive construction and evaluation process to help enterprises select appropriate solutions and build an effective host security framework.

Host SecurityIntrusion Detectionasset inventory
0 likes · 12 min read
Host Security Capability Construction Guide: Key Capabilities, Industry Priorities, and Implementation Process
Meituan Technology Team
Meituan Technology Team
May 26, 2022 · Information Security

Building and Deploying Software Composition Analysis (SCA) for Enterprise Security

The article analyzes the rising threat of open‑source components, explains Software Composition Analysis (SCA) and SBOM generation, outlines the three‑stage process for building an in‑house SCA capability, discusses practical challenges such as data quality and integration, and looks ahead to future standards and open‑source tools.

DevSecOpsNLPRisk Management
0 likes · 37 min read
Building and Deploying Software Composition Analysis (SCA) for Enterprise Security
IT Services Circle
IT Services Circle
Mar 17, 2022 · Information Security

Malicious npm Packages: The “peacenotwar” Incident and Its Impact on the Frontend Ecosystem

The article exposes a malicious npm package called peacenotwar, injected by a politically motivated author into the node‑ipc dependency of vue‑cli, which creates a hostile file on users in Russia and Belarus, prompting npm to block the package and highlighting the fragility of the frontend supply chain.

Frontend Ecosystemmalicious codenode-ipc
0 likes · 5 min read
Malicious npm Packages: The “peacenotwar” Incident and Its Impact on the Frontend Ecosystem
ITPUB
ITPUB
Feb 15, 2021 · Information Security

How Hackers Exploit Dependency Confusion to Breach Major Tech Companies

This article explains how simple yet powerful dependency‑confusion attacks let attackers upload malicious packages to public registries, exfiltrate data via DNS, and compromise internal systems of companies like PayPal, Shopify, Apple and others, highlighting the methodology, results, root causes and mitigation ideas.

Bug Bountydependency confusionnpm
0 likes · 13 min read
How Hackers Exploit Dependency Confusion to Breach Major Tech Companies