Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Developers. Show all posts
Salesloft
AWS Data Breach Developers GitHub organizations Salesloft

Salesloft Hack Shows How Developer Breaches Can Spread

 



Salesloft, a popular sales engagement platform, has revealed that a breach of its GitHub environment earlier this year played a key role in a recent wave of data theft attacks targeting Salesforce customers.

The company explained that attackers gained access to its GitHub repositories between March and June 2025. During this time, intruders downloaded code, added unauthorized accounts, and created rogue workflows. These actions gave them a foothold that was later used to compromise Drift, Salesloft’s conversational marketing product. Drift integrates with major platforms such as Salesforce and Google Workspace, enabling businesses to automate chat interactions and sales pipelines.


How the breach unfolded

Investigators from cybersecurity firm Mandiant, who were brought in to assist Salesloft, found that the GitHub compromise was the first step in a multi-stage campaign. After the attackers established persistence, they moved into Drift’s cloud infrastructure hosted on Amazon Web Services (AWS). From there, they stole OAuth tokens, digital keys that allow applications to access user accounts without requiring passwords.

These stolen tokens were then exploited in August to infiltrate Salesforce environments belonging to multiple organizations. By abusing the access tokens, attackers were able to view and extract customer support cases. Many of these records contained sensitive information such as cloud service credentials, authentication tokens, and even Snowflake-related access keys.


Impact on organizations

The theft of Salesforce data affected a wide range of technology companies. Attackers specifically sought credentials and secrets that could be reused to gain further access into enterprise systems. According to Salesloft’s August 26 update, the campaign’s primary goal was credential theft rather than direct financial fraud.

Threat intelligence groups have tracked this operation under the identifier UNC6395. Meanwhile, reports also suggest links to known cybercrime groups, although conclusive attribution remains unsettled.


Response and recovery

Salesloft said it has since rotated credentials, hardened its defenses, and isolated Drift’s infrastructure to prevent further abuse. Mandiant confirmed that containment steps have been effective, with no evidence that attackers maintain ongoing access. Current efforts are focused on forensic review and long-term assurance.

Following weeks of precautionary suspensions, Salesloft has now restored its Salesforce integrations. The company has also published detailed instructions to help customers safely resume data synchronization.

The incident underlines the risks of supply-chain style attacks, where a compromise at one service provider can cascade into breaches at many of its customers. It underscores the importance of securing developer accounts, closely monitoring access tokens, and limiting sensitive data shared in support cases.

For organizations, best practices now include regularly rotating OAuth tokens, auditing third-party app permissions, and enforcing stronger segmentation between critical systems.


Read more »
Privacy
Android Compliance Developers Google Play Store Privacy

Google to Confirm Identity of Every Android App Developer

 







Google announced a new step to make Android apps safer: starting next year, developers who distribute apps to certified Android phones and tablets, even outside Google Play, will need to verify their legal identity. The change ties every app on certified devices to a named developer account, while keeping Android’s ability to run apps from other stores or direct downloads intact. 

What this means for everyday users and small developers is straightforward. If you download an app from a website or a third-party store, the app will now be linked to a developer who has provided a legal name, address, email and phone number. Google says hobbyists and students will have a lighter account option, but many independent creators may choose to register as a business to protect personal privacy. Certified devices are the ones that ship with Google services and pass Google’s compatibility tests; devices that do not include Google Play services may follow different rules. 

Google’s stated reason is security. The company reported that apps installed from the open internet are far more likely to contain malware than apps on the Play Store, and it says those risks come mainly from people hiding behind anonymous developer identities. By requiring identity verification, Google intends to make it harder for repeat offenders to publish harmful apps and to make malicious actors easier to track. 

The rollout is phased so developers and device makers can prepare. Early access invitations begin in October 2025, verification opens to all developers in March 2026, and the rules take effect for certified devices in Brazil, Indonesia, Singapore and Thailand in September 2026. Google plans a wider global rollout in 2027. If you are a developer, review Google’s new developer pages and plan to verify your account well before your target markets enforce the rule. 

A similar compliance pattern already exists in some places. For example, Apple requires developers who distribute apps in the European Union to provide a “trader status” and contact details to meet the EU Digital Services Act. These kinds of rules aim to increase accountability, but they also raise questions about privacy, the costs for small creators, and how “open” mobile platforms should remain. Both companies are moving toward tighter oversight of app distribution, with the goal of making digital marketplaces safer and more accountable.

This change marks one of the most significant shifts in Android’s open ecosystem. While users will still have the freedom to install apps from multiple sources, developers will now be held accountable for the software they release. For users, it could mean greater protection against scams and malicious apps. For developers, especially smaller ones, it signals a new balance between maintaining privacy and ensuring trust in the Android platform.


Read more »
Spyware
API Keys Cybersecurity Data Breach Developers malware npm packages open-source phishing Software Supply Chain Spyware

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

 

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments.

Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally.

“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers.

“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks.

“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.

A fake npm extension embedded spyware that enabled complete remote access.

Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.
Read more »
python
Crypto Wallets Developers Ethereum malware PyPI python

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Researchers at Socket have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.” 

Masked as a simple utility tool for Python sets, the package imitates commonly used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The trap baits innocent developers into installing the malicious package, allowing hackers unauthorized entry to Ethereum wallets. 

Since the start of this year, set-utils has been downloaded over 1000 times, exposing Ethereum users and developers to risk. The package attacks people working with blockchain technology, especially developers using Python-based wallet management libraries like eth-account. 

The package hacks Ethereum account creation to steal private keys through the blockchain by exploiting https://rpc-amoy.polygon.technology/ as a Command and Control server (C2). This lets hackers retrieve stolen credentials covertly. 

PyPi Targets

PyPi targets Ethereum developers and businesses working with Python-based blockchain apps. These include:

  • Web3 apps and crypto exchanges integrating Ethereum transactions.
  • Users having personal Ethereum wallets via Python automation. 
  • Blockchain developers using the eth-account for wallet creation and handling.
  • People who installed the package may expose their private keys to hackers, causing major financial losses. 

Consequences of PyPi attack

  • Stealing Ethereum private keys: PyPi ties into standard wallet creation methods, which makes it difficult to notice.
  • Exploit of Polygon RPC (rpc-amoy.polygon.technology/) as a C2 channel: By not using traditional network extraction, hackers hide stolen data inside blockchain transactions, making it difficult to detect.
  • Hardcoded hacker-controlled RSA public key: The private keys are encrypted and then sent, hiding the data from basic monitoring. 
  • Permanent breach: Even if a user uninstalls set-utils, Ethereum wallets made “while it was active are already exposed and compromised.”

Controlling the damage

For mitigating risk, businesses and developers should implement robust measures to protect software supply chains. Routine dependency audits and using automated scanning software can help detect malicious or suspicious behaviours in third-party packages when they are incorporated into production environments. 

According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.”  Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”

Read more »
Technology
Artificial Intelligence Blockchain Developers Healthcare Marketing Technology

AI and Blockchain: Shaping the Future of Personalization and Security

 

The integration of Artificial Intelligence (AI) and blockchain technology is revolutionizing digital experiences, especially for developers aiming to enhance user interaction and improve security. By combining these cutting-edge technologies, digital platforms are becoming more personalized while ensuring that user data remains secure. 

Why Personalization and Security Are Essential 

A global survey conducted in the third quarter of 2024 revealed that 64% of consumers prefer to engage with companies that offer personalized experiences. Simultaneously, 53% of respondents expressed significant concerns about data privacy. These findings highlight a critical balance: users desire tailored interactions but are equally cautious about how their data is managed. The integration of AI and blockchain offers innovative solutions to address both personalization and privacy concerns. 

AI has seamlessly integrated into daily life, with tools like ChatGPT becoming indispensable across industries. A notable advancement in AI is the adoption of Common Crawl's customized blockchain. This system securely stores vast datasets used by AI models, enhancing data transparency and security. Blockchain’s immutable nature ensures data integrity, making it ideal for managing the extensive data required to train AI systems in applications like ChatGPT. 

The combined power of AI and blockchain is already transforming sectors like marketing and healthcare, where personalization and data privacy are paramount.

  • Marketing: Tools such as AURA by AdEx allow businesses to analyze user activity on blockchain platforms like Ethereum. By studying transaction data, AURA helps companies implement personalized marketing strategies. For instance, users frequently interacting with decentralized exchanges (DEXs) or moving assets across blockchains can receive tailored marketing content aligned with their behavior.
  • Healthcare: Blockchain technology is being used to store medical records securely, enabling AI systems to develop personalized treatment plans. This approach allows healthcare professionals to offer customized recommendations for nutrition, medication, and therapies while safeguarding sensitive patient data from unauthorized access.
Enhancing Data Security 

Despite AI's transformative capabilities, data privacy has been a longstanding concern. Earlier AI tools, such as previous versions of ChatGPT, stored user data to refine models without clear consent, raising privacy issues. However, the industry is evolving with the introduction of privacy-centric tools like Sentinel and Scribe. These platforms employ advanced encryption to protect user data, ensuring that information remains secure—even from large technology companies like Google and Microsoft. 
 
The future holds immense potential for developers leveraging AI and blockchain technologies. These innovations not only enhance user experiences through personalized interactions but also address critical privacy challenges that have persisted within the tech industry. As AI and blockchain continue to evolve, industries such as marketing, healthcare, and beyond can expect more powerful tools that prioritize customization and data security. By embracing these technologies, businesses can create engaging, secure digital environments that meet users' growing demands for personalization and privacy.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
Technology Upgrade
AI Apple Cyber Attacks CyberCrime Cybersecurity Developers iOS Technology Upgrade

Apple's AI Features Demand More Power: Not All iPhones Make the Cut

 


A large portion of Apple's developer conference on Monday was devoted to infusing artificial intelligence (AI) technology into its software. Some of the features Apple has rumoured to incorporate are not expected to work on all iPhones. If you read this article correctly, it sounds as if Apple is betting its long-awaited AI features will be enough to make you upgrade your iPhone — especially if the AI requires the latest smartphone. The annual developer conference of Apple, WWDC, is expected to take place on Monday with the announcement of iOS 18. 

According to Bloomberg, the company will release a new version of its artificial intelligence software, dubbed "Apple Intelligence," which will include features that will run directly on the iPhone's processor instead of being powered by cloud servers - in other words, they'll be powered directly from the device itself. According to the report, some of the AI services will still utilize cloud-based computing, however, many won't. The iPhone, iOS18, as well as any of Apple's other products and devices, are set to be updated, and anything short of a full array of AI-based features will likely disappoint developers and industry analysts, not to mention investors, with any changes Apple makes to its operating system. 

The company has turned to artificial intelligence (AI) as a way to revive its loyal fan base of over 1 billion customers and reverse the decline of its best-selling product in the face of choppy consumer spending and resurgent tech rivals. A key selling point that Apple uses to differentiate itself from its competitors is the fact that it is committed to privacy. There are still questions to be answered in regards to how Federighi will make sure that the personal context of a user will be shared across multiple devices belonging to the same user. 

However, he said that all data will be processed on-device and will never be shared across cloud servers. It is widely believed that the move by Apple was an evolution of the generative AI domain that would lead to the adoption of generative AI by enterprises by streamlining the best practices for AI privacy in the industrial sector. Analysts said that the software is likely to encourage a cascade of new purchases, as it requires at least an iPhone 15 or 15 Pro to be able to function. It has been predicted that we will likely see Apple's most significant upgrade cycle since the launch of the iPhone 12 in 2020, when 5G connectivity was part of the appeal for consumers for the device. 

A study from Apple analyst Ming-Chi Kuo published on Medium has claimed that the amount of on-board memory in the forthcoming iPhone 16 range, which is predicted to have 8GB of storage, may not be enough to be able to fully express the large language model (LLM) behind Apple's artificial intelligence (AI). It has been argued by analyst Kuo in a recent post that the iPhone 16's 8GB DRAM limit will likely restrict on-device learning curves from exceeding market expectations. Kuo suggests that eager Apple fans might want to temper their expectations before WWDC this year. 

Although this is true, Apple's powerful mobile chips and efficient iOS operating system can offer market-leading performance, regardless of how much RAM is available to them, on many of their previous iPhone models. As a result, memory has never been much of an issue on revious iPhone models. In the case of notoriously demanding AI tools, such as deep learning, however, the question becomes whether that level of complexity will still be applicable.

Several apps are set to feature AI technology, including Mail, Voice Memos, and Photos, as part of Apple's AI integration, but users will have to opt-in to use the features if they wish to use them. There were rumours that the company would deliver a series of features designed to simplify everyday tasks such as summarizing and writing emails, as well as suggesting custom emojis for emails. Moreover, Bloomberg reports that Siri is also going to undergo an AI overhaul to allow users to be able to do more specific tasks within apps, for instance, deleting an email inside an app will be one of these. According to The Information and Bloomberg, Apple has signed a deal with OpenAI to power some features, including a chatbot that is similar to ChatGPT, one of the most popular chatbots.
Read more »
Technology
AlphaCodium Artifcial Intelligence CodiumAI Developers Secure Coding Technology

AlphaCodium: Your New Coding Assistant

 


Meet AlphaCodium, the latest creation from CodiumAI, taking AI code generation to the next level, leaving Google's AlphaCode in its digital dust. Forget complicated terms; AlphaCodium simply means smarter, more accurate coding. Instead of following a set script, it learns and refines its code through a back-and-forth process, making it work more like how we humans tackle problems. Think of it like a super-smart sidekick for developers, helping them build faster and with zero bugs. So, get ready for a coding revolution – AlphaCodium is here to make programming easier, more efficient, and, most importantly, error-free.

AlphaCodium's success is attributed to its innovative 'flow engineering' method, shifting from a traditional prompt: answer approach to a dynamic iterative process. Unlike its predecessors, it incorporates elements of Generative Adversarial Network (GAN) architecture, developed by Ian Goodfellow in 2014. This includes a model for code generation and an adversarial model ensuring code integrity through testing, reflection, and specification matching.

The process begins with input, followed by pre-processing steps where AlphaCodium reflects on the problem, leading to an initial code solution. Subsequently, it generates additional tests to refine the solution iteratively, ultimately reaching a final functional code.

CodiumAI's mission, as stated on its website, is to "enable developers to build faster with zero bugs." The startup, founded in 2022, raised $10.6 million in March 2023. AlphaCodium's performance, tested on the CodeContests dataset containing 10,000 competitive programming problems, showcased an impressive improvement in accuracy from 19% to 44% compared to GPT-4.

Andrej Karpathy, previously director of AI at Tesla and now with OpenAI, highlighted AlphaCodium's 'flow engineering' as a revolutionary approach to improve code generation. This method not only allows the AI to generate boilerplate code but also ensures the generated code is accurate and functional.


CodiumAI's CEO on AlphaCodium's Significance

CodiumAI's CEO, Itamar Friedman, emphasised that AlphaCodium is not merely a model but a comprehensive system and algorithm facilitating a dynamic 'flow' of communication between a code-generating model and a 'critic' model. This approach, termed 'flow engineering,' distinguishes AlphaCodium as a groundbreaking solution.

Friedman acknowledges OpenAI (developer of Codex) and Google DeepMind as rivals but emphasises that the real competition lies in advancing code integrity technology. He sees AlphaCodium as the next generation of code integrity, aligning not only with specifications but also with cultural documents, beliefs, and guidelines of the developer community. 

Friedman expressed inspiration from DeepMind's work but highlighted the absence of 'flow engineering' in Google DeepMind's AlphaCode. He suggests that the mainstream narrative focused on improving large language models might be overlooking the essential aspect of creating a flow for effective code generation.


To look at it lucidly, AlphaCodium represents a shift in the AI coding mechanism, asserting the importance of a continuous 'flow' in generating not just code but accurate and functional solutions. The implementation of 'flow engineering' marks a significant departure from conventional methods, offering a more dynamic and iterative approach to generate accurate and functional code. 

Read more »
RBI
App Developers Banks CISO Developers RBI

Security Issue in Banking Applications?

Recently, we tested a mobile application of a BFSI platform, which allowed the organization's employees to view and interact with new customer leads. 

The mobile app had a password-based authentication system, with the username being the mobile number of the user. We identified a major weakness in this mobile app. The app allows a user to reset the password if they can prove themselves via an OTP. When the 'forgot password' button is pressed, the user is sent to a page where they are prompted to enter an OTP. The OTP is sent to the phone number, and if the wrong OTP is entered, the server responds with `{"OTP":"Failure"}`. While this seems to have been implemented properly, we tried to change the server response by conducting an MITM. We changed the response from the server to `{"OTP":"Success"}`. This redirection led us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset would fail. However, we soon discovered that the password reset page itself does not check the OTP, and there is no session to track the successful OTP. This means any attacker can take the password change request, replace the phone number, and change the password of any other user (phone number). In simple terms, the OTP verification and the password reset page are not connected. The password reset API call did not have any verification or authentication to ensure only the correct user can change the password. 

This reveals how BFSI developers, when asked to build an app, often create the requested features without considering any security architecture. These apps are usually rushed, and only the positive/happy paths are checked. Security testing and architecture are often considered only as an afterthought. Unless BFSI incorporates security architecture into the development stage itself, such vulnerabilities will continue to emerge.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp

Read more »
Two Factor Authentication
Blockchain Crypto Crypto Crime Crypto Theft Data Breach. Developers Two Factor Authentication

Over $30 Billion Stolen from Crypto Sector, Reveals SlowMist's

A recent report by cybersecurity firm SlowMist has uncovered a shocking revelation regarding the vulnerability of the crypto sector. According to the report, blockchain hacks have resulted in the theft of over $30 billion from the cryptocurrency industry since 2012. This alarming figure highlights the pressing need for enhanced security measures within the blockchain ecosystem.

The report from SlowMist, a renowned cybersecurity company specializing in blockchain technology, brings to light the magnitude of the problem facing the crypto sector. The findings emphasize the urgent requirement for robust security protocols to safeguard digital assets and protect investors.

The report reveals that hackers have been successful in exploiting vulnerabilities across various blockchain networks, resulting in significant financial losses. SlowMist's research indicates that these attacks have been carried out through a range of methods, including exchange hacks, smart contract vulnerabilities, and fraudulent schemes.

One of the primary areas of concern is the vulnerability of cryptocurrency exchanges. These platforms serve as a vital link between users and their digital assets, making them lucrative targets for hackers. SlowMist's report highlights the need for exchanges to prioritize security measures and implement robust systems to safeguard user funds.

The rise in smart contract-based attacks has also been a cause for concern. Smart contracts, which automate and facilitate transactions on blockchain platforms, have been exploited by hackers who identify vulnerabilities within the code. This highlights the need for thorough security audits and ongoing monitoring of smart contracts to prevent potential breaches.

Industry experts emphasize the significance of preemptive actions to thwart these threats in response to the report's conclusions. Renowned blockchain security expert Jack Smith emphasizes the value of ongoing surveillance and quick response mechanisms. According to him, "It is crucial for crypto companies to prioritize security and adopt a proactive approach to identify and mitigate vulnerabilities before hackers exploit them."

The report also highlights the demand for a greater user understanding of cryptocurrencies. If consumers don't employ prudence when transacting with and holding their digital assets, even the most comprehensive security measures won't be enough. By educating people about best practices, like as using hardware wallets and turning on two-factor authentication, the danger of being a victim of hacking efforts can be greatly decreased.

The cryptocurrency industry has grown rapidly in recent years, drawing both investors and bad actors looking to take advantage of its weaknesses. The SlowMist report is a wake-up call, highlighting the critical need for better security procedures to protect the billions of dollars invested in the sector.

The adoption of more robust security measures must continue to be a primary focus as the blockchain sector develops. The report's conclusions underscore that everyone is accountable for building a secure ecosystem that promotes trust and protects against possible dangers, including blockchain developers, cryptocurrency exchanges, and individual users.



Read more »
Vulnerabilities and Exploits.
data threat Developers JavaScript NPM Package Vulnerabilities and Exploits.

JavaScript Registry npm at Risk

 

The JavaScript registry npm, a vital resource for developers worldwide, has recently come under scrutiny due to a significant vulnerability known as manifest confusion. This flaw allows attackers to exploit the npm ecosystem, potentially compromising the integrity and security of countless JavaScript packages. The repercussions of such abuse are far-reaching and could have severe consequences for the development community.

The exploit, first discovered by security researchers, highlights a fundamental flaw in the way npm handles package manifests. Package manifests contain essential information about dependencies, versions, and other metadata necessary for proper functioning. However, attackers can manipulate these manifests, tricking npm into installing malicious or unintended packages.

The severity of the issue is further exacerbated by the fact that the exploit affects not only a specific package or a handful of packages but has the potential to impact the entire npm ecosystem. With over one million packages available for public use, developers relying on npm must be vigilant in ensuring the integrity of their dependencies.

The vulnerability arises from a lack of strict validation and enforcement mechanisms in npm's package management process. By crafting specially designed manifests, attackers can exploit the confusion arising from naming similarities and version discrepancies, effectively bypassing security measures and injecting malicious code into legitimate packages.

The consequences of a successful manifest confusion attack are wide-ranging. Developers relying on npm could unwittingly introduce compromised packages into their applications, leading to a variety of security vulnerabilities and potential breaches. This could result in the theft of sensitive user data, unauthorized access to systems, or the disruption of critical services.

The npm development team has been made aware of the vulnerability and is actively working to address the issue. In response to the community's concerns, npm has implemented stricter validation checks and is exploring ways to enhance the package management process to prevent future attacks. However, mitigating the risk entirely will require the cooperation and diligence of package maintainers and developers.

Developers are recommended to manage their dependencies carefully in the interim. Before integration, it is critical to ensure that packages are authentic and intact, that they come from reliable sources, and that they have not been tampered with. Keeping packages updated to the most recent versions and signing up for vulnerability alerts can both reduce the chance of exploitation.

The npm ecosystem, which enables quick and effective software development, is a key tenet of the JavaScript development community. However, the integrity and security of this ecosystem are seriously threatened by the manifest confusion vulnerability. It is essential that npm and the larger development community solve this problem right away, working together to fortify the defenses against possible attacks and secure the future of JavaScript development.




Read more »
Unauthorized access
Android devices. Developers Malicious Apps malware Third Party Apps Unauthorized access

Over 60K Adware Apps Target Android Devices

Over 60,000 adware apps disguised as cracked versions of popular apps have been discovered, posing a significant threat to Android device users. These malicious apps have been circulating for the past six months, secretly installing adware and compromising user privacy.

The discovery was made by cybersecurity researchers who found that the adware apps were cleverly designed to imitate cracked versions of popular applications, tempting users with promises of free access to premium features. Once installed, these apps exploit their access to the device, displaying intrusive advertisements, redirecting users to potentially harmful websites, and collecting personal information without user consent.

The impact of these adware apps goes beyond annoying ads and pop-ups. They can significantly compromise user privacy and security, as they often have access to sensitive information such as contact lists, location data, and browsing history. Additionally, these apps can drain device resources and slow down performance, causing frustration for users.

The adware apps were distributed through various unofficial app stores and online forums, taking advantage of users' desire to access premium features without paying. Due to their deceptive nature, they managed to evade security measures and make their way onto unsuspecting users' devices.

To protect themselves from these threats, Android device users are advised to follow best practices for app installation. It is crucial to download apps only from official sources such as the Google Play Store, where apps undergo thorough security checks. Users should also be cautious of downloading cracked versions of apps from unauthorized websites or third-party app stores, as these are often breeding grounds for malware.

Furthermore, keeping devices up to date with the latest security patches and regularly scanning for malware using reputable mobile security solutions can help detect and remove any adware apps that may have infiltrated the system.

This incident serves as a reminder of the persistent threats faced by Android users and the need for heightened vigilance when downloading and installing applications. Users must remain cautious, exercise due diligence, and rely on trusted sources for their app needs.


Read more »
Security
Cyber Security Data data security Developers Industry Public Sector Safety Security

24 Percent of Technology Applications Have High-risk Security Vulnerabilities

 

With a higher proportion of applications to compete with than other industries, technology firms would benefit from improving secure coding training and practices for their development teams. As per Veracode, 24 percent of applications in the technology sector contain high-risk security flaws, which would cause a critical issue for the application if exploited. 

“Giving developers real, hands-on experience of what it takes to spot and exploit a flaw in code—and its potential impact on the application—provides the context and understanding to build their intuition about software security. Our research found that organizations whose developers had completed just one lesson in our hands-on Security Labs training program fixed 50 percent of flaws two months faster than those without such training,” said Chris Eng, Chief Research Officer at Veracode.

The technology industry was discovered to have the second-highest proportion of applications with security flaws, at 79 percent, trailing only the public sector (82 percent). When it comes to the proportion of flaws fixed, the technology sector ranks in the middle of the pack.

The industry still takes up to 363 days to fix 50% of flaws, indicating that there is still plenty of room for improvement.

Eng added, “Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus.”

He continued, “To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”

The most common types of flaws discovered by dynamic analysis of technology applications are server configuration, insecure dependencies, and information leakage, which broadly follows a pattern similar to other industries.

In contrast, the sector has the greatest deviation from the industry average for cryptographic issues and information leakage, possibly indicating that developers in the tech industry are more knowledgeable about data security challenges.
Read more »
User Privacy
Apple Data tracking Developers iOS Privacy Twitter User Privacy

Apple Accused Over Monitoring Users' Behavior Without Consent


According to a lawsuit, despite the fact that settings on Apple's iPhones and other devices are designed to prevent any tracking or sharing of app data, the corporation nonetheless collects, tracks, and monetizes user details even after users have turned off sharing.

When using the App Store app on iOS 14.6, each click users make is recorded and given to Apple, according to the thread posted last week by the Twitter account Mysk, which is maintained by two developers in Canada and Germany. 

The developers assert that this occurs regardless of users’ preferences and settings. The developers claim that "opting out or switching the personalization options off did not decrease the amount of detailed data that the app was transmitting." Apple provides a number of toggles designed to limit tracking.

In a follow-up report by Gizmodo, the developers discovered that although the privacy toggles, a number of additional apps, including Music, TV, Books, the iTunes Store, and Stocks, all transferred data to Apple. The site claims that the majority of the apps that transmitted analytics data shared constant ID numbers, which would allow Apple to follow user behavior across its services like the Health and Wallet apps.

Elliot Libman, the plaintiff, alleged  Apple's assurances that users have control over the data they provide when using iPhone apps are factually false and in violation of the California Invasion of Privacy Act.

The thread also notes how ironic Apple's alleged surveillance appears given that strong controls were introduced in iOS 14.5 to stop third-party developers from tracking users against their own will. Although the iOS 14.6 operating system has been around for more than a year, the researchers said they observed identical apps sending comparable data packets when using iOS 16.

Read more »
Safety
Cyber Security Decryption Key Developers Experiment Hacker Packages python Safety

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

 

An apparently school-age hacker from Verona, Italy, has become the latest to highlight why developers must be cautious about what they download from public code repositories these days. As an experiment, the teenage hacker recently posted many malicious Python packages containing ransomware programmes to the Python Package Index (PyPI). 

The packages' names were "requesys," "requesrs," and "requesr," which are all typical misspellings of "requests," a valid and extensively used HTTP library for Python. According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times — probably by developers who made typographical errors when attempting to download the genuine "requests" package. 

The bundle included scripts for exploring directories such as Documents, Pictures, and Music. One version of the requesys package included plaintext Python encryption and decryption code. However, a later version included a Base64-obfuscated executable, making analysis more difficult, according to Sonatype. 

Developers whose systems were encrypted received a pop-up notice urging them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to receive the decryption key without having to pay for it. 

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. 

Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package. According to the company, Sonatype identified the virus on July 28 and promptly reported it to PyPI's authorities. Two of the packages have subsequently been deleted, and the hacker has renamed the requesys package so that developers do not confuse it with a valid programme. 

"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First and foremost, be cautious while spelling out the names of prominent libraries, as typosquatting is one of the most prevalent malware attack tactics, she advises. Second, and more broadly, developers should always use caution when obtaining and integrating packages into their software releases. Open source is both a necessary fuel for digital innovation and an attractive target for software supply chain threats, explains Lamba.

Following the newest finding, Sonatype researchers contacted the creator of the malicious code and discovered him to be a self-described school-going hacker who was evidently fascinated by exploits and the simplicity with which they might be developed.

According to Lamba, b8ff assured Sonatype that the ransomware software was totally open source and part of a hobby project.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."
Read more »
threats
BCSC Cyber Security Developers FBI Malicious Apps Security Security and Safety threats

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated app stores could do more to improve security. Cybercriminals are currently exploiting vulnerabilities in app stores on all types of linked devices to cause harm,  as per Mr Levy. 

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.
Read more »
Subscribe to: Posts (Atom)