
Fake npm Package Hijacks Postmark Emails in Supply Chain Breach

A single line of malicious code hidden in a counterfeit npm package has exposed potentially thousands of sensitive emails every day, raising fresh alarms about software supply-chain security. 

The package, uploaded to npm under the name postmark-mcp, impersonated the legitimate Model Context Protocol (MCP) server of email delivery service Postmark.

According to investigators at Koi Security, the attacker copied code from Postmark’s official GitHub repository, inserted a backdoor that BCC’d every outgoing message to an external email address, and released it on npm. The deception lasted through 15 versions of the package, with the backdoor introduced in version 1.0.16. During its brief circulation, it was downloaded approximately 1,500 times in a week. 

Koi Security estimates that at least 300 organisations may have integrated it into their workflows, unknowingly diverting between 3,000 and 15,000 emails daily to the attacker’s server. These could have included password resets, authentication codes, invoices, financial data, and internal business correspondence. 

Postmark confirmed the malicious package was unrelated to its own operations, stressing that its infrastructure remained uncompromised. In an advisory, the company urged anyone who had installed the npm module to delete it immediately, review email logs for unusual traffic, and reset credentials transmitted by email. 
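The advisory's first step is finding out whether the counterfeit package is present at all. The following script is an added example, not code from Postmark or Koi Security: it walks an npm `package-lock.json` (both the v1 `dependencies` layout and the v2/v3 `packages` layout) and reports every copy of `postmark-mcp`, marking versions from 1.0.16 onward, where the article says the BCC backdoor was introduced. The sample lockfile is constructed for demonstration.

```javascript
// Added example: locate the counterfeit "postmark-mcp" package in an npm lockfile.
// The whole package is an impersonation, so every version is reported; versions
// >= 1.0.16 (where the backdoor appeared, per the article) are flagged as backdoored.
const SUSPECT = "postmark-mcp";
const BACKDOOR_FROM = "1.0.16";

// Compare dotted numeric versions (x.y.z); a prerelease suffix is ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk both lockfile layouts: v2/v3 "packages" (keys are install paths such as
// "node_modules/postmark-mcp") and v1 "dependencies" (nested objects keyed by name).
function findSuspectPackages(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // keeps "@scope/name" intact
    if (name === SUSPECT) hits.push({ path, version: info.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === SUSPECT) hits.push({ path, version: info.version });
      walk(info.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v1 lockfiles only
  return hits.map(h => ({ ...h, backdoored: cmpVersion(h.version, BACKDOOR_FROM) >= 0 }));
}

// Read and scan a lockfile from disk, e.g. scanFile("package-lock.json").
function scanFile(file) {
  return findSuspectPackages(JSON.parse(require("fs").readFileSync(file, "utf8")));
}

// Constructed sample lockfile (v3 layout): the real "postmark" client beside the fake.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postmark": { version: "4.0.5" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
  },
};
```

A hit in any version means the dependency should be removed and the credentials sent through that mail path rotated, as the advisory describes.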

Postmark added that only one known customer had used the compromised package. Koi Security’s co-founder, Idan Dardikman, described the incident as a “warning shot” for the wider MCP ecosystem. MCP enables AI assistants to connect with external services, including email servers, granting them broad system-level permissions. 

“We’re effectively giving god-mode access to code from developers we don’t know or trust,” he warned, highlighting how AI-driven automation can magnify risks when malicious packages slip through. 

The case underscores the ongoing dangers of typosquatting and open-source supply chain poisoning, where attackers publish lookalike packages to exploit developer oversight. 

Unlike sophisticated zero-day exploits, this breach required no advanced techniques, only the community’s willingness to run unverified code.

Security experts say the incident reinforces the need for tighter controls around dependency management, stricter verification of open-source modules, and stronger monitoring of automated workflows, particularly those linked with AI systems.

Beyond Google: The Rise of Privacy-Focused Search Engines


For years, the search engine market has been viewed as a two-player arena dominated by Google, with Microsoft’s Bing as the backup. But a quieter movement is reshaping how people explore the web: privacy-first search engines that promise not to turn users into products. 

DuckDuckGo has become the most recognisable name in this space. Its interface looks and feels much like Google, yet it refuses to track users, log searches, or build behavioural profiles. Instead, every query stands alone, delivering neutral results primarily sourced from Bing and other partners. While this means fewer personalised suggestions, it also ensures a cleaner, unbiased search experience.

Startpage, on the other hand, positions itself as a privacy shield for Google. Acting as a middleman, it fetches Google’s results without passing on users’ IP addresses or histories. This gives people access to Google’s powerful index while keeping their identities hidden. For those seeking an extra layer of anonymity, Startpage even offers a built-in proxy to browse sites discreetly.

Mojeek is one of the rare engines to build its own independent index. By crawling the web directly, it offers results shaped by its own algorithms rather than those of industry giants. While sometimes rougher around the edges, Mojeek’s independence appeals to users tired of mainstream filters and echo chambers. 

SearXNG takes yet another approach. As an open-source meta-search engine, it aggregates results from dozens of sources, from Google and Bing to Wikipedia. Crucially, it does this without sharing personal data. Users can even host their own SearXNG instance, tailoring the sources and ranking systems to their preferences, an unmatched level of control, though the experience varies by setup.

Finally, Swisscows distinguishes itself with both privacy and family-friendly results. It blocks tracking, filters explicit content, and now runs on a subscription model of around $4.4 per month. While no longer free, its positioning makes it attractive for parents and classrooms seeking a safe and secure search option.

Taken together, these alternatives highlight that Google is not the only gateway to the internet. From DuckDuckGo’s simplicity to SearXNG’s transparency and Mojeek’s independence, privacy-first search engines prove that it’s possible to browse the web without surrendering personal data.