PyPI maintainers warn of ongoing phishing attack

The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.

A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed:

The...

InAppBrowser tool reveals hidden JavaScript injections

A tool created by developer Felix Krause reveals hidden JavaScript injections through in-app browsers.

In-app browsers offer a convenient way for developers to let users browse specific websites without leaving their apps. However, because the host app controls that browser, it can also inject its own JavaScript into every page it loads, and that code can be used to invade users’ privacy.

JavaScript injected through an in-app browser can collect data about users, including their taps on a webpage, their keyboard input, and more.

Armed with this data, a “digital...

PyPI package installs cryptominer on Linux systems

A malicious PyPI package was used to install a Monero cryptominer on Linux systems.

The package in question, secretslib, was pushed to the official third-party software repo for Python on 6th August 2022. The package was described as “secrets matching and verification made easy”.

Sonatype’s automated malware detection system flagged secretslib as potentially malicious. Further analysis proved its suspicions to be correct.

“The package covertly runs...

Xcode 14 beta practically confirms iPhone 14 Pro will get an AOD

The latest beta of Xcode 14 all but confirms that an always-on display (AOD) will arrive with the iPhone 14 Pro lineup.

AODs have featured on numerous Android devices since around 2016. Over in the Apple garden, the only device to feature an AOD so far is the Apple Watch (Series 5 and later).

Rather than having to fully wake the display every time you want to check for information, an AOD lets that data be seen at a glance.

AODs require very low refresh rates to preserve battery. The...

Source code for Rust-based malware leaks on hacking forums

The source code for an info-stealing malware based on Rust has leaked on hacking forums.

Security analysts claim the malware is actively used in attacks and that it has a high antivirus evasion rate: VirusTotal returns a detection rate of around 22 percent.

The developer claims to have written the malware in just six hours. Despite being written in Rust, which compiles for multiple platforms, the malware currently targets only Windows machines.

Cybersecurity firm Cyble analysed the malware...

Snowflake boosts native python support and data access


Snowflake, the Data Cloud company, has unveiled new enhancements that improve programmability for data scientists, data engineers, and application developers.

The company announced the update this week at its annual user conference, Snowflake Summit 2022, in Las Vegas.

Snowflake’s latest innovations bring Python to the forefront, with the launch of Snowpark for Python, now in public preview, and a native integration with Streamlit for rapid application development and...

Xcode Cloud is now available to all developers

Apple has announced that Xcode Cloud is now available to all developers.

Xcode Cloud was first announced during WWDC 2021. Over the past year, it’s gradually been rolling out in beta to lucky developers.

A year (and a WWDC) later, Xcode Cloud is leaving beta.

Xcode Cloud is a continuous integration and delivery service that’s built into Xcode. The solution accelerates the development and delivery of apps by bringing together cloud-based tools that help...

80% of Spring framework downloads are exploitable versions

Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions.

Spring is a mighty popular framework—often ranking in the top three most-used Java frameworks. That’s why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher ahead of an official CVE publication.

Spring4Shell allows unauthenticated remote code execution. This week, the US...

Spring4Shell vulnerability could have ‘a larger impact’ than Log4j

A newly-discovered zero-day vulnerability known as Spring4Shell could have “a larger impact” than Log4j.

Log4j made waves in recent months when the Log4Shell vulnerability in the popular open-source logging library enabled attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

However, attention is now shifting to the Spring4Shell exploit.

Spring4Shell is a zero-day remote code execution (RCE)...
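The two Spring4Shell items above (the Sonatype download figures and the comparison with Log4j) both come down to the same practitioner questions: is the Spring Framework version on my classpath one of the exploitable ones, and is anyone probing my endpoints for it? The following is an added example, not code from either article or from the Spring project. The fixed-version numbers (5.2.20 and 5.3.18) are the ones Spring published for CVE-2022-22965 and the `class.module.classLoader` property path is the one the public exploit binds request parameters into; the dependency list and the access-log lines are constructed sample input, and the artifact set and function names are this example's own choices.

```python
"""Spring4Shell (CVE-2022-22965) hygiene checks, as an added example.

Two independent checks:
  1. audit_dependencies(): flag Spring Framework artifact versions that
     predate the fixed releases (5.2.20 / 5.3.18).
  2. scan_access_log(): flag requests whose parameters try to bind into the
     `class.module.classLoader` property path that the public exploit abuses.

The fixed-version numbers are the ones Spring published for the CVE; the
dependency list and the log lines below are constructed sample input."""

import re
from urllib.parse import unquote

# First fixed release in each maintained Spring Framework line at disclosure time.
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

# Artifacts whose version decides exposure (an assumed, illustrative set).
# Spring Boot pulls these in transitively, so check the resolved framework
# version rather than only the Boot version.
SPRING_ARTIFACTS = {
    "org.springframework:spring-beans",
    "org.springframework:spring-webmvc",
    "org.springframework:spring-webflux",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract numeric major.minor.patch from strings such as
    '5.3.17', '5.2.19.RELEASE' or '5.3.18-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_spring(version: str) -> bool:
    """True if this Spring Framework version is exploitable via CVE-2022-22965.

    5.3.x is fixed from 5.3.18 and 5.2.x from 5.2.20. Anything older than
    5.2.20 (5.0, 5.1, 4.x: listed by Spring as affected but unsupported) is
    treated as vulnerable. 6.x shipped after the fix."""
    v = parse_version(version)
    if v >= FIXED_5_3:
        return False
    if v >= (5, 3, 0):
        return True            # 5.3.0 .. 5.3.17
    return v < FIXED_5_2       # 5.2.20 .. 5.2.x is fixed; everything older is not


def audit_dependencies(resolved: dict) -> list:
    """Return (artifact, version) pairs that still need upgrading.

    `resolved` maps Maven coordinates to the version actually on the
    classpath, e.g. taken from `mvn dependency:list` output."""
    return [
        (coord, ver)
        for coord, ver in sorted(resolved.items())
        if coord in SPRING_ARTIFACTS and is_vulnerable_spring(ver)
    ]


# Constructed sample: a Boot 2.6.5 app that resolved spring-beans 5.3.17.
SAMPLE_DEPENDENCIES = {
    "org.springframework.boot:spring-boot": "2.6.5",
    "org.springframework:spring-beans": "5.3.17",
    "org.springframework:spring-webmvc": "5.3.17",
    "org.springframework:spring-core": "5.3.17",
}

# The exploit binds request parameters onto `class.module.classLoader...`;
# 5.3.18 closes that path. Match on the URL-decoded line, since attackers
# percent-encode the dots or vary the case.
_INDICATOR = re.compile(r"class\.module\.classLoader", re.IGNORECASE)


def scan_access_log(lines: list) -> list:
    """Return (1-based line number, decoded entry) for log lines whose query
    string carries the Spring4Shell property path.

    Caveat: a payload sent in a POST body never reaches a standard access log;
    pair this with WAF or application-level request logging for those."""
    hits = []
    for n, line in enumerate(lines, start=1):
        decoded = unquote(line)
        if _INDICATOR.search(decoded):
            hits.append((n, decoded))
    return hits


# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2022:09:58:41 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 1832',
    '198.51.100.23 - - [31/Mar/2022:09:59:03 +0000] "POST /api/orders?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di HTTP/1.1" 200 0',
    '198.51.100.23 - - [31/Mar/2022:09:59:04 +0000] "POST /api/orders?Class%2EModule%2EClassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0',
    '203.0.113.9 - - [31/Mar/2022:10:00:10 +0000] "GET /static/app.js HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    for coord, ver in audit_dependencies(SAMPLE_DEPENDENCIES):
        print(f"UPGRADE {coord} {ver}")
    for n, entry in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {entry}")
```

Run against a real `mvn dependency:list` or `gradle dependencies` export rather than the declared versions in a pom, since it is the resolved transitive `spring-beans` version that matters; and treat the log scan as a tripwire for probing, not as proof of exploitation, because the request also has to hit a deployable-WAR-on-Tomcat target on a vulnerable version to succeed.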

Apps will soon need to be submitted to the App Store using Xcode 13

Apple has reminded developers that apps will soon need to be submitted to the App Store using Xcode 13.

From 25 April 2022, Apple will only accept the submission of apps that are built using the latest version of its IDE.

“iOS, iPadOS, and watchOS apps submitted to the App Store must be built with Xcode 13, which includes the SDKs for iOS 15, iPadOS 15, and watchOS 8,” wrote Apple on its developer site.

Apple goes on to tout how Xcode 13 enables developers...