CocoaPods flaws highlight growing supply chain risks

Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities potentially expose millions of Apple devices to supply chain attacks, highlighting the growing risks associated with open-source software dependencies.

CocoaPods, used in over three million mobile apps, plays a crucial role in the iOS and macOS development ecosystem. The discovered...

Critical OpenSSH vulnerability threatens millions of Linux systems

A severe vulnerability in OpenSSH's server (sshd) has been uncovered by Qualys’ Threat Research Unit (TRU), potentially affecting over 14 million Linux systems worldwide. The flaw, designated as CVE-2024-6387, allows for remote unauthenticated code execution (RCE) with root privileges on glibc-based Linux systems.

This vulnerability, stemming from a signal handler race condition, impacts sshd in its default configuration. Qualys researchers have identified approximately 700,000...

GitLab’s DevSecOps report highlights AI challenges

GitLab's 8th annual Global DevSecOps Report has unveiled a complex landscape of software development, highlighting disparities between executive perceptions and developer realities. The survey, conducted in April 2024, gathered insights from over 5,300 professionals across the software development spectrum.

While 69% of CxOs report shipping software at least twice as fast as last year, AI adoption remains low, with only 26% of respondents implementing AI in their workflows. This...

Optus breach is a wake-up call for secure coding practices

A “coding error” in Optus Mobile's systems led to a massive data breach affecting over nine million customers, sparking a lawsuit from the Australian Communications and Media Authority (ACMA).

The case, filed under number VID429/2024 in the Federal Court of Australia, highlights the severe consequences of software vulnerabilities in large-scale systems.

The breach, which affected over nine million Optus users, was caused by a seemingly simple coding error—a stark...

Encryption under fire: Signal and rights groups oppose EU law

In a strongly worded statement, Meredith Whittaker, President of Signal, has called out the EU’s latest attempts to weaken end-to-end encryption under the guise of new terminology.

Her comments come in response to ongoing discussions surrounding the EU's chat control legislation, which has seen some European countries pushing for measures that could potentially compromise user privacy.

Whittaker's concerns are echoed by a joint statement issued in May by several...

Hackers are increasingly exploiting packers to spread malware

Cybersecurity researchers from Check Point have uncovered an increasing trend of hackers exploiting commercial packing tools like BoxedApp to conceal and distribute various malware strains. Over the past year, a significant surge in the abuse of BoxedApp products has been observed, particularly in attacks targeting financial institutions and government organisations.

BoxedApp offers a range of commercial packers – including BoxedApp Packer and BxILMerge – which provide...

Phylum uncovers targeted malware disguised in Python package

Phylum’s cybersecurity experts have detected a malicious payload embedded within a popular Python package on the PyPI repository. The package, named requests-darwin-lite, is an unauthorised variant of the widely-used requests library.

The requests-darwin-lite package was cleverly designed to emulate its legitimate counterpart but included a Go binary concealed within an oversized image file pretending to be a simple logo. This file – a PNG labelled as a sidebar image –...

Open letter criticises ‘flawed’ CSAM scanning plan

An open letter signed by 270 scientists and researchers across 33 countries has raised major technical concerns about the EU's proposed regulation mandating the scanning of messaging apps for child sexual abuse material (CSAM). The signees argue the techniques are fundamentally flawed and will "completely undermine communications and systems security."

"From a technical standpoint, to be effective, this new proposal will also completely undermine communications and systems...

CISA sounds alarm on critical GitLab flaw under active exploit

The US Cybersecurity and Infrastructure Security Agency (CISA) has labelled a critical vulnerability affecting the popular Git-based repository manager GitLab as a Known Exploited Vulnerability (KEV). The move comes in response to active exploitation attempts detected in the wild, underscoring the urgency for organisations to promptly apply security updates.

Tracked as CVE-2023-7028, the severe flaw (CVSS score: 10.0) could enable adversaries to take over user accounts by sending...

Google blocked 2M malicious apps from the Play Store in 2023

Google blocked 2.28 million policy-violating apps from being published on the Play Store in 2023, thanks to improved security measures and tighter developer vetting processes. The company rejected or had developers remediate almost 200,000 app submissions to prevent abuse of sensitive permissions like location tracking and SMS access.  

The company says providing a safe and trusted Play Store experience is its top priority, underpinned by principles to "safeguard users",...