
Reputation Farming in OSS: A Threat to Building Trust

This issue complicates the open source and supply chain security space. In attacks like the xz backdoor, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, a discussion ignited in the OpenSSF Slack about credibility farming in several open source repositories. The issue revolves around GitHub (or equivalent platform) accounts approving or commenting on old pull requests and issues that were already resolved or closed. These meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is unless someone takes a closer look....

June 27, 2024 · 3 min · Kumar Ashwin

Two Bits on the xz Vulnerability

GitHub Repository: xz (Suspended)
Source Code: https://git.tukaani.org/?p=xz.git
Threat Actor: Jia Tan (GitHub)
CVE Number: CVE-2024-3094 (CVSS 10.0)
Vulnerability Type: Remote Code Execution
Attack Category: Social Engineering, Supply Chain Attack

What does the xz module do? XZ Utils is a set of free and open-source data compression utilities that provide high compression ratios and fast decompression....

April 1, 2024 · 7 min · Kumar Ashwin

VS Code Security: Looking at the IDE from Security Lens

While perusing StackOverflow's 2023 Developer Survey (yes, we developers have our own version of celebrity gossip), I couldn’t help but notice that our trusty VSCode is still riding high as the undisputed IDE champ. With a whopping 73% of the developer vote, it’s safe to say that VSCode has firmly planted its flag. But, like any superstar, it’s not immune to the spotlight’s glare, especially when it comes to security. In this blog, we’ll explore the security aspects that every VSCode user should consider....

September 14, 2023 · 6 min · Kumar Ashwin