The Liberty Phone delivers uncompromising security for government communications - No Surveillance.
Yikes, just stumbled upon some news about new Go modules floating around GitHub that can seriously wreck Linux systems!
So, here’s the scoop: Three particularly nasty Go modules have been spotted. When executed, they're designed to completely trash the system. How? Basically, they use obfuscated code to fetch a payload, and *that* payload proceeds to overwrite `/dev/sda` (your primary hard drive!) with zeros. Poof! Your data is gone. Keep an eye out for these repos: `github[.]com/truthfulpharm/prototransform`, `github[.]com/blankloggia/go-mcp`, and `github[.]com/steelpoor/tlsproxy`.
The really scary part? This is a stark reminder of how supply-chain attacks can turn even code you *think* you trust into a major threat.
And honestly, this isn't an isolated incident. Think about those malicious npm packages caught stealing crypto keys, or PyPI packages abusing Gmail for data exfiltration. Unfortunately, the list goes on.
What steps can you take?
* **Always** double-check package authenticity. Look into the publisher's history and verify GitHub links.
* Make it a habit to regularly review your dependencies. What are you *really* pulling into your project?
* Implement strict access controls, especially for private keys. Don't make it easy for attackers.
* Keep tabs on unusual outbound network connections, *particularly* SMTP traffic.
* Don't just blindly trust a package because it's been around for a while. Age isn't always a guarantee of safety.
Speaking as a pentester, these supply-chain attacks are genuinely tricky and folks often underestimate the danger. Sure, automated scans can catch some things, but nothing beats staying vigilant and truly understanding the risks involved. I see it all the time – clients sometimes get a false sense of security just because something is "open source."
Have you encountered anything similar? What tools or strategies are you using to lock down your supply chain? Drop your thoughts below!
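The dependency review the post recommends can be partly automated. The following is an added example, not code from the post's author or from any of the projects mentioned: it parses a go.mod file and flags every require or replace directive that pulls in one of the three module paths named above, and also any replace directive that silently redirects a module to a different remote path. The blocklist entries are taken from the post's own list; the go.mod it runs on is constructed for the demo, and the local-versus-remote test for replace targets follows the go.mod rule that local replacements start with ./, ../ or /.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// knownMalicious maps the module paths named in the post (constructed from
// that list; extend it from your own intel feed) to a short reason.
var knownMalicious = map[string]string{
	"github.com/truthfulpharm/prototransform": "disk-wiper payload (zeroes /dev/sda)",
	"github.com/blankloggia/go-mcp":           "disk-wiper payload (zeroes /dev/sda)",
	"github.com/steelpoor/tlsproxy":           "disk-wiper payload (zeroes /dev/sda)",
}

// Finding is one flagged directive from a go.mod file.
type Finding struct {
	Module  string // module path as written on the left of the directive
	Version string // version of the module actually pulled in ("" if unknown)
	Reason  string
}

// AuditGoMod walks the require and replace directives of a go.mod (single-line
// and parenthesised block forms) and returns every blocklisted module plus every
// replace that points at a different remote module path.
func AuditGoMod(goMod string, blocklist map[string]string) []Finding {
	var findings []Finding
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch line {
		case "":
			continue
		case "require (":
			inRequire = true
			continue
		case "replace (":
			inReplace = true
			continue
		case ")":
			inRequire, inReplace = false, false
			continue
		}
		fields := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, "require "):
			findings = append(findings, checkRequire(fields[1:], blocklist)...)
		case inRequire:
			findings = append(findings, checkRequire(fields, blocklist)...)
		case strings.HasPrefix(line, "replace "):
			findings = append(findings, checkReplace(fields[1:], blocklist)...)
		case inReplace:
			findings = append(findings, checkReplace(fields, blocklist)...)
		}
	}
	return findings
}

// checkRequire handles "<module> <version>".
func checkRequire(fields []string, blocklist map[string]string) []Finding {
	if len(fields) < 2 {
		return nil
	}
	if reason, bad := blocklist[fields[0]]; bad {
		return []Finding{{Module: fields[0], Version: fields[1], Reason: reason}}
	}
	return nil
}

// checkReplace handles "<old> [<v>] => <new> [<v>]". The build uses the code on
// the right-hand side, so that is the path checked against the blocklist; any
// other redirect to a remote path is reported for manual review.
func checkReplace(fields []string, blocklist map[string]string) []Finding {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) {
		return nil
	}
	oldPath, newPath, newVersion := fields[0], fields[arrow+1], ""
	if arrow+2 < len(fields) {
		newVersion = fields[arrow+2]
	}
	if reason, bad := blocklist[newPath]; bad {
		return []Finding{{Module: oldPath, Version: newVersion, Reason: "replaced by blocklisted " + newPath + ": " + reason}}
	}
	isLocal := strings.HasPrefix(newPath, "./") || strings.HasPrefix(newPath, "../") || strings.HasPrefix(newPath, "/")
	if !isLocal && newPath != oldPath {
		return []Finding{{Module: oldPath, Version: newVersion, Reason: "replaced by different remote module " + newPath + "; review before building"}}
	}
	return nil
}

// sampleGoMod is a constructed go.mod for the demo; it is not from any real project.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/spf13/cobra v1.8.0
	github.com/blankloggia/go-mcp v0.1.3 // indirect
)

require golang.org/x/crypto v0.21.0

replace github.com/spf13/cobra => github.com/steelpoor/tlsproxy v0.2.0
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod, knownMalicious) {
		fmt.Printf("FLAG %s %s: %s\n", f.Module, f.Version, f.Reason)
	}
}
```

Run it with `go run audit.go`; in a real pipeline feed it each repository's go.mod (or the output of `go list -m all`, which also resolves transitive modules). Note what this does and does not give you: go.sum and the checksum database guarantee that the module bytes match what everyone else downloaded, not that the module is benign, so a reputation or blocklist check like this one complements them rather than replacing them.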
Threat alert: AI-generated code is overwhelming software supply chains
Three vendors — Endor Labs, Lineaje, and Cycode — are responding with agentic AI tools that move AppSec from detection to autonomous action.
New capabilities include:
• Reviewing and remediating pull requests with security context
• Explaining vulnerabilities in plain English
• Automatically fixing risks in containers and source code
• Monitoring CI/CD memory for secrets theft
• Mapping risk across entire dev pipelines
What leaders need to consider:
• AI agents must be trained, governed, and secured — like any supply chain actor
• Tools should integrate at the code level, not just report level
• Runtime guardrails, policy engines, and visibility are non-negotiable
We're past “SBOMs only” — software supply chain security is now a full-stack discipline, and agentic AI is driving that shift.
#CyberSecurity #SupplyChainSecurity #AI #DevSecOps #AgenticAI #AppSec #CICDSecurity
Ex-US Customs Chief: AI Platform Critical for National Security https://www.byteseu.com/948858/ #AI #AISecuritySolutions #ArtificialIntelligence #BorderProtectionInnovation #BorderSecurityTechnology #CustomsModernization #CustomsScreeningAI #CustomsTraceAI #STAI #SupplyChainSecurity #TradeComplianceAutomation
Taming the tangled web of JS dependencies? Our guide shows developers how to easily generate SBOMs for JavaScript projects using the free, open-source tool Syft.
Read now: https://anchore.com/blog/javascript-sbom-generation/
#JavaScript #SBOM #DevSecOps #SupplyChainSecurity #OpenSource #Syft
I am curating the Supply Chain Security track at #Rootconf2025!
Got stories, tools, or lessons from the trenches? Come speak — or just show up and learn.
hasgeek.com/rootconf/2025/
With this “trusted publishing”, uploading packages from GitHub to PyPI really became easy… Just enter project details and workflow filename and poof it works. No API key management any more! PyPI even links all binaries to the commits and verifies the project URLs. Together with setuptools-scm, new releases are just created by tagging them.
It leaves a sour feeling that this is all proprietary though… You can't configure it for your own CI/CD platform for example.
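For readers who want to see what the setup above actually looks like, here is an added example of a GitHub Actions workflow that publishes on a tag push through PyPI trusted publishing; it is not the poster's workflow. It assumes the PyPI project has a trusted publisher configured for this repository, this workflow filename (`publish.yml`) and the `pypi` environment, and that the project is versioned with setuptools-scm, which is why the checkout fetches the full history so the tag is visible.

```yaml
# .github/workflows/publish.yml  (filename must match the trusted publisher on PyPI)
name: Publish to PyPI

on:
  push:
    tags: ["v*"]   # setuptools-scm derives the version from this tag

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi          # optional, but if set it must match PyPI's publisher config
    permissions:
      contents: read
      id-token: write          # lets the job mint the OIDC token PyPI exchanges for upload rights
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # setuptools-scm needs the tags, not a shallow clone
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Upload with trusted publishing
        uses: pypa/gh-action-pypi-publish@release/v1
        # no username/password inputs: the action authenticates with the OIDC token
```

Two things worth checking when this refuses to upload: the owner, repository and workflow filename PyPI has on record must match exactly, and `id-token: write` must be granted to this job (the default token permissions do not include it). Anyone who can edit this workflow file on the release branch can publish, so branch protection on it matters as much as the token ever did.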
Abandoned S3 Buckets are a goldmine for hackers!
Last week, we shared new research revealing the alarming risks of abandoned S3 buckets. Now, cybersecurity experts @sherridavidoff and @MDurrin share more details on this new threat and provide advice on how to reduce your risk from this attack tactic that can expose you to supply chain compromises and remote code execution attacks.
Read our latest blog to learn how to protect your organization: https://www.lmgsecurity.com/abandoned-s3-buckets-a-goldmine-for-hackers/
Remember 1969? Landing on the Moon, Woodstock, the Birth of the Internet—So Many Hopes and Dreams… And ‘Come Together’ by The Beatles Playing in the Background.
Well, we are talking about the internet and Supply Chain Security here
Here we go:
From Trust to Zero Trust: How the Internet’s Original Vision Became a Global Security Risk
The #internet was built on #trust. The first message sent over ARPANET in 1969 linked #UCLA and #Stanford with the idea of open collaboration, a network designed to connect—not defend. That trust-based foundation worked when networks were small and closed. Today, it has become a critical vulnerability.
Supply chains are no longer just about moving goods—they are digital, global, and deeply embedded in every part of modern life. From the #software updates we install to the #infrastructure that keeps our world running, trust is now the attack surface. And the reality is simple: when trust is exploited, society pays the price.
At #ZeroTrustWorld2025 - aka #ztw25 organized by ThreatLocker - Sean Martin and I were on location to explore this shift. Bradford Bleier delivered a wake-up call on how supply chains have become a #cybersecurity battleground, why trust relationships are the weakest link, and why #ZeroTrust isn’t just an #infsecurity framework—it’s a necessity for the world we live in.
When a pipeline attack disrupts fuel supply, a ransomware hit leaves grocery shelves empty, or a compromised vendor shuts down hospitals, this isn’t just a cybersecurity issue. It’s a societal issue.
In my latest article for ITSPmagazine Podcasts' Coverage, I break down how we got here, why trust-based #networks no longer work, and what this means for the future of society, technology, and security.
On Location Coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Subscribe to Musing on Society & Technology: https://www.linkedin.com/newsletters/7079849705156870144
What do you think—can trust still exist in a hyperconnected world? Or is Zero Trust the only way forward?
David Coovert
The public sector faces unique #SupplyChainSecurity challenges—but open source can help!
In this blog, Daniel Moch (Lockheed Martin) explores how transparency, SLSA, & OpenVEX strengthen security for critical infrastructure.
Read more: https://openssf.org/blog/2025/02/06/securing-public-sector-supply-chains-is-a-team-sport/
Don't miss the sequel: https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/
Towards the end of 2024, OpenSSF proudly hosted the inaugural #SOSSCommunity Day India, and we’re excited to share that it was a tremendous success!
Check out the wrap-up blog to relive the highlights and explore the key takeaways. https://openssf.org/blog/2025/01/03/soss-community-day-india-2024-wrap-up/
I'm mind blown you can compromise a release CI/CD system with two malicious branch names. Like how.
Part 2 is live! Dive into the evolution of SBOMs from Release to Production in our final installment. Enhance your software security today. Read here
https://anchore.com/blog/the-evolution-of-sboms-in-the-devsecops-lifecycle-part-2/ #SBOM #DevSecOps #SupplyChainSecurity
Security researchers at Kaspersky discovered two packages on the Python Package Index (@pypi) that contain malware: https://www.kaspersky.com/blog/jarkastealer-in-pypi-packages/52640/
#Python #PyPI #ITSecurity #SupplyChainSecurity
We are happy to announce that OpenForum Europe is an Ecosystem Partner of the new GitHub Secure Open Source Fund!
We are proud to help improve open source security and to collaborate with other industry leaders to make an impact. Open source security is crucial and we are committed to creating a safer ecosystem for everyone.
Read the full announcement:
https://lnkd.in/eqsARhhu
#GitHub #GitHubSecure #SupplyChainSecurity #CyberSecurity #opensource
We are excited to announce that OpenSSF is an Ecosystem Partner of the new GitHub Secure Open Source Fund.
We are proud to help improve open source security and to collaborate with other industry leaders to make an impact. Open source security is crucial and we are committed to creating a safer ecosystem for everyone.
Read the blog: https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/
We are excited to announce that the Open Source Initiative is an Ecosystem Partner of the new GitHub Secure Open Source Fund: https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/
We have extended our tutorial for publishing Python packages to include the digital attestations signed by PyPI:
https://python-basics-tutorial.readthedocs.io/en/latest/packs/upload-install.html#digital-attestations
This significantly increases supply-chain security.
#Python #PyPI #SupplyChainSecurity