🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

⚠️ Malicious Package Discovered ⚠️: Exfiltration of /etc/passwd. After reporting this, the package has been removed from npm

Trusty ingests and analyzes data on thousands of open source packages to calculate supply chain risk scores. We started with a monolithic architecture, processing package data in sequence based on a state manager—but hit challenges as Trusty expanded. Staff Engineer Yolanda Robla

⚠️ Malicious Package Detected ⚠️ 📷: Contains obfuscated code calling suspicious URL's. Appears to be typo attacking bugsnag-js: trustypkg.dev/npm/bugsnagmw

Love what I am seeing from the trustypkg team. Real-time tracking of package feeds, with increasingly rich checks that identify and initiate removal of malicious material from community repos. What started as an intelligence engine is becoming a service for public good.

Via trustypkg , we found a malicious JavaScript #oss package minutes after it was published to npm last week. "bugsnagmw" was advertised as useful middleware for an Express web application, but actually opened a shell in your app server for an attacker to exploit. Here's

Some thoughts on the XV vulnerability (CVE 2024-3094) and implications for the OSS ecosystem. stacklok.com/blog/the-good-…

2,791 packages published by a single user within 72 hours, all sharing the same 132 external dependencies, while depending on each other. I am curious where this all ends up.

Quick teardown of the XZ situation. youtube.com/watch?v=DWkQHF…

Researchers from Proofpoint & Team Cymru have teamed up to provide a comprehensive overview of Latrodectus, an up-and-coming downloader with various sandbox evasion functionality, which is likely created by the same developers as IcedID. proofpoint.com/us/blog/threat…

Trustations! What do you feel is the most dangerous and low effort software supply chain attack?

First they came for our 💾 , now they are coming for our 🍞 !

💔 woah! Heartbleed was ten years ago!?!

What's up dog, I mean Marmot.

⚠️ Malicious Package Detected and reported by Trusty 📷 has the ability to upload users home directory to a remote server: osv.dev/vulnerability/…