c{api}tal (Checkmarx API Training and Learning) is a purpose-built vulnerable API application based on the OWASP API Top 10 risks. It is built with Python (FastAPI – a quick and easy to use web framework for developing RESTful APIs in
A few hours ago, PyPi disclose information on the first seen phishing attack aimed at a Python contributor. Right now, we are aware of hundreds of malicious packages that were related to this attack based on the known indicator. During
Automatic code execution is triggered upon downloading approximately one third of the packages on PyPi. A worrying feature in pip/PyPi allows code to automatically run when developers are merely downloading a package. Also, this feature is alarming due to the
2021 was a year where cyberattacks exploded, and if you did not know about the dangers of the cyber world, you probably do now. The pandemic got everyone into their homes and focused on their IT devices, so there was
Intro Researchers at Checkmarx found that the Ring Android app could have allowed a malicious application installed on the user’s phone to expose their personal data, geolocation, and camera recordings. Ring by Amazon operates in the home security space and
A known malicious contributor has published two new Python packages trying to mimic popular ones to lure developers into downloading them and infect their machines with Cobalt Strike. This account was not disabled after the first attack, allowing the attacker
On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. The PyPi user account devfather777 published a dozen malicious Typosquatting packages under the names of popular projects
Today, as it was revealed by Stephen Lacy in his tweet, he shared his findings of a large-scale campaign targeting random GitHub repositories with project clones containing credential stealing malware and remote shell execution on top of the original code.
An alarming software supply chain attack technique allows threat actors to trick developers into using potentially malicious code. By leveraging the ability to spoof and forge commits’ metadata on GitHub, an attacker can deceive users and lure them into using
Over a thousand packages and users were created on NPM using an automated process in the past few days. Is it a phase one of an upcoming attack? Checkmarx SCS team detected over 1200 npm packages released to the registry
©2022 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified
