Today, as it was revealed by Stephen Lacy in his tweet, he shared his findings of a large-scale campaign targeting random GitHub repositories with project clones containing credential stealing malware and remote shell execution on top of the original code.
An alarming software supply chain attack technique allows threat actors to trick developers into using potentially malicious code. By leveraging the ability to spoof and forge commits’ metadata on GitHub, an attacker can deceive users and lure them into using
Over a thousand packages and users were created on NPM using an automated process in the past few days. Is it a phase one of an upcoming attack? Checkmarx SCS team detected over 1200 npm packages released to the registry
Our research team at Checkmarx found that the Amazon Photos Android app could have allowed a malicious application, installed on the user’s phone, to steal their Amazon access token. The Android app has over 50 million downloads. The Amazon access
2 security issues found on spring function cloud. The Spring Framework application provides a flexible and comprehensive method for programming and configuring Java-based enterprise applications. One of the main purposes of Spring is to relieve developers from many infrastructural tasks
NPM, the package manager for Node.js, is an open source project that serves as a critical part of the JavaScript community and helps support one of the largest developer ecosystems. According to its website, “npm is relied upon by more
Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. This novel technique tries to avoid being detected by security scanners or AppSec platforms, which sometimes
A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published, making it highly
What Happened? Multiple supply chain attacks from the same attacker were reported today by s0md3v. (1) PHP package hautelook/phpass with over 2.5 million installations was hijacked using the RepoJacking technique. (2) Python package “ctx” with over 700,000 downloads was compromised
Malicious packages in multiple programming languages that went undetected for years were revealed by the Checkmarx Supply Chain Security team using advanced threat hunting techniques. The fact that the packages stayed undetected for such a long period of time is
Intro A few weeks ago, we wrote about a new threat actor we called RED-LILI and described their capabilities, including an in-depth walkthrough of the automated system for publishing malicious NPM packages from automatically created user accounts.After our publication, we
Checkmarx supply chain security has recently found a malicious PyPi package with more than 70,000 downloads using a technique we dubbed StarJacking - a way to make an open source package instantly look popular by abusing the lack of validation between the
On March 29th, 2022, two separate RCE (Remote Code Execution) vulnerabilities related to different Spring projects were published and discussed all over the internet. In addition, a third vulnerability in a Spring project was disclosed – this time a DoS
Does Protestware undermine the trustworthiness of OSS ecosystems? Two popular packages, “styled-components” and “es5-ext”, with millions of weekly downloads and thousands of dependent projects, released new Protestware versions. The new versions verify that the infected machine belongs to a Russian
SpringShell is a new vulnerability in Spring, the world’s most popular Java framework, which enables remote code execution (RCE) using ClassLoader access to manipulate attributes and setters. This issue was unfortunately leaked online without responsible disclosure before an official patch
Checkmarx Supply Chain Security (SCS) team has uncovered hundreds of malicious packages attempting to use a dependency confusion attack. Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks. As it seems this time, the attacker
Intro A popular NPM package node-ipc was purposely infected with a malicious payload by its own creator to protest over the Russia-Ukraine war. This package has over a million weekly downloads and hundreds of direct other dependent packages, including the
Intro Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload
According to their privacy policy, “Zenly is an app that makes it fun and easy to know what your friends and family are up to and keep memories of your real life interactions. With Zenly, you can keep up with
Recent NPM package takeover incidents such as “coa” and “ua-parser-js” have affected organizations by the thousands and have emphasized the need for a monitoring system, alerting developers and the open source community of suspicious activities that might hint of an
Oppia Foundation aims to offer free, engaging, and effective quality education for everyone. In pursuit of its mission, Oppia Foundation develops and maintains an open-source online learning platform with strong support from the open-source community. Oppia is run by the
This is the MOST RECENT update to our previous research blog: APACHE LOG4J REMOTE CODE EXECUTION – CVE-2021-44228 On December 9th the most critical zero-day exploit in recent years was disclosed, affecting most of the biggest enterprise companies. This critical
Log4j is a highly popular logging package in Java that is used widely by developers, companies such as Google, Steam, Apple, Minecraft, and even on one of NASA’s Mars rovers utilize this package. On December 9th, the most critical zero-day
On December 9th, the most critical zero-day exploit in recent years was discovered affecting most of the biggest enterprise companies. This critical 0-day exploit was discovered in the extremely popular Java logging library log4j which allows RCE (Remote code execution)
Malicious Python Packages with Self-spreading Capabilities Caught Stealing Browser Credentials, Discord Tokens, and System Information. The malicious package is able to steal the user’s password from their Chrome browser, along with Discord tokens and system information, and exfiltrate this data
Researchers at Checkmarx and Intezer have found a way to take over Git repositories, which could be potentially exploited by threat actors and puts popular admin tools at risk. Joint research between Checkmarx and Intezer points to ChainJacking, a new
A new attempt to compromise a popular NPM package had occurred in the past few hours. The popular COA (Command-Option-Argument) package is a parser for command line options with around 9 million weekly downloads, and a long list of dependent
A few days ago, CISA published an alert regarding malicious code discovered in an NPM package with close to 8 million weekly downloads, ”ua-parser-js”. A few days before, security researchers from Sonatype published a blog post reporting 3 malicious NPM package. A few connecting lines between these two incidents seems to suggest they are related. Looking
According to its official documentation, “FileBrowser” is an open source file managing interface within a specified directory that can be used to upload, delete, preview, rename, and edit your files. It allows the creation of multiple users, and each user can
For those who don’t know me, I am a mother to two brilliant children who are better at the game of chess than an average kid their age, and their chess teacher advised them to find suitable chess opponents online.
According to its official documentation, “RaspAP” is a wireless router software for many popular Debian-based devices, including the Raspberry Pi. It has a mobile-ready interface that gives the user control over the relevant services and networking options which include advanced DHCP
In a year where “remote everything” became the norm, on-demand and e-learning courses, and the vendors powering these services, saw exponential growth. With this and as part of our ongoing mission to help organizations develop and deploy more secure software
In recent years, cross-site history manipulation (or XSHM for short) has garnered rising attention from our customers. With this and our team being inspired by this recent CSO article exploring legacy software bugs, we decided to take a closer look
According to its official documentation, Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets for some protocols (e.g. SMB1-3 and MSRPC), and for others, the protocol
CKEditor 4 is a popular WYSIWYG editor, widely used in websites, web frameworks, and content management systems (CMS) such as Drupal and Backdrop. According to its website, the editor is “approved by millions, fully customizable, and the #1 rich text
Introduction When I previously wrote the original Dubbo publication, we disclosed that issue as it was mitigated by the vendor. While the Dubbo “HTTP” protocol in that disclosure was trivially vulnerable to the most common Java deserialization attacks (as evidenced
Deskpro is a multichannel helpdesk software solution that helps thousands of world-leading organizations manage their customer communications and userbase across multiple channels including email, live chat, voice, and social media. The Deskpro solution can be deployed on organizations’ own server
In my previous blog, I walked you through the reasoning and importance of the Exploitable Path feature in the Checkmarx CxSCA solution. We discussed the challenges of prioritizing vulnerabilities in open source dependencies and defined what it means for a
Being part of the Checkmarx SCA Research Team who supports our next-gen Software Composition Analysis (SCA) solution, my team members and I often participate in Capture the Flag (CTF) types of competitions to hone our skills and share our knowledge
If you look at the way code is written today vs. a few years back, one of the major changes is the transition to open source. What was once considered an unsafe methodology has grown and matured, and now almost
According to its official documentation, “twitter-server” is a Twitter OSS project used to provide a template from which servers at Twitter are built. It provides common application components such as an administrative HTTP server, tracing, stats, and more, and is
As you may recall, back in June, Checkmarx disclosed multiple cross-site scripting (XSS) vulnerabilities impacting Drupal Core, listed as CVE-2020-13663, followed by a more technical breakdown of the findings in late November. Today, we’re releasing details surrounding additional, new vulnerabilities
Earlier this year, the Checkmarx Security Research Team conducted an investigation of the new version of Drupal Core (Drupal 9) – a content management system (CMS) written in PHP – uncovering several interesting issues whose technical details are worth discussing
“Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors’ data and help personalize customers experiences,” according to its website. Unomi can be used to integrate personalization and profile management
The automation and integration of Application Security Testing (AST) is essential for building out a true DevSecOps program. Automation is the easy part. Invoke a security scanners’ REST API or a command line interface inside a pipeline and you can
Overview The Go Programming Language (also known as Golang) is an open source programming language created by Google. Go is compiled and is statically typed as in C (with garbage collection). It has limited structural typing, memory safety features, and
“I think Node (.js) is not the best system to build a massive server web. I would use Go for that. And honestly, that’s the reason why I left Node. It was the realization that: oh, actually, this is not
When beginning to utilize any new programming language, a frequent obstacle developers face is the sheer lack of secure coding education and training about common pitfalls and coding errors during the language-learning process. The subject of security is often neglected
The Checkmarx Security Research Team recently audited the security of several high-profile websites, including Meetup.com. For those who are not familiar with Meetup.com, it allows users to create an event where people with similar interests gather. Events can be in
As part of the beta testing phase that took place earlier this year for our recently launched Software Composition Analysis solution, CxSCA, the Checkmarx Security Research Team investigated Mozilla-Bleach, finding multiple concerning security vulnerabilities. Patches were released in mid-March 2020,
As part of our ongoing mission to help organizations develop and deploy more secure software and applications, and in light of Checkmarx’s expanded insight into the open source security landscape with its recently launched SCA solution, the Checkmarx Security Research
In 2018, we performed our initial research about the current state of security in the context of Smart Contracts, focusing on those written in Solidity “a contract-oriented, high-level language for implementing smart contracts“. At that time, we compiled a Top
There is little doubt that today’s consumers have a tendency to choose convenience over security. When a shiny new gadget designed to make our lives easier finds its way to the consumer market, buyers often jump at the opportunity to
Executive Summary Having developed a high level of interest in serialization attacks in recent years, I’ve decided to put some effort into researching Apache Dubbo some months back. Dubbo, I’ve learned, deserializes many things in many ways, and whose usage
.tbl20200211 td{border:1px solid black;} Recently, the Checkmarx Security Research team investigated the online music platform SoundCloud. According to their website, “As the world’s largest music and audio platform, SoundCloud lets people discover and enjoy the greatest selection of music from
Last year, the Checkmarx Security Research Team decided to investigate Kubernetes due to the growing usage of it worldwide. For those who are not too familiar with this technology, you can find more information at the official site here. Kubernetes
Survival of the Fastest Today, everything is getting faster. With social media and our smartphones, we expect immediate responses to our messages. When searching for the answer to a question, the internet can deliver it in seconds. Even Amazon’s one-
Quoting the official documentation, Solidity “is a contract-oriented, high-level language for implementing smart contracts.” It was proposed back in 2014 by Gavin Wood and developed by several people, most of them being core contributors to the Ethereum platform, to enable
Due to the widespread usage of APIs, and the fact that attackers realize APIs are a new attack frontier, the OWASP API Security Top 10 Project was launched. From the beginning, the project was designed to help organizations, developers, and
As a result of a broadening threat landscape and the ever-increasing usage of APIs, the OWASP API Security Top 10 Project was launched. From the start, the project was designed to help organizations, developers, and application security teams become more
Introduction Security Aspects of Android Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux isolates applications
Protecting our children from the dangers on the internet is something all parents strive for and struggle with. When you find a toy that you think is safe, and will educate and entertain your child, you buy it. Right? That’s
A friend of mine offered me a Lenovo Watch X – which costs around €60 – in return for helping him with a security project. I was impressed with the design and the quality of the watch. Of course, I
These days IoT devices are an easy entry point for malicious users to invade users‘ privacy. With that in mind, we tested the AEG Smart Scale PW 5653 BT, specifically the Bluetooth security (Bluetooth Low Energy or BLE). We also tested
WebViews are very common on the Android applications. There are clear WebView security best practices, but are they being implemented? With our previous blog post in mind, Android WebView: Secure Coding Practices, we wanted to understand how security best practices in
Near-field communication (NFC) is a set of protocols that enables two electronic devices to establish communication by bringing them very close together. Usually the devices must be within less than 4cm. Contactless payment systems use NFC devices, including smartphones, and
Security researchers started talking about vulnerabilities in the Android InApp Billing API years ago, but we found it worthwhile to take another look to see how it has improved (or not) and verify the best way to build security into the application.
Smart bulbs are widely known as a successful offering in home automation and IoT products, as they are internet-capable light bulbs that allow home users to customize the colors, schedule on and off times, and control them remotely. Some even
In the United States alone, 84% of adults are using navigation applications, according to a recent Gallup poll. Whether they’re downloading it in an app store or the navigation capability is already built into the car, these navigation tools are
In my post last week I shared common security mistakes developers make when building Swift applications – covering insecure data storage, symmetric key algorithms, insecure communication and more. If you haven’t read it, please take a few minutes to review
Overview: Data Storage and Communication Security Swift was first introduced in 2014 at Apple’s Worldwide Developers Conference (WWDC) as the iOS, macOS, watchOS and tvOS de facto programming language. Designed by Chris Lattner and many others at Apple Inc., Swift is
Air-gapping means physically isolating a secure computer from unsecured networks, such as the public Internet or an unsecured local area network. The concept of air-gapping represents just about the maximum protection one network can have from another, other than actually
Address Risk from Third-party Resources with Subresource Integrity (SRI) In most real-life web apps there’s a need to include third-party resources. Whether it is for advertisements, A/B testing, analytics or other purposes, third-party resources provide important functional or business value.
Extensions have become a must-have on every user’s browser. Since most users are not aware of the power of browser extensions, the responsibility for creating secure browser extensions belongs to you, the developer. Browser vendors also share some responsibility, and
Go Programming Language (also known as Golang) is an open source programming language created by Google. Go is compiled, is statically typed as in C (with garbage collection), with limited structural typing, memory safety features and CSP-style concurrent features. In this … Read More
©2022 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified
