appsec.fyi · Sources

devops.com

5 curated AppSec resources from devops.com across 2 topics on appsec.fyi.

devops.com

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-07-08.

Date Added Resource Excerpt
2026-07-08 2026North Korea Expands the Reach of PolinRider Supply Chain Attack CampaignSupply ChainNorth Korea is expanding its PolinRider supply chain attack campaign. This sophisticated operation targets software updates to distribute malware. The campaign's reach has grown, indicating a persistent effort by North Korean state-sponsored actors to compromise systems through trusted software channels. The provided link offers further details on the campaign's evolution and technical aspects.
2026-06-22 2026Homebrew to Packages: No ID No ServiceSupply ChainLibrary update details Homebrew 6.0.0's new supply-chain security measures, which mimic npm's approach by requiring explicit user trust for third-party repositories and blocking untrusted installation scripts. This includes a "Guestlist" of pre-approved remote URLs and a `trusted` flag for state management, alongside Bubblewrap integration for sandboxing builds on Linux. Package maintainers and CI/CD pipelines may need to update installation instructions and scripts.
2026-06-10 2026GitHub Takes Down 73 Microsoft Repos After Miasma Worm AttackSupply ChainWriteup of the Miasma worm attack on Microsoft repositories, detailing its infiltration of 73 GitHub projects, including Azure and MicrosoftDocs. The worm, a variant of Mini Shai-Hulud, leveraged compromised contributor accounts to inject malicious commits that executed credential-harvesting payloads when code was opened in IDEs and AI coding tools like Claude Code, Gemini CLI, Cursor, and VS Code. This attack signifies a shift in software supply chain threats, targeting the developer environment itself as an attack surface rather than just installed packages.
2026-05-22 2026Attackers Can Exploit a Claude Code RCE Flaw to Take Command of SystemRCELibrary for securing developer models, this entry details a critical RCE vulnerability in Anthropic's Claude Code (version 2.1.118). Attackers could exploit a parsing flaw in the `eagerParseCliFlag` function via crafted deeplinks to inject arbitrary commands, bypassing trust prompts and taking control of a victim's system. The vulnerability was discovered by Joernchen of 0day.click and has since been patched.
2026-04-21 2026Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: TenableSupply ChainCritical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable https://ift.tt/nvuCc9x