infoq.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-15.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-06-15 | Spring Boot 4.1 Adds gRPC Auto-Configuration, SSRF Mitigation and Kotlin 2.3 Support | SSRF | Spring Boot 4.1 introduces significant updates, including auto-configuration for gRPC, enhancing its integration capabilities. The release also addresses security by implementing Server-Side Request Forgery (SSRF) mitigation, making applications more robust. It also adds support for Kotlin 2.3, allowing developers to use the latest features of the Kotlin programming language. |
| 2026-05-20 | Pip 26.1 Ships Dependency Cooldowns and Experimental Lockfile Support to Combat Supply Chain Attacks | Supply Chain | Library update: Pip 26.1 introduces dependency cooldowns to mitigate supply chain attacks by enforcing installation delays for newly published packages, drawing on analysis of past incidents such as those affecting Essential Plugin and XZ Utils. It also adds experimental support for PEP 751 pylock.toml lockfiles, expanding adoption beyond uv. The release addresses CVE-2026-3219 and CVE-2026-6357 and updates vendored urllib3 to resolve three additional CVEs. |
| 2026-04-06 | Axios npm Package Compromised in Supply Chain Attack | Supply Chain | Library compromise: a supply chain attack affected axios@1.14.1 and axios@0.30.4 via the malicious plain-crypto-js@4.2.1 package. The attack, originating from a hijacked maintainer account, poisoned both the 1.x and 0.x branches of the popular npm HTTP client. Mitigation strategies include rolling back to unaffected versions, pinning dependencies, or using alternative HTTP clients such as the native fetch API, got, or ky. |
| 2026-04-03 | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits" | Secrets | Tool: Force Push Scanner identifies and scans orphaned Git commits for leaked secrets, including GitHub PATs and AWS credentials. Developed by Truffle Security and Sharon Brizinov, this open-source utility uses GH Archive data and TruffleHog scanning to uncover sensitive information such as MongoDB credentials and API tokens that may have been exposed in force-pushed or deleted commits, reducing supply-chain attack risk. |
| 2026-04-03 | Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response | Supply Chain | Tool compromise: Trivy was hit by a supply chain attack in which the malicious release v0.69.4 was briefly distributed, exfiltrating sensitive data and executing malicious code. Attackers used compromised credentials and manipulated release processes, affecting downstream systems and related tooling such as GitHub Actions. The incident highlights the vulnerability of trusted open source scanners and CI/CD pipelines, prompting calls for artifact integrity verification, credential scoping, and zero-trust principles in software supply chains. |