infoq.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-19.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-19 2026 | VS Code 1.123 Adds Two-Hour Extension Update Delay to Limit Supply Chain AttacksSupply Chain | Library introducing a two-hour delay for VS Code extension auto-updates to mitigate supply chain attacks, following similar cooldown mechanisms in package managers like Pip and npm. While this new protection aims to provide a window for detecting malicious updates, it notably exempts "trusted publishers." Critics suggest the delay is too short, with alternative proposals including sandboxing extensions and staged rollouts. The change offers teams disabling auto-updates more control via policy-based allowlists or internal marketplaces. |
| 2026-06-15 2026 | Spring Boot 4.1 Adds gRPC Auto-Configuration SSRF Mitigation and Kotlin 2.3 SupportSSRF | Library provides gRPC auto-configuration for server and client applications, enabling centralized exception handling and custom observation intercepts. It introduces HTTP client SSRF mitigation through an InetAddressFilter, blocking outbound requests to specified address ranges. The update also enhances Kotlin baseline to 2.3, supports lazy datasource connections, propagates @Async context automatically, and improves OpenTelemetry integration with OTLP exemplars and SSL bundle support. Additional features include asynchronous Spring Data JPA bootstrap and configurable Jackson property behavior. |
| 2026-05-20 2026 | Pip 26.1 Ships Dependency Cooldowns and Experimental Lockfile Support to Combat Supply Chain AttacksSupply Chain | Library update, Pip 26.1, introduces dependency cooldowns to mitigate supply chain attacks by enforcing installation delays for new packages, drawing on analysis of past incidents like those affecting Essential Plugin and XZ Utils. It also adds experimental support for PEP 751 pylock.toml lockfiles, expanding adoption beyond uv. The release addresses CVE-2026-3219 and CVE-2026-6357, and updates vendored urllib3 to resolve three additional CVEs. |
| 2026-04-06 2026 | Axios npm Package Compromised in Supply Chain AttackSupply Chain | Library compromised in a supply chain attack affecting axios@1.14.1 and axios@0.30.4 via the malicious plain-crypto-js@4.2.1 package. The attack, originating from a hijacked maintainer account, poisoned both the 1.x and 0.x branches of the popular npm HTTP client. Mitigation strategies include rolling back to unaffected versions, pinning dependencies, or using alternative HTTP clients like the native fetch API, got, or ky. |
| 2026-04-03 2026 | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"Secrets | Tool, Force Push Scanner, identifies and scans orphaned Git commits for leaked secrets, including GitHub PATs and AWS credentials. Developed by Truffle Security and Sharon Brizinov, this open-source utility leverages GH Archive data and TruffleHog scanning to uncover sensitive information like MongoDB credentials and API tokens potentially exposed in force-pushed or deleted commits, mitigating supply-chain attack risks. |
| 2026-04-03 2026 | Open Source Security Tool Trivy Hit by Supply Chain Attack Prompting Urgent Industry ResponseSupply Chain | Tool Trivy was compromised in a supply chain attack, with malicious release v0.69.4 briefly distributed, exfiltrating sensitive data and executing malicious code. Attackers leveraged compromised credentials and manipulated release processes, impacting downstream systems and related tooling like GitHub Actions. This incident highlights the vulnerability of trusted open source scanners and CI/CD pipelines, prompting calls for artifact integrity verification, credential scoping, and zero-trust principles in software supply chains. |