appsec.fyi · Sources

therecord.media

5 curated AppSec resources from therecord.media across 3 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-11.

Date Added | Resource | Topic | Excerpt
2026-06-11 | Microsoft calls zero-day releases never justifiable as researcher threatens to drop more | Bug Bounty | Microsoft strongly condemns the public release of zero-day vulnerabilities, deeming it "never justifiable." This statement comes after a security researcher publicly disclosed a zero-day exploit, threatening to release further exploits if their demands are not met. Microsoft emphasizes that responsible disclosure to vendors is crucial for protecting users and enabling prompt patching. The researcher's actions, however, bypass this process, potentially exposing individuals and organizations to significant risks. The specific payout amount for this vulnerability was not mentioned in the provided content.
2026-06-02 | Red Hat removes tainted packages after software pipeline compromise | Supply Chain | Writeup of Red Hat's response to a supply chain attack involving the Mini Shai-Hulud worm variant, Miasma, which was distributed via a compromised GitHub account. The attack affected 32 packages and targeted developers with credential-stealing malware. This incident follows a series of similar supply chain compromises, including attacks on LiteLLM, the axios JavaScript library, and breaches affecting GitHub and OpenAI employees via malicious extensions.
2026-05-14 | OpenAI asks macOS users to update after TanStack npm supply chain attack | Supply Chain | Coverage of securing applications against supply chain attacks, exemplified by the TanStack npm compromise. This incident involved credential stealers and self-propagation targeting popular npm, PyPI, and other packages, impacting companies like OpenAI and Mistral AI. The attack, attributed to TeamPCP, highlights the risks associated with interconnected software ecosystems and the need for rigorous security controls to validate legitimate software and prevent unauthorized modifications.
2026-05-06 | Hackers compromise Daemon Tools in global supply-chain attack, researchers say | Supply Chain | Installers for Daemon Tools were compromised in a global supply-chain attack, impacting users in over 100 countries. Attackers embedded backdoors, including Quic RAT, into versions 12.5.0.2421 through 12.5.0.2434 of the free Daemon Tools Lite, observed since early April. The campaign appears targeted, with initial data collectors deployed broadly and more advanced payloads reserved for specific organizations. Disc Soft has addressed the issue, recommending that users update to the latest version.
2021-09-07 | CISA adds single-factor authentication to its catalog of 'Bad Practices' | AuthN | Catalog entry detailing CISA's addition of single-factor authentication to its "Bad Practices" list. This entry highlights the inadequacy of single-factor authentication for remote or administrative access, contrasting it with CISA's recommended multi-factor authentication approach. The catalog also includes practices like using unsupported software and default credentials, and is open to community submissions for additional detrimental configurations.