Disappointing Outcomes in NPM Supply Chain Attack

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Apple ruins exploit developers’ week with fresh memory corruption mitigations
• Feross Aboukhadijeh drops by to talk about the big, dumb npm supply chain attack
• Salesloft says its GitHub was the initial entry point for its compromise
• Sitecore says people should “patch” its using-the-keymat-from-the-documentation “zero day”
• Rogue certs for 1.1.1.1 appear to be just (stupid) testing
• Jaguar Land Rover ransomware attackers are courting trouble

This week’s episode is sponsored by open source cloud security tool, Prowler. Founder Toni de la Fuente joins to discuss their new support for Microsoft 365. Time to point Prowler at your OneDrive and Sharepoint!

This episode is also available on Youtube.

Show notes

• Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
• Venezuela's president thinks American spies can't hack Huawei phones | TechCrunch
• 18 Popular Code Packages Hacked, Rigged to Steal Crypto – Krebs on Security
• Software packages with more than 2 billion weekly downloads hit in supply-chain attack - Ars Technica
• Salesloft platform integration restored after probe reveals monthslong GitHub account compromise | Cybersecurity Dive
• CISA orders federal agencies to patch Sitecore zero-day following hacking reports | The Record from Recorded Future News
• SAP warns of high-severity vulnerabilities in multiple products - Ars Technica
• The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. - Ars Technica
• Cyberattack on Jaguar Land Rover threatens to hit British economic growth | The Record from Recorded Future News
• Cyberattack forces Jaguar Land Rover to tell staff to stay at home | The Record from Recorded Future News
• Bridgestone Americas continues probe as it looks to restore operations | Cybersecurity Dive
• Qantas penalizes executives for July cyberattack | The Record from Recorded Future News
• Cyber Command, NSA to remain under single leader as officials shelve plan to end 'dual hat' | The Record from Recorded Future News
• GOP Cries Censorship Over Spam Filters That Work – Krebs on Security
• Risky Bulletin: APT report? No, just a phishing test! - Risky Business Media
• Post by @patrick.risky.biz — Bluesky