home.social

#supplychainsecurity — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #supplychainsecurity, aggregated by home.social.

  1. Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.

    ⚠️ Vendors can pass audits while exposing live risk
    ⚠️ Attackers rank vendors by exposure paths, not spend
    ⚠️ AI is worsening noise and confidence problems in cyber datasets

    “Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”

    technadu.com/why-attackers-und

    #CyberSecurity #TPRM #SupplyChainSecurity #AI #Compliance

  2. Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.

    ⚠️ Vendors can pass audits while exposing live risk
    ⚠️ Attackers rank vendors by exposure paths, not spend
    ⚠️ AI is worsening noise and confidence problems in cyber datasets

    “Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”

    technadu.com/why-attackers-und

    #CyberSecurity #TPRM #SupplyChainSecurity #AI #Compliance

  3. Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.

    ⚠️ Vendors can pass audits while exposing live risk
    ⚠️ Attackers rank vendors by exposure paths, not spend
    ⚠️ AI is worsening noise and confidence problems in cyber datasets

    “Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”

    technadu.com/why-attackers-und

    #CyberSecurity #TPRM #SupplyChainSecurity #AI #Compliance

  4. Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.

    ⚠️ Vendors can pass audits while exposing live risk
    ⚠️ Attackers rank vendors by exposure paths, not spend
    ⚠️ AI is worsening noise and confidence problems in cyber datasets

    “Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”

    technadu.com/why-attackers-und

    #CyberSecurity #TPRM #SupplyChainSecurity #AI #Compliance

  5. Müzeyyen Gökçen Arslan Tapkan of Black Kite says organizations still confuse compliance with actual security.

    ⚠️ Vendors can pass audits while exposing live risk
    ⚠️ Attackers rank vendors by exposure paths, not spend
    ⚠️ AI is worsening noise and confidence problems in cyber datasets

    “Saying HITL in TPCRM is easy. Designing for it, vendor by vendor, signal by signal, decision by decision, this is the real work.”

    technadu.com/why-attackers-und

    #CyberSecurity #TPRM #SupplyChainSecurity #AI #Compliance

  6. 🥶 A contractor for CISA posted AWS GovCloud admin keys to a public GitHub repo! The repo was named "Private-CISA." Not an accident, the contractor actively disabled GitHub's built-in secret scanner to do it. That's a choice. Not a typo, not a misconfiguration. Someone turned off the guardrail and then stored plaintext credentials in a file called "importantAWStokens." That should make every security leader lose their 💩 AND the exposed keys stayed valid for 48 hours after CISA was notified. The agency responsible for protecting the country's critical infrastructure took two days to rotate credentials sitting in a public repo. 🤬 One researcher called this "the worst leak I've witnessed in my career." The exposed files included credentials to CISA's internal software build environment. Anyone who found those keys first could have backdoored the packages CISA builds and deploys. Every new build would carry that backdoor forward. CISA has lost nearly a third of its workforce since January. The oversight that might have caught this sooner is gone.

    Two questions worth taking back to your own team:
    ・ When did you last verify that secret scanning is actually enabled across every repo your contractors touch?
    ・ If you got the call today that credentials were public, how long would it take to rotate them?

    krebsonsecurity.com/2026/05/ci
    #CISA #CloudSecurity #SupplyChainSecurity #CyberGovernance #security #privacy #cloud #infosec

  7. 🥶 A contractor for CISA posted AWS GovCloud admin keys to a public GitHub repo! The repo was named "Private-CISA." Not an accident, the contractor actively disabled GitHub's built-in secret scanner to do it. That's a choice. Not a typo, not a misconfiguration. Someone turned off the guardrail and then stored plaintext credentials in a file called "importantAWStokens." That should make every security leader lose their 💩 AND the exposed keys stayed valid for 48 hours after CISA was notified. The agency responsible for protecting the country's critical infrastructure took two days to rotate credentials sitting in a public repo. 🤬 One researcher called this "the worst leak I've witnessed in my career." The exposed files included credentials to CISA's internal software build environment. Anyone who found those keys first could have backdoored the packages CISA builds and deploys. Every new build would carry that backdoor forward. CISA has lost nearly a third of its workforce since January. The oversight that might have caught this sooner is gone.

    Two questions worth taking back to your own team:
    ・ When did you last verify that secret scanning is actually enabled across every repo your contractors touch?
    ・ If you got the call today that credentials were public, how long would it take to rotate them?

    krebsonsecurity.com/2026/05/ci
    #CISA #CloudSecurity #SupplyChainSecurity #CyberGovernance #security #privacy #cloud #infosec

  8. 🥶 A contractor for CISA posted AWS GovCloud admin keys to a public GitHub repo! The repo was named "Private-CISA." Not an accident, the contractor actively disabled GitHub's built-in secret scanner to do it. That's a choice. Not a typo, not a misconfiguration. Someone turned off the guardrail and then stored plaintext credentials in a file called "importantAWStokens." That should make every security leader lose their 💩 AND the exposed keys stayed valid for 48 hours after CISA was notified. The agency responsible for protecting the country's critical infrastructure took two days to rotate credentials sitting in a public repo. 🤬 One researcher called this "the worst leak I've witnessed in my career." The exposed files included credentials to CISA's internal software build environment. Anyone who found those keys first could have backdoored the packages CISA builds and deploys. Every new build would carry that backdoor forward. CISA has lost nearly a third of its workforce since January. The oversight that might have caught this sooner is gone.

    Two questions worth taking back to your own team:
    ・ When did you last verify that secret scanning is actually enabled across every repo your contractors touch?
    ・ If you got the call today that credentials were public, how long would it take to rotate them?

    krebsonsecurity.com/2026/05/ci
    #CISA #CloudSecurity #SupplyChainSecurity #CyberGovernance #security #privacy #cloud #infosec

  9. 🥶 A contractor for CISA posted AWS GovCloud admin keys to a public GitHub repo! The repo was named "Private-CISA." Not an accident, the contractor actively disabled GitHub's built-in secret scanner to do it. That's a choice. Not a typo, not a misconfiguration. Someone turned off the guardrail and then stored plaintext credentials in a file called "importantAWStokens." That should make every security leader lose their 💩 AND the exposed keys stayed valid for 48 hours after CISA was notified. The agency responsible for protecting the country's critical infrastructure took two days to rotate credentials sitting in a public repo. 🤬 One researcher called this "the worst leak I've witnessed in my career." The exposed files included credentials to CISA's internal software build environment. Anyone who found those keys first could have backdoored the packages CISA builds and deploys. Every new build would carry that backdoor forward. CISA has lost nearly a third of its workforce since January. The oversight that might have caught this sooner is gone.

    Two questions worth taking back to your own team:
    ・ When did you last verify that secret scanning is actually enabled across every repo your contractors touch?
    ・ If you got the call today that credentials were public, how long would it take to rotate them?

    krebsonsecurity.com/2026/05/ci
    #CISA #CloudSecurity #SupplyChainSecurity #CyberGovernance #security #privacy #cloud #infosec

  10. 🥶 A contractor for CISA posted AWS GovCloud admin keys to a public GitHub repo! The repo was named "Private-CISA." Not an accident, the contractor actively disabled GitHub's built-in secret scanner to do it. That's a choice. Not a typo, not a misconfiguration. Someone turned off the guardrail and then stored plaintext credentials in a file called "importantAWStokens." That should make every security leader lose their 💩 AND the exposed keys stayed valid for 48 hours after CISA was notified. The agency responsible for protecting the country's critical infrastructure took two days to rotate credentials sitting in a public repo. 🤬 One researcher called this "the worst leak I've witnessed in my career." The exposed files included credentials to CISA's internal software build environment. Anyone who found those keys first could have backdoored the packages CISA builds and deploys. Every new build would carry that backdoor forward. CISA has lost nearly a third of its workforce since January. The oversight that might have caught this sooner is gone.

    Two questions worth taking back to your own team:
    ・ When did you last verify that secret scanning is actually enabled across every repo your contractors touch?
    ・ If you got the call today that credentials were public, how long would it take to rotate them?

    krebsonsecurity.com/2026/05/ci
    #CISA #CloudSecurity #SupplyChainSecurity #CyberGovernance #security #privacy #cloud #infosec

  11. Introducing wormbox!

    Transparent sandbox + pre-install audit for the macOS Node.js toolchain (npm, pnpm, yarn, bun). Every install runs under sandbox-exec; the audit reads tarballs first and flags the shapes seen in chalk, debug, Shai-Hulud: window.ethereum proxies, atob+eval lifecycle scripts, decoded payloads fed to Function(). AWS_*/GH_TOKEN never reach postinstall.

    codeberg.org/head1328/wormbox

    #SupplyChainSecurity #SandboxExec #NodeJS #PackageSecurity

  12. Introducing wormbox!

    Transparent sandbox + pre-install audit for the macOS Node.js toolchain (npm, pnpm, yarn, bun). Every install runs under sandbox-exec; the audit reads tarballs first and flags the shapes seen in chalk, debug, Shai-Hulud: window.ethereum proxies, atob+eval lifecycle scripts, decoded payloads fed to Function(). AWS_*/GH_TOKEN never reach postinstall.

    codeberg.org/head1328/wormbox

    #SupplyChainSecurity #SandboxExec #NodeJS #PackageSecurity

  13. We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  14. We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  15. We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  16. We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  17. We hope you enjoyed @glaubinix talk on the malware filtering features in Composer 2.10 at phpday. Try them out on latest snapshots today. Appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  18. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  19. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  20. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  21. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  22. Dear opensource developers,

    I added an "adoption" list to the repro-env README, if you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absense of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  23. OpenAI says the recent TanStack npm supply-chain attack did not compromise production systems or user data, though 2 employee devices were impacted.

    The company isolated systems, restricted deployments, and rotated code-signing certificates.

    technadu.com/openai-addresses-

    #CyberSecurity #SupplyChainSecurity #DevSecOps #InfoSec

  24. OpenAI says the recent TanStack npm supply-chain attack did not compromise production systems or user data, though 2 employee devices were impacted.

    The company isolated systems, restricted deployments, and rotated code-signing certificates.

    technadu.com/openai-addresses-

    #CyberSecurity #SupplyChainSecurity #DevSecOps #InfoSec

  25. OpenAI says the recent TanStack npm supply-chain attack did not compromise production systems or user data, though 2 employee devices were impacted.

    The company isolated systems, restricted deployments, and rotated code-signing certificates.

    technadu.com/openai-addresses-

    #CyberSecurity #SupplyChainSecurity #DevSecOps #InfoSec

  26. OpenAI says the recent TanStack npm supply-chain attack did not compromise production systems or user data, though 2 employee devices were impacted.

    The company isolated systems, restricted deployments, and rotated code-signing certificates.

    technadu.com/openai-addresses-

    #CyberSecurity #SupplyChainSecurity #DevSecOps #InfoSec

  27. TeamPCP claims it breached Mistral AI while the company confirms impact from the TanStack supply chain attack involving malicious NPM and PyPI packages.

    Mistral says there’s currently no evidence of an internal infrastructure breach.

    technadu.com/teampcp-claims-mi

    #Cybersecurity #SupplyChainSecurity #AI #Infosec

  28. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  29. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  30. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  31. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  32. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  33. OSSGuard — one CLI to scan your project and tell you exactly which OpenSSF security practices are missing: Scorecard, SLSA, SBOM, Sigstore, and more.

    Works with Python, Go, JS, Rust, Java, C/C++.

    pip install ossguard
    brew install kirankotari/tap/ossguard
    npx ossguard

    github.com/kirankotari/ossguard

    #OpenSSF #SupplyChainSecurity #DevSecOps #OpenSource #DevOps #Python #Node #Golang #Community

  34. Open source malicious package detections went from 20,000 a day to 100,000 in twelve months🤯

    Aikido Security has been watching and building for exactly this.

    Proud to have them as a Gold Sponsor for this year!

    aikido.dev/?utm_source=appsec-

    #AppSec #SupplyChainSecurity

  35. NOAA Milestone And US Japan Pact Reframe TMC Deep Sea Metal Story

    Get insights on thousands of stocks from the global community of over 7 million individual investors at Simply Wall St. NOAA confirmed that TMC the metals’ consolidated application for a deep sea exploration lice…
    #Japan #JP #JapanNews #criticalminerals #environmentalreview #news #NOAA #polymetallicnodules #supplychainsecurity #TMC
    alojapan.com/1481698/noaa-mile

  36. NOAA Milestone And US Japan Pact Reframe TMC Deep Sea Metal Story

    Get insights on thousands of stocks from the global community of over 7 million individual investors at Simply Wall St. NOAA confirmed that TMC the metals’ consolidated application for a deep sea exploration lice…
    #Japan #JP #JapanNews #criticalminerals #environmentalreview #news #NOAA #polymetallicnodules #supplychainsecurity #TMC
    alojapan.com/1481698/noaa-mile