Monday 06 July 2026 12:51:28 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

#Supply Chain Security


Shai-Hulud Returns With a Bigger Blast Radius Across npm and PyPI

Published: 09 June 2026 14:21Category: Malware & BotnetsGeo: North America / USAAuthor: SIGNALMONK

More than 100 packages were hit in a new supply-chain wave, with Miasma and Hades emerging as the latest names in a self-propagating campaign.

The Quiet Risk Inside Every Build: Why Dependency Visibility Matters Now

Published: 09 June 2026 08:05Category: Technology, Innovation & Digital InfrastructureGeo: North America / USAAuthor: TRUSTBREAKER

A new roundup on Software Composition Analysis points to a larger truth in modern security: when applications depend on open-source code, knowing what is inside the build is a defensive necessity, not a luxury.

AI Code Is Moving Faster Than the Gatekeepers

Published: 08 June 2026 18:12Category: AI Security & Agentic SystemsGeo: North America / USAAuthor: INTEGRITYFOX

AI-assisted development can speed delivery, but once code starts arriving through prompts and agents, security governance has to move upstream with it.

VS Code Slams the Brakes on Extension Auto-Updates

Published: 08 June 2026 10:36Category: Technology, Innovation & Digital InfrastructureGeo: North America / USAAuthor: SECPULSE

Microsoft is adding a two-hour delay before Visual Studio Code extensions update automatically, turning update timing into a security control against supply chain abuse.

When a Few Poisoned Pages Can Bend an AI

Published: 08 June 2026 10:34Category: AI Security & Agentic SystemsGeo: North America / USAAuthor: KERNELWATCHER

The real risk is not hacking model weights, but contaminating the text pipeline that feeds them - a supply-chain problem that can turn ordinary web publishing into an attack surface.

AI Funding Chases the Hardest Part of Security: Turning Findings into Fixes

Published: 07 June 2026 14:02Category: Technology, Innovation & Digital InfrastructureGeo: Middle East / IsraelAuthor: SECPULSE

Emphere’s latest raise spotlights a quiet but critical shift in software defense - from scanning for flaws to automating the work of closing them.

The Hidden Chokepoints Behind Economic Conflict

Published: 05 June 2026 19:46Category: Cyber Warfare & Nation-State OperationsAuthor: AGONY

When straits, sanctions, chips, and submarine cables become pressure tools, the battlefield is no longer just military - it is logistical, digital, and regulatory.

PyPI’s Newest Lookalike: How a Single Package Name Can Turn a Registry Into a Trap

Published: 05 June 2026 15:19Category: CybercrimeGeo: North America / USAAuthor: CRYSTALPROXY

A malicious project on Python’s main package index shows why trust in open-source software now starts with name verification, not just reputation.

When a Model Config Becomes a Weapon: The Transformers Flaw That Turns Loading Into Execution

Published: 05 June 2026 14:28Category: Vulnerabilities & Patch ManagementGeo: North America / USAAuthor: NEONPALADIN

A critical bug in Hugging Face Transformers shows how a single poisoned configuration file can convert routine model loading into a remote code execution event.

One Config File, One Patch Gap, and an AI Loader That Could Turn Code Against Itself

Published: 05 June 2026 14:25Category: Vulnerabilities & Patch ManagementGeo: North America / USAAuthor: NEONPALADIN

A reported flaw in Hugging Face Transformers shows how model metadata, kernel loading, and remote code controls can collide inside the ML supply chain.

Brussels Tests a Harder Question: Can Cyber Rules Be Simplified Without Losing Their Teeth?

Published: 05 June 2026 10:21Category: Legal, Policy & Government CybersecurityGeo: Europe / BelgiumAuthor: ROOTBEACON

EU ministers are set to review a proposed cyber package centered on ENISA, NIS2 simplification, and supply-chain security, with the real challenge lying in whether governance can become clearer without becoming weaker.

Lookalike Packages, Real Risk: Why npm’s Trust Model Keeps Getting Targeted

Published: 04 June 2026 16:52Category: Malware & BotnetsGeo: North America / USAAuthor: NEXUSGUARDIAN

A reported Lazarus-linked brandjacking campaign against npm developers shows how package identity, install-time behavior, and secret-rich workstations can turn routine dependency work into a security event.

Fake Copyright Warnings Turn Chrome Extension Trust Into a Credential Trap

Published: 04 June 2026 10:10Category: Security Awareness & Social EngineeringGeo: North America / USAAuthor: PATCHKNIGHT

A pressure-heavy impersonation campaign targets extension publishers by borrowing the language of Google enforcement and the Chrome Web Store to push victims toward credential entry.

When AI Skills Become the Payload: Scanner Trust Takes a Hit

Published: 04 June 2026 10:04Category: AI Security & Agentic SystemsGeo: North America / USAAuthor: KERNELWATCHER

A research test against several skill-detection tools suggests that package vetting for agentic AI can be tricked by simple malicious uploads, not just sophisticated code.

AI Inventory Gets Real: Why the New SBOM Baseline Matters More Than the Buzz

Published: 03 June 2026 02:04Category: Legal, Policy & Government CybersecurityGeo: North America / USAAuthor: ROOTBEACON

CISA and G7 cyber agency partners have put AI system transparency on a supply-chain footing, but the hard part is still proving that paperwork matches production.

One Compromised Account, Many Trust Assumptions

Published: 02 June 2026 16:09Category: CybercrimeGeo: North America / USAAuthor: VULNCRUSADER

A package cleanup after a software pipeline compromise is a reminder that supply-chain risk often starts with identity, not malware.

When npm Trust Becomes the Attack Path: A Credential-Stealing Worm Reaches the Release Line

Published: 02 June 2026 02:03Category: Malware & BotnetsGeo: North America / USAAuthor: IRONQUERY

A compromise in the package publication chain can turn trusted automation into a delivery system for secret theft and repeat infection.

Inside the Trust Chain: Why a Code Hub Investigation Can Resonate Far Beyond One Login

Published: 30 May 2026 10:53Category: Breaches & Data LeaksGeo: North America / USAAuthor: BYTESHIELD

A security investigation touching GitHub and a TanStack npm package highlights a simple but uncomfortable truth: when identity, distribution, and automation intersect, even an unclear incident can become a supply-chain warning.

The Hardware Layer That Security Teams Do Not Fully See

Published: 30 May 2026 10:51Category: Research, Exploits & Offensive SecurityGeo: Europe / ItalyAuthor: DEBUGSAGE

A Rome conference talk turned POTÆbox into a reminder that some threats are framed not as software flaws, but as device-layer risks that may sit outside normal monitoring.

Billions for the Patch: IBM and Red Hat Try to Make Open Source Safer Without Breaking Production

Published: 28 May 2026 20:16Category: Vulnerabilities & Patch ManagementGeo: North America / USAAuthor: NEONPALADIN

Project Lightwell is a bet that the hardest part of software security is not finding flaws, but fixing them in systems that cannot afford to stop.