This week's articles
s1ngularity: supply chain attack leaks secrets on GitHub
Multiple malicious versions of the widely used "Nx" build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more.
#attack
#supply-chain
Canary tokens: Learn all about the unsung heroes of security at Grafana Labs
This article explains how Grafana Labs uses canary tokens for threat detection, their placement strategy in GitHub secrets, integration with Thinkst platform for alerting, and best practices learned from catching a real attacker including metadata management and avoiding false positives.
#ci/cd
#defend
#monitor
How to Create a Secure CI/CD Pipeline Using Okta Terraform
This article demonstrates how to create a secure CI/CD pipeline using Terraform, AWS, and GitHub Actions to manage Okta resources. It covers authentication, state management, secrets handling, and automated deployment workflows.
#build
#ci/cd
#iac
#terraform
A new type of long-lived key on AWS: Bedrock API keys
AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions.
#aws
#iam
Safeguarding VS Code against prompt injections
When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user's explicit consent. This post explains which VS Code features may reduce these risks.
#ai
#defend
AWS CDK and SaaS Provider Takeover
This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.
#attack
#aws
WebSocket authentication bypass in Claude Code extensions
A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers, potentially enabling remote command execution.
#ai
#attack
#supply-chain
|