Andy Caine
andycaine.bsky.social
AppSec, threat modeling, DevSecOps and cloud.
We need to have a whip round and buy all maintainers of popular open source projects a FIDO key.
September 8, 2025 at 7:02 PM
Credit to Cloudflare for running a public CT log but maybe they should actually monitor them? arstechnica.com/security/202...
Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet
The three certificates were issued in May but only came to light Wednesday.
arstechnica.com
September 4, 2025 at 7:40 PM
Nice to see a tech leader talking sense, rather than spouting the usual AI hype www.theregister.com/2025/08/21/a...
AWS CEO says AI replacing junior staff is 'dumbest idea'
They're cheap and grew up with AI … so you're firing them why?
www.theregister.com
August 21, 2025 at 9:04 AM
Clever attack - can't help but think that Google's validation of that OAuth app name could have been a little stricter... 🤣 thehackernews.com/2025/04/phis...
Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Phishers abused Google Sites and DKIM replay to send valid-signed emails, bypassing filters and stealing credentials.
thehackernews.com
April 22, 2025 at 6:37 PM
Reposted by Andy Caine
Big props to those behind the new CVE Foundation (www.thecvefoundation.org) - amazing to be able to announce this so quickly after the news about MITRE's funding expiring broke yesterday. I hope private sector & government folks are investigating how they can support the Foundation going forward.
CVE Foundation
FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term ...
www.thecvefoundation.org
April 16, 2025 at 10:18 AM
Reposted by Andy Caine
I haven’t been operationally involved in #cve for a long time and I’m sorry for what the team is going through.

I’m hopeful that the CNAs will pick up the load, and that they either have reserved blocks or can coordinate among themselves to assign blocks for use in a way that helps with the […]
Original post on infosec.exchange
infosec.exchange
April 15, 2025 at 8:27 PM
Reposted by Andy Caine
CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.) Those included comparing between […]
Original post on infosec.exchange
infosec.exchange
April 15, 2025 at 10:37 PM
No app in 2025 should force you to enter a password on a foreign device. Just had to type in a 40 character long random password in Google Family Link to add a card to my son's device 🥵 🤬
April 12, 2025 at 9:50 AM
Reposted by Andy Caine
"Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize."

#AI #sbom #cicd

socket.dev/blog/slopsqu...
The Rise of Slopsquatting: How AI Hallucinations Are Fueling...
Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.
socket.dev
April 12, 2025 at 6:08 AM
More evidence of DeepSeek’s shocking security practices. Wide open databases, obsolete encryption algorithms, hard-coded encryption keys, sensitive data sent over unencrypted channels arstechnica.com/security/202...
DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers
Apple’s defenses that protect data from being sent in the clear are globally disabled.
arstechnica.com
February 10, 2025 at 9:34 AM
Great example of why you should implement a data perimeter in AWS to make sure you only load resources from S3 buckets from within your own AWS Organization www.theregister.com/2025/02/04/a...
Reused AWS S3 buckets a weak link in supply chain security
When cloud customers don't clean up after themselves, part 97
www.theregister.com
February 5, 2025 at 8:46 AM
Why is Amazon Q so bad? You'd think it would be relatively easy to optimize it for answering questions on AWS services, given the quality of the docs. But in my experience it consistently gets stuff wrong e.g. making up settings that don't exist.
January 23, 2025 at 10:30 AM
Reposted by Andy Caine
Helpful!
January 21, 2025 at 4:30 AM
We need someone to build a trusted privacy aware service to verify things like age … www.bbc.co.uk/news/article...
All porn sites must 'robustly' verify UK user ages by July
Ofcom is issuing industry guidance which sets out the tech adult websites must use to check ages.
www.bbc.co.uk
January 17, 2025 at 10:46 AM
“…one must assume that if an LLM is supplied with untrusted input, it will produce arbitrary output. When that input includes private information, one must also assume that the model will output private information." 😬 www.theregister.com/2025/01/17/m...
Microsoft AI Red Team says security work will never be done
If you want a picture of the future, imagine your infosec team stamping on software forever
www.theregister.com
January 17, 2025 at 8:29 AM
Shame but not a massive surprise given EV sales and financials www.theguardian.com/environment/...
BT axes EV charger scheme after installing just one out of 60,000
Telecoms company hoped to convert roadside cabinets into charge points but will now shut down its sole installation
www.theguardian.com
January 16, 2025 at 2:59 PM
This is why you use the 'sub' claim, and not the email address, as the unique ID for users in your system when integrating with OIDC thehackernews.com/2025/01/goog...
Google OAuth Vulnerability Exposes Millions via Failed Startup Domains
Attackers exploit a Google OAuth flaw, recycling domains to access SaaS accounts and sensitive HR data.
thehackernews.com
January 15, 2025 at 10:26 AM
Google's AI bug hunters sniff out two dozen-plus code gremlins that humans missed www.theregister.com/2024/11/20/g...
Google's AI bug hunters sniff out two dozen-plus code flaws
OSS-Fuzz is making a strong argument for LLMs in security research
www.theregister.com
November 21, 2024 at 8:35 AM
NIST finalizes post-quantum encryption standards. ML-KEM for "general encryption" (in hybrid schemes replacing e.g. ECDH) and 2 for digital signatures www.theregister.com/2024/08/14/n...
NIST finalizes trio of post-quantum encryption standards
Nicely ahead of that always-a-decade-away moment when all our info becomes an open book
www.theregister.com
August 14, 2024 at 12:54 PM