NPM、PyPI、crates.ioで34パッケージ100バージョンに及ぶ新たなサプライチェーン攻撃
NPM、PyPI、crates.ioの3つの主要なパッケージレジストリで、34のパッケージ、計100バージョンに影響を及ぼす新たなサプライチェーン攻撃が確認された。これらの悪意のあるパッケージは「トラップドア」型の暗号通貨スティーラーを仕込んでおり、開発者の環境に侵入して機密情報を窃取しようとする。
関連記事
Patrick McKenzie notes that an LLM-produced blog post analyzing supply chain attack clusters, published by msuiche, is the first AI-generated public artifact he finds professionally relevant and complete enough that the lack of a human author does not materially compromise its utility.
A user reports receiving an Amber Alert from the California Highway Patrol containing a bit.ly link that redirected to a spammy 3gp file converter site, not legitimate information. Despite the suspicious link, the alert was real and matched a listing on missingkids.com. The issue was likely a copy-paste error, as a corrected alert was sent 39 minutes later.
The Bhutanese government, through its Computer Incident Response Team (BtCIRT), has joined Have I Been Pwned's free government service as the 45th government onboarded. BtCIRT now monitors Bhutanese government domains against the data in HIBP.
exe.dev is a cloud service designed for the agent era, offering pools of VMs with SSH, root access, and web authentication by default. It injects secrets at the network edge to keep them out of LLM hands, and supports persistent servers, internal tools, vibe coding, and disposable devboxes.