Notice about upcoming new format for GitHub App installation tokens - GitHub Changelog
Notice about upcoming new format for GitHub App installation tokens Starting April 27th 2026 and over the coming weeks, we will begin a staged rollout that updates the format of newly minted GitHub App installation tokens, making them more performant and improving the reliability of our API surface. If your application expects or relies on installation tokens being exactly 40 characters long, it m
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain ...
Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The open source password manager serves more than 10 million users and over 50,000 businesses, and ranks among among the top three password managers by enterprise adoption. The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was publishe
Introducing a new spam policy for "back button hijacking" | Google Search Central Blog | Google for Developers
Subscribe to our RSS feed Follow us on X Subscribe to our YouTube Channel SEO fundamentals Introduction Search Essentials SEO Starter Guide How Google Search Works Do you need an SEO? Crawling and indexing Sitemaps robots.txt Meta tags Crawler management Removals Canonicalization Redirects JavaScript SEO Ranking and search appearance Visual Elements gallery Title links Snippets Images Videos Struc
GitHub - betterleaks/betterleaks: A Better Secrets Scanner built for configurability and speed
Betterleaks is a tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and whatever else you wanna throw at it via stdin. If you wanna learn more about how the detection engine works check out this blog: Regex is (almost) all you need. Betterleaks development is supported by Aikido Security ➜ ~/code(master) betterleaks git -v ○ ○ ● ○ Betterleaks v1.0.0 Finding: "expo
Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack - StepSecurity
It has been a week since the axios compromise, and we wanted to take some time to reflect. We published a detailed technical analysis during the incident and have been continuously updating it. But the human story, the frantic evening, the deleted GitHub issues, the community rallying together at midnight, that part hasn't been told yet. This is that story. axios is the most popular HTTP client in
Summary of CVE-2026-23869 - Vercel – Vercel
Link to headingSummaryA high-severity vulnerability (CVSS 7.5) in React Server Components can lead to Denial of Service. We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required. Link to heading
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity
StepSecurity hosted a community town hall on this incident on April 1st at 10:00 AM PT - YouTube recording: https://youtu.be/3Hku_svFvos axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. The ma
distrolessコンテナイメージの中を覗いて「なんか軽くてセキュアらしい」より理解を深める - エムスリーテックブログ
この記事はセキュリティチームブログリレー3日目 兼 AIチームブログリレー3日目の記事です。 こんにちは、セキュリティチーム 兼 AIチームの横本(@yokomotod)です。 今回は distroless コンテナイメージについて自由研究してみました。 エムスリーでもよく使われている gcr.io/distroless/static などの distroless イメージ、「シェルもパッケージマネージャもない最小限のイメージ」「軽量!なにもないから安全!」といった説明がされますが、今回は実際にその中身を確かめてみようと思います。 ブログリレーの前回記事はこちら www.m3tech.blog www.m3tech.blog コンテナベースイメージのおおまかな選択肢 scratch だけだと何が足りないか scratch で動かしてみる CGO_ENABLED=0 にしてみる distro
Attackers Are Hunting High-Impact Node.js Maintainers in a C...
Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the np
Node.js — Security Bug Bounty Program Paused Due to Loss of Funding
The Node.js project's security bug bounty program is being paused due to the discontinuation of its external funding source. Background Since 2016, the Node.js project has participated in the Internet Bug Bounty (IBB) program through HackerOne, offering monetary rewards to security researchers who responsibly disclosed vulnerabilities in Node.js. The program was a meaningful part of our security e
Introducing EmDash — the spiritual successor to WordPress that solves plugin security
Introducing EmDash — the spiritual successor to WordPress that solves plugin security2026-04-01 The cost of building software has drastically decreased. We recently rebuilt Next.js in one week using AI coding agents. But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up. WordPress powers over 40%
dockerfile-pin: DockerfileやComposeのイメージをSHA256でピン留めするCLIツールを作った
DockerfileやComposeファイルのイメージ参照に@sha256:<digest>を自動で追加するCLIツール dockerfile-pin を作りました。 GitHub: azu/dockerfile-pin なぜ作ったか trivyへのサプライチェーン攻撃などの事件を見ていると、次に狙われるのはDocker Hubかなと思ったのがきっかけです。 CIでDocker Hubへのpushをしているケースは多いので、そこに悪意あるコードが混入する事件は今後も起きるだろうと思っています。 Dockerイメージのタグ(例:node:20)はデフォルトで可変(mutable)です。同じタグ名で中身を上書きできるため、悪意ある第三者がレジストリへのアクセスを得た場合、既存タグに対して改竄されたイメージをpushできます。 Can a Docker Hub tag have its cont
Security Update: Suspected Supply Chain Incident | liteLLM
Status: Active investigation Last updated: March 27, 2026 Update (March 30): A new clean version of LiteLLM is now available (v1.83.0). This was released by our new CI/CD v2 pipeline which added isolated environments, stronger security gates, and safer release separation for LiteLLM. Update (March 27): Review Townhall updates, including explanation of the incident, what we've done, and what comes
GitHub - sashiko-dev/sashiko: Agentic review of Linux Kernel code changes
Sashiko (刺し子, literally "little stabs") is a form of decorative reinforcement stitching from Japan. Originally used to reinforce points of wear or to repair worn places or tears with patches, here it represents our mission to reinforce the Linux kernel through automated, intelligent patch review. Sashiko is an agentic Linux kernel code review system. It uses a set Linux kernel-specific prompts and
OpenTitan shipping in production
The latest news from Google on open source releases, major projects, events, and outreach programs for early career developers. by Cyrus Stoller & Miguel Osorio, OpenTitan Last year, we shared the exciting news that fabrication of production OpenTitan silicon had begun. Today, we're proud to announce that OpenTitan® is now shipping in commercially available Chromebooks. The first OpenTitan part is
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Malicious Checkmarx Artifacts Found in Official KICS Docker ...
Identifying and Handling Transient or Special Data on the Clipboard
Release 4.18.0 · lodash/lodash
GitHub - azu/dockerfile-pin: A CLI tool for digest pinning — adds @sha256:<digest> to Dockerfile, docker-compose.yml, and GitHub Actions to prevent supply chain attacks.
Update: Ongoing Investigation and Continued Remediation