sora_hのブックマーク - はてなブックマーク

Shai Hulud Strikes Again (v2) - Socket
Shai Hulud Strikes Again (v2)Another wave of Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected. Update: November 26, 2025 PostHog has published a detailed post mortem describing how one of its GitHub Actions workflows was abused as an initial access vector for Shai Hulud v2. An attacker briefly opened a pull request that modified a script executed via pull_requ
sora_h 2025/11/25
リンク
Popular Tinycolor npm Package Compromised in Supply Chain At...
Update (September 16, 2025): This campaign has expanded significantly. Our follow up documents nearly 500 affected npm packages, including several open source CrowdStrike packages. Read the latest analysis and guidance: https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packagesA malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a b
sora_h 2025/09/18
リンク
https://socket.dev/blog/password-manager-clickjacking
sora_h 2025/08/20
リンク
cURL Project and Go Security Teams Reject CVSS as Broken - S...
The CVSS (Common Vulnerability Scoring System) is facing significant pushback as both the cURL project and Go security teams are publ icly distance themselves from the framework. While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which operates across diverse environments and bi
sora_h 2025/01/27
リンク
1