The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from memory used by GitHub Actions. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target feature, causing the malicious code to be built and run by a GitHub Action, poisoning a cache used across the entire repository.
New account registrations on RubyGems.org, the official Ruby gem hosting service, have been suspended after threat actors published hundreds of malicious packages. RubyGems maintainers announced on May 12 that registrations have been temporarily disabled due to a "DDoS attack". Nearly 24 hours later, registrations are still disabled and will likely remain closed for another 2-3 days until account creation rate limiting can be tightened and WAF protection is enabled.
Supposedly, Anthropic refused to give the Pentagon unrestricted access to Claude, its frontier AI model, the only one currently running on classified military networks. They wanted guarantees that there would be zero mass surveillance and no autonomous weapons without a human in the loop, making the final decisions of life or death. The Department of War's message was 'remove those restrictions or lose everything.'
From the very beginning, this has been about one fundamental principle: the military being able to use technology for all lawful purposes. The military will not allow a vendor to insert itself into the chain of command by restricting the lawful use of a critical capability and put our warfighters at risk.
The Pentagon put its ultimatum in writing on Wednesday night, reiterating its demand that Anthropic agree to let the military use its technology for "all lawful purposes." Anthropic CEO Dario Amodei responded with a public statement laying out the company's concerns and stating "we cannot in good conscience accede to their request."
The push reflects a broader Pentagon effort to field large numbers of low-cost drones quickly without creating new dependencies that could backfire in a fight. The Blue UAS [Uncrewed Aerial Systems] List provides service branches and federal agencies with a catalog of approved drones they can buy.
Lema AI, a cybersecurity startup focused on agentic AI-powered third-party risk management, on Monday emerged from stealth mode with $24 million raised across Series A and seed funding rounds. Founded in 2023 by Eddie Dovzhik (CEO), Omer Yehudai (CPO), and Tomer Roizman (CTO), Lema AI has developed an enterprise supply chain security platform that replaces manual spreadsheets and questionnaires with continuous, AI-driven analysis of vendor behavior and risk exposure.
But after decades of outsourcing tungsten production, the federal government has now begun restricting imports. United States Tungsten founders Stacy Hastie and Randy Waterfield saw this coming. They're reviving what was once America's largest tungsten mine, the Tungsten Queen. It's a site holding an estimated 1 million tons of tungsten with an in-ground value approaching $450 million, the company says. And it says it is already in talks with the U.S. Government.
saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.
Europe faces increasingly sophisticated hybrid attacks on every area of its infrastructure, the EC claims. The revised Cybersecurity Act looks to address this with union-level risk assessments, combined with targeted mitigation measures that will include bans on IT components from "high-risk suppliers." The suggested timeframe for this could leave member states with as little as three years to remove non-compliant kit.
Midway through a decade that is coming to be defined by the runaway acceleration of technological change, the threat of ransomware attacks seems to be dropping down the agenda in boardrooms around the world, with C-suite executives more concerned about growing risks arising from artificial intelligence (AI) vulnerabilities, cyber-enabled fraud and phishing attacks, disruption to supply chains, and exploitation of software vulnerabilities.
The European Commission has launched a fresh consultation into open source, setting out its ambitions for Europe's developer communities to go beyond propping up US tech giants' platforms. In a "Call for Evidence" published this week, Brussels says the EU's reliance on non-European technology suppliers (read: US tech giants) has become a strategic liability, limiting choice, weakening competitiveness, and creating supply chain risks across everything from cloud services to critical infrastructure.
Charlie Marsh announced the Beta release of ty on Dec 16 "designed as an alternative to tools like mypy, Pyright, and Pylance." Extremely fast even from first run Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.
As organizations operate across cloud infrastructure, distributed endpoints, and complex supply chains, security has shifted from a collection of point solutions to a question of architecture, trust, and execution speed. This report examines how core areas of cybersecurity are evolving in response to that shift. Across authentication, endpoint security, software supply chain protection, network visibility, and human risk, it explores how defenders are adapting to adversaries that move faster, blend technical and social techniques, and exploit gaps between systems rather than weaknesses in any single control.
The first seafood vanished on Nov. 22 in Falmouth, Maine, where authorities suspect someone stole 14 cages full of oysters from an aquaculture site in Casco Bay. Many of the oysters were full-grown and ready for sale, and together with the cages were worth $20,000, according to the Maine Marine Patrol. "This is a devastating situation for a small businessman," said Marine Patrol Sgt. Matthew Sinclair.
The chairman of the Senate Intelligence Committee asked National Cyber Director Sean Cairncross in a Wednesday letter to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies. Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia.
"The scripts automate the process of downloading, building, and installing the required libraries and tools," security researcher Vladimir Pezo said. "Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org - a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue."
Logitech believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. The zero-day vulnerability was patched by Logitech following its release by the software platform vendor. The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system.
A lawsuit brought by the US Securities & Exchange Commission (SEC) against SolarWinds has been dropped. The legal fire was also directed at the company's CISO, Timothy G. Brown. Brown's alleged personal responsibility will now not be determined in court. It therefore appears that CISOs have less to fear from the law than previously thought. CISOs are responsible for securing their company's IT infrastructure.
This represents a "new operational model that's neither traditional cyber attack nor conventional warfare," Amazon Chief Security Officer Steve Schmidt told The Register. "The targeting data collected through cyber means flows directly into kinetic decision making."
Slopsquatting is an attack method in which hackers exploit common AI hallucinations to trick engineers into mistakenly installing malicious packages. In short, hackers track non-existent packages hallucinated by AI coding tools and then publish malicious packages under these names on public repositories such as . The seemingly legitimate packages are then installed by victims who trust their AI code suggestions.
An influential bipartisan congressional commission is urging lawmakers to create a new economic statecraft office to enforce U.S. sanctions, limit Chinese influence in the electrical grid, and release funding to maintain dominance in cyber and quantum technologies - warning that the national security threat from Beijing has escalated over the past year and could threaten the United States in a future conflict.
I think the big cyber incidents happening in the Middle East and Europe in recent months, particularly ransomware as a service, so big names like Jaguar Land Rover and others, have kind of given this meeting an extra buzz just before we met. Quite a few people flew in from that have been affected by the supply chain attack on baggage handling software. So it was very relevant and topical.
Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems which could be exploited to affect buses while in transit.
