India demonstrates its security-focused ‘BharOS’

India has demonstrated its security-focused homegrown mobile operating system, BharOS.

Government officials teased a homegrown mobile OS earlier this month. Local media outlet Business Standard initially reported it would be called ‘IndOS’ and would be a collaboration between the government, academia, and startups.

"India is one of the largest mobile device markets in the globe. Our objective is to create a secure Indian mobile operating system that could also create...

Visual Studio Marketplace is the latest supply chain attack vector

Aqua Security researchers have found that hackers are using Visual Studio Marketplace to conduct supply chain attacks.

In a new report, the researchers uncovered that attackers could impersonate popular VS Code extensions to trick developers into downloading malicious versions.

VS Code is the most popular IDE, with around 74.48 percent of developers using it. The vast array of extensions available for VS Code is partly what drives its popularity.

Here are some...

Malware campaign targets official Python and JavaScript repos

An active malware campaign is targeting official Python and JavaScript repositories.

Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.

Typosquats rely on simple typos: a developer who misspells a package name installs whatever malicious package has been registered under that misspelling.

In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests,...

Syntax error breaks KmsdBot cryptomining botnet

A syntax error broke an otherwise advanced cryptomining botnet called KmsdBot.

The malware, which could also be used for distributed denial-of-service (DDoS) attacks, was discovered by Akamai Security Research.

Akamai’s researchers witnessed the authors “accidentally crash” KmsdBot: they observed that the malware stopped sending attack commands after it received:

!bigdata www.bitcoin.com443 / 30 3 3 100 

The lack of a space between the website and the...
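The general failure mode behind this, as an added example and not KmsdBot's own code: a command parser that trusts token positions. The format `!bigdata <host> <port> <path> <args...>` is an assumption about the line quoted above, where the "443" fused to the hostname reads as a port. With the space missing, every later field shifts one slot left, so the port slot holds `/` and the conversion raises; a loop that does not catch that stops processing commands. The validated parser beside it rejects the line and keeps going.

```python
"""One missing space versus positional command parsing.

Added example, not the bot's code. The `!bigdata host port path args...`
layout is an assumption; BAD is the line quoted in the article, GOOD is a
constructed well-formed version of it.
"""
from dataclasses import dataclass


@dataclass
class AttackCommand:
    host: str
    port: int
    path: str
    params: list


def parse_positional(line: str) -> AttackCommand:
    """Naive parser: trusts token positions. A missing separator shifts
    every later field, so the port slot holds "/" and int() raises."""
    tokens = line.split()
    return AttackCommand(
        host=tokens[1],
        port=int(tokens[2]),
        path=tokens[3],
        params=[int(t) for t in tokens[4:]],
    )


def parse_validated(line: str):
    """Parser that checks token count and types and returns None on a bad
    line instead of raising, so one malformed command cannot kill the loop."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "!bigdata":
        return None
    host, port, path = tokens[1:4]
    if not port.isdigit() or not 0 < int(port) < 65536:
        return None
    if not path.startswith("/"):
        return None
    params = tokens[4:]
    if not all(p.isdigit() for p in params):
        return None
    return AttackCommand(host, int(port), path, [int(p) for p in params])


def command_loop(lines, parser):
    """Feed commands through `parser`; return (accepted count, loop survived).

    An uncaught IndexError/ValueError ends the loop, which is the observable
    'stopped sending attack commands' behaviour.
    """
    accepted = 0
    for line in lines:
        try:
            cmd = parser(line)
        except (IndexError, ValueError):
            return accepted, False
        if cmd is not None:
            accepted += 1
    return accepted, True


GOOD = "!bigdata www.bitcoin.com 443 / 30 3 3 100"   # constructed well-formed line
BAD = "!bigdata www.bitcoin.com443 / 30 3 3 100"     # the line quoted in the article
FEED = [GOOD, BAD, GOOD]

if __name__ == "__main__":
    print("positional:", command_loop(FEED, parse_positional))
    print("validated: ", command_loop(FEED, parse_validated))
```

The same discipline applies to any network-facing command channel, malicious or not: bound the token count, type-check each field, and never let a single unparseable message unwind the dispatcher.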

Security leaders believe companies should face consequences for releasing insecure software


Organisations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown.

In a recent survey conducted by the Neustar International Security Council (NISC), 93% of participating information technology and security professionals reported that DevSecOps would be a significant budgeting priority in the coming year, with 55% saying it would be a very significant priority for their organisation.

Additionally, 86% of respondents agree that...

Better app security cannot start with tools

There is a common trope in science fiction movies where robots start to think for themselves and launch a war with humans for control of Earth.

These storylines come from a familiar place. We continue to see robots, machines, and technological tools replace many traditional jobs requiring a human touch. Many industries, such as manufacturing, rely heavily on these devices, with automation a growing threat to the workforce.

Technological tools remain critical to software...

PyPI maintainers warn of ongoing phishing attack

The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.

A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed:

The...

InAppBrowser tool reveals hidden JavaScript injections

A tool created by developer Felix Krause reveals hidden JavaScript injections through in-app browsers.

In-app browsers offer a convenient way for developers to let users browse specific websites without leaving their apps. However, they can be used to invade users’ privacy.

An app that hosts an in-app browser can inject JavaScript into every page it loads, and that script can collect data about users, including their taps on a webpage, their keyboard inputs, and more.

Armed with this data, a “digital...

PyPI package installs cryptominer on Linux systems

A malicious PyPI package was used to install a Monero cryptominer on Linux systems.

The package in question, secretslib, was pushed to the official third-party software repo for Python on 6th August 2022. The package was described as “secrets matching and verification made easy”.

Sonatype’s automated malware detection system flagged secretslib as potentially malicious. Further analysis proved its suspicions to be correct.

“The package covertly runs...

GitHub now sends Dependabot alerts for vulnerable Actions

GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.

GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.

When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted...