• March 21

  Julien Malka proposes method for detecting XZ-like backdoors [LWN.net]

  

  lwn.net

  Julien Malka has called for the NixOS project to use build-reproducibility to detect when a program...

  Julien Malka has called for the NixOS project to use build-reproducibility to detect when a program has a maintainer-generated tarball that results in a different artifact than building from source. There are good reasons for projects to release maintainer-generated tarballs, but since the materials included in them are usually documentation, extra build scripts, and so on, it makes sense to check that they don't...

  1

More like this (3)

• May 5

  Hundreds of E-Commerce Sites Hacked In Supply-Chain Attack - Slashdot

  

  slashdot.org

  An anonymous reader quotes a report from Ars Technica: Hundreds of e-commerce sites, at least one...

  An anonymous reader quotes a report from Ars Technica: Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday. The infections are the result of a supply-chain attack that compromised at least three...

  1
• April 14

  sanitizer-fun

  

  keithp.com

  Both GCC and Clang support the -fsanitize=undefined flag which instruments the generated code to detect places...

  Both GCC and Clang support the -fsanitize=undefined flag which instruments the generated code to detect places where the program wanders into parts of the C language specification which are either undefined or implementation defined. Many of these are also common programming errors. It would be great if there were s...

  2
• April 14

  New Vulnerability in GitHub Copilot, Cursor: Hackers Can Weaponize Code Agents

  

  pillar.security

  Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File...

  Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the...

  1