Here’s a supply-chain attack just waiting to happen. A group of researchers
searched for, and then registered, abandoned Amazon S3 buckets for about $400.
These buckets contained software libraries that are still in use. Presumably the
projects don’t realize that the buckets have been abandoned, and still ping them
for patches, updates, and so on.
> The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets
> that had previously been used across commercial and open source software
> products, governments, and infrastructure deployment/update pipelines—and then
> abandoned...
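A defender-side check for the scenario above, added here as an example (it is not code from the post or from the researchers): it pulls S3 bucket names out of a config or build script and marks any whose name no longer resolves to a registered bucket, which is exactly the dangling reference an attacker could register. The bucket names in the sample are constructed, and the live probe assumes the standard `s3.amazonaws.com` endpoints.

```python
# Audit configs/scripts for S3 bucket references and flag names that no longer exist.
import re
import urllib.error
import urllib.request

# Virtual-hosted, path-style and s3:// references; each pattern captures the bucket name.
_S3_REFS = [
    re.compile(r"https?://([a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]{3,63})"),
    re.compile(r"s3://([a-z0-9.-]{3,63})"),
]

def extract_buckets(text: str) -> set[str]:
    """Return every bucket name referenced in text."""
    return {m.group(1) for pat in _S3_REFS for m in pat.finditer(text)}

def classify_status(status: int) -> str:
    """Interpret the HTTP status of a HEAD request on the bucket's endpoint."""
    if status == 404:
        return "DANGLING"  # NoSuchBucket: the name is free for anyone to register
    if status in (200, 301, 307, 403):
        return "EXISTS"    # 403: exists but access denied; 301/307: exists in another region
    return "UNKNOWN"

def probe_bucket(name: str, timeout: float = 5.0) -> int:
    """Live check: HEAD https://<bucket>.s3.amazonaws.com/ and return the HTTP status."""
    req = urllib.request.Request(f"https://{name}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(text: str, probe=probe_bucket) -> dict[str, str]:
    """Map each referenced bucket to DANGLING / EXISTS / UNKNOWN using probe(name)."""
    return {name: classify_status(probe(name)) for name in sorted(extract_buckets(text))}

# Constructed sample config with hypothetical bucket names (not taken from the post).
SAMPLE = """\
UPDATE_URL=https://legacy-tool-releases.s3.amazonaws.com/latest.json
artifacts: s3://build-cache-2019/ci/
fallback: https://s3.us-east-1.amazonaws.com/old-installer-mirror/setup.sh
"""
# Offline stand-in for probe_bucket so the example runs without network access.
FAKE_STATUS = {"legacy-tool-releases": 404, "build-cache-2019": 403, "old-installer-mirror": 200}

if __name__ == "__main__":
    for bucket, finding in audit(SAMPLE, probe=FAKE_STATUS.__getitem__).items():
        print(f"{finding:8} {bucket}")  # use probe=probe_bucket for a live check
```

Run it over your own update and deploy configuration with `probe=probe_bucket`; any DANGLING result is a name your pipeline still trusts but nobody currently owns.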
Tag - supply chain
Last week, we saw a supply-chain attack against the Ultralytics AI library on
GitHub. A quick summary:
> On December 4, a malicious version 8.3.41 of the popular AI library
> ultralytics—which has almost 60 million downloads—was published to the
> Python Package Index (PyPI) package repository. The package contained
> downloader code that was downloading the XMRig coinminer. The compromise of
> the project’s build environment was achieved by exploiting a known and
> previously reported GitHub Actions script injection.
Lots more details at that link. Also ...