Ami Luttwak of Wiz discusses how AI is transforming cyberattacks by expanding the attack surface and enabling attackers to use AI tools for exploits, and highlights the importance of building security in from the start at startups. The rapid integration of AI into enterprise workflows and security tools presents new challenges and opportunities in cybersecurity, emphasizing the need for faster industry responses and secure architecture design.
Over 15,000 Go module repositories on GitHub are vulnerable to repojacking, an attack technique that takes advantage of account username changes and deletions to create repositories with the same name and stage open-source software supply chain attacks. These repositories account for at least 800,000 Go module-versions. Go modules are particularly susceptible to repojacking because module paths resolve directly to the hosting repository rather than to a central registry. GitHub has implemented countermeasures, but they are not effective for Go modules. The responsibility to mitigate repojacking lies with Go or GitHub, and in the meantime, Go developers are advised to be cautious about the modules they use. Additionally, 1,681 exposed API tokens on Hugging Face and GitHub have been discovered, potentially enabling supply chain attacks, training data poisoning, and model theft.
Researchers at Lasso Security discovered over 1,500 exposed API tokens on the Hugging Face platform, including tokens belonging to Meta, Microsoft, Google, VMware, and others. These exposed tokens granted write permissions, allowing potential attackers to modify files in account repositories. The researchers were able to gain access to 723 organizations' accounts, including those of Meta, EleutherAI, and BigScience Workshop. If exploited, these tokens could have led to data theft, poisoning of training data, and model theft, impacting over 1 million users. The exposed tokens have since been revoked and the vulnerabilities closed.
The popular Rust (de)serialization project, Serde, has faced pushback from developers after deciding to ship its serde_derive macro as a precompiled binary. Concerns have been raised about the legal and technical implications, as well as the potential for supply chain attacks if the maintainer's account is compromised. Some developers have requested that precompiled binaries be kept optional and separate from the original crate, while others have likened the move to a controversial code change in the Moq .NET project. The decision has sparked a debate about the security risks and the need for an opt-out option.
Google has introduced a new security measure called Pixel Binary Transparency for Pixel phones, allowing users to verify that their devices are running official, untampered factory images. This helps protect against supply chain attacks that could compromise user data. The feature utilizes a public cryptographic log and Merkle tree to provide mathematical proof of the authenticity of the device's software. Google plans to expand this security measure to include checks for other executed code on the device in the future.