We’re delighted to announce our recent achievement of Premier tier status in HashiCorp’s partner ecosystem – a significant milestone in helping our mutual customers automate security and compliance as part of the cloud journey, and more effectively manage risk by shifting security left, securing the software supply …
Application security teams are challenged today with the need for a centralized view of exposure to security issues like Log4j and Spring4Shell. But an exploding set of artifacts and security tools makes it prohibitively difficult to secure the development life cycle. A universal scanner drastically reduces this …
Software supply chain attacks have an enormous blast radius and affect multiple targets by compromising a single, shared resource. And these types of attacks are on the rise: Aqua research showed an increase of 300% year-over-year.
The Center for Internet Security (CIS) has recently released the Software Supply Chain Security Guide, a set of practical, community-developed best practices for securing software delivery pipelines. As an initiator and one of the main contributors to this comprehensive and much-needed guidance, we at Aqua aim to help …
Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability to escalate their privileges and establish persistence in a target …
In its recent Innovation Insight for SBOMs report,* Gartner highlights the benefits of using software bills of materials (SBOMs) to secure modern, fast-paced DevOps pipelines. SBOMs shed light on blind spots in the software supply chain by enumerating all proprietary and open source components and enable the effective …
![Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?](https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/04-22-Package-Planting-npm-blog-image.jpg?height=205&name=04-22-Package-Planting-npm-blog-image.jpg)
Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent. Since you …
Trivy is an easy-to-use, comprehensive open source scanner that helps developers gain visibility into the software components used in their applications. With the growing awareness about supply chain security, software bills of materials (SBOMs) have become the standard for creating software inventory lists. To …
For the past few years, cybercriminals have been hijacking popular npm packages by taking over maintainers’ accounts. As part of our research at Team Nautilus, we discovered two flaws in the npm platform related to two-factor authentication (2FA). An attacker can use these flaws to target npm packages for account …
As CI/CD pipelines have become an increasingly popular attack vector, 2021 saw a huge rise in software supply chain attacks. With their number more than tripling in the past year, securing the software delivery process is one of the most urgent needs. In our latest study, we examine the top supply chain security …