Since the beginning of 2023, Snyk has documented around 6800 malicious packages across PyPI and the npm registry, which requires little to no interaction, almost 860 of which were discovered by us.

Rubrik is a security company that specializes in cloud data management services. The company helps store and secure information for customers, and it's vital that it is able to keep that data safe. This is why hearing about a possible cyber-attack on the company is alarming. Rubrik was hit by the same GoAnywhere security vulnerability that dozens of other companies suffered from.

Once written off as a failed CMS incapable of generating a significant user base, Microsoft’s SharePoint has continually defied expectations to become one of the most widely-used ECM and Collaboration products ever. It caters to over 200 million users and 250,000 organizations, including 85% of Fortune 500 companies. SharePoint is a user-friendly intranet portal and provides a consolidated center for document sharing, tracking, and overall project management.

Penetration Testing (also known as pentesting or ethical hacking) is a simulation of an attack on a computer system, network, or web application to identify potential security vulnerabilities and gauge the effectiveness of existing security measures. These are typically performed by cybersecurity professionals with specialised knowledge and experience in identifying and exploiting system vulnerabilities.

As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861). Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.

Are you or your development team tired of using application security tools that generate countless results, making it difficult to identify which vulnerabilities pose actual risks? Do you struggle with inefficient or incorrect prioritization due to a lack of context? What adds insult to injury is that traditional CVSS scoring methods ignore critical details like software configurations and security mechanisms.

Cybersecurity is no longer the exclusive domain of computers, servers, and handheld devices. As wireless connectivity grows, it makes many daily activities more convenient, but it also means that cars may be vulnerable to cyberattacks. Connected, Autonomous, Shared and Electric vehicles are starting to dominate the auto market, but they often carry significant cybersecurity risks.

A new critical vulnerability impacting Microsoft Outlook (CVE-2023-23397) was recently published by Microsoft. The CVE is particularly concerning as no user involvement is required by the exploit. Once a user receives a malicious calendar invite, the attacker can gain a user’s Active Directory credentials. Microsoft has released a security update that can be found here. Cato Research strongly encourages updating all relevant systems as proof-of-concept exploits have already appeared online.

A now fixed zero-day elevation of privilege (EoP) vulnerability in Microsoft Outlook (CVE-2023-23397) allows attackers to send craft emails to exploit Outlook. The vulnerability does not require user interaction to be exploited and runs even before the email is visualized in the preview pane of Outlook, which makes this vulnerability even more dangerous.

The not-so-distant memories of security events like Log4Shell and the SolarWinds attack keep software supply chain attacks front of mind for developers. There are things organizations can do to detect and deter malicious supply chain attacks, including the recently mandated (as per the U.S. federal government) software bill of materials (SBOM).