A new malicious package has been detected on the Node Package Manager (npm) repository that poses a significant threat to users who may unknowingly install it. Named ‘Vibranced,’ the package has been carefully crafted to mimic the popular ‘colors’ package, which has over 20 million weekly downloads.
Today’s attackers aren’t just exploiting vulnerabilities — research from Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities illustrates the growing threat of malicious packages. According to the report, the number of malicious packages published to npm and rubygems alone grew 315 percent from 2021 to 2022.
The Food and Drug Administration (FDA) recently implemented new guidance regarding medical device cybersecurity. It’s not a moment too soon, as new cases arise in which healthcare technology is compromised by vulnerabilities that escalate risks, which could threaten patients’ lives. In a recent survey, over 20% of healthcare organizations said that after a cyberattack, their patient mortality rates had risen, and another 57% reported that cyberattacks led to poorer outcomes for patients.
Two new sets of regulations introduced by the European Union (EU) indicate that the public sector is taking increased interest in improving cybersecurity and resilience. The EU is introducing the Digital Operational Resilience Act (DORA) for financial institutions and the Cyber Resilience Act (CRA) for software and hardware providers, both designed to enforce software security and secure delivery of services.
If your application development environment is like most, you’re using more code and you’ve accelerated the development of applications and software. That’s great for productivity, but it presents a big challenge for security, as your developers come under increasing pressure to ship code quickly — while also ensuring that their code is secure. They need to find a sweet spot between speed and security, and scanning at the repository level is the way to go. Here’s why.
“Well, yeah, I can give the devs a new security tool, but I can’t make them use it.” I was mid-way through dinner with an old college friend when he dropped this into the conversation. I’d told him I wanted to pick his brain about security issues and tools, but told him no matter what, I wouldn’t start to deliver a pitch. Well, I kept my promise, but I think I must have given my tongue a bruise from biting it.
Everybody’s doing it: shifting applications to the cloud. More flexibility. More storage. More scalability. But how does this affect application security? What challenges does it present?
The business impact of critical open source vulnerabilities such as Spring4Shell and Log4j illustrate the crucial importance of detecting remediating such vulnerabilities as fast as possible, This is particularly important for the financial technology, which handles vast volumes of sensitive financial data for investors. That was certainly the case for MSCI, who deployed Mend to speedily thwart any potential threats posed by Spring4Shell.
