Hacker News with Generative AI: Software Security

Remote Prompt Injection in Gitlab Duo Leads to Source Code Theft (legitsecurity.com)
A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses. GitLab patched the issue, and we’ll walk you through the full attack chain — which demonstrates five vulnerabilities from the 2025 OWASP Top 10 for LLMs.

Cybersecurity, GitLab, Software Security

214 points by chillax 36 days ago | 54 comments

Destructive malware available in NPM repo went unnoticed for 2 years (arstechnica.com)
Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.

Cybersecurity, Malware, Open Source, Software Security

7 points by jaredwiener 36 days ago | 0 comments

Demonstrably Secure Software Supply Chains with Nix (nixcademy.com)
Maintaining secure software development environments, especially those that require high levels of integrity guarantees, often comes with significant overhead.

Software Security, Nix, DevOps

118 points by todsacerdoti 46 days ago | 76 comments

Backdoor found in popular ecommerce components (sansec.io)
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.

Cybersecurity, E-commerce, Software Security, Vulnerabilities

45 points by mooreds 47 days ago | 6 comments

AI-generated code could be a disaster for the software supply chain (arstechnica.com)
AI-generated computer code is rife with references to non-existent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows.

Artificial Intelligence, Software Security, Cybersecurity, Supply Chain, Software Development

7 points by kiyanwang 47 days ago | 0 comments

The Path to Memory Safety Is Inevitable (hardenedlinux.org)
In recent years, memory safety has become a hot topic. However, when discussing “memory safety,” it is important to first clarify what exactly is being addressed and what the goals are.

Memory Safety, Programming, Software Security, Operating Systems

6 points by hardenedlinux 51 days ago | 0 comments

Wget to Wipeout: Malicious Go Modules Fetch Destructive Payload (socket.dev)
A single line of obfuscated Go code wiped entire disks clean. Could your project be next?

Cybersecurity, Go Programming, Software Security, Malicious Code

10 points by feross 57 days ago | 0 comments

Does using Rust make your software safer? (tweedegolf.nl)
We keep saying that Rust is how we make software safer. In this blog, we'll tackle a real-world vulnerability, 'rewrite it in Rust', and show you the results of our empirical research, both as a high-level overview and a tech deep-dive.

Rust, Software Security, Empirical Research, Programming Languages

19 points by folkertdev 65 days ago | 6 comments

CISA's Secure by Design initiative in limbo after key leaders resign (cybersecuritydive.com)
The future of the federal government’s software-security advocacy campaign is in doubt following the departure of the two Cybersecurity and Infrastructure Security Agency officials who oversaw the program.

Cybersecurity, Government, Software Security, Leadership

6 points by johnshades 66 days ago | 0 comments

CVE program faces swift end after DHS fails to renew contract [updated] (csoonline.com)
In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.

Cybersecurity, Government, Software Security, Non-profit Organizations

1934 points by healsdata 73 days ago | 1094 comments

New Vulnerability in GitHub Copilot, Cursor: Hackers Can Weaponize Code Agents (pillar.security)
Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.

Cybersecurity, Software Security, AI, GitHub Copilot

233 points by pseudolus 75 days ago | 135 comments

AI can't stop making up software dependencies and sabotaging everything (theregister.com)
The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process.

Artificial Intelligence, Software Development, Software Security, Cybersecurity

189 points by cmsefton 76 days ago | 170 comments

Delivering Malware Through Abandoned Amazon S3 Buckets (schneier.com)
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.

Cybersecurity, Software Security

14 points by mhb 135 days ago | 10 comments

Nvidia Security Team: “What if we just stopped using C?” (2022) (adacore.com)
Today I want to share a great story about why many NVIDIA products are now running formally verified SPARK code. This blog post is in part a teaser for the case study that NVIDIA and AdaCore published today.

Software Security, Programming Languages, Formal Verification, Case Studies

306 points by transpute 138 days ago | 179 comments

Data-Oriented Exploits via Programming Language Synthesis [pdf] (ilyasergey.net)

Cybersecurity, Software Security, Programming Languages, Exploits

36 points by matt_d 146 days ago | 1 comments

Sigstore: Making sure your software is what it claims to be (sigstore.dev)
Loading...

Software Security, Code Signing, Open Source, Trust, Digital Signatures

119 points by saikatsg 157 days ago | 45 comments

Snyk Security Labs Testing Update: Cursor.com AI Code Editor (snyk.io)
Snyk’s Security Labs team aims to find and help mitigate vulnerabilities in software used by developers around the world, with an overarching goal to improve the state of software security.

Software Security, Code Editors, AI, Testing, Security Research

6 points by ksbrooksjr 164 days ago | 1 comments

Syzygy: Dual Code-Test C to Rust Translation Using LLMs and Dynamic Analysis (arxiv.org)
Despite extensive usage in high-performance, low-level systems programming applications, C is susceptible to vulnerabilities due to manual memory management and unsafe pointer operations.

Rust, C, Programming Languages, Software Security, AI

7 points by belter 179 days ago | 2 comments

OpenOffice security issues unfixed in over 365 days, security status Amber (apache.org)
This was extracted (@ 2024-12-18 21:10) from a list of minutes which have been approved by the Board. Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Cybersecurity, Apache, Software Security, Vulnerability

8 points by mksaunders2 183 days ago | 3 comments

Yearlong supply-chain attack targeting security pros steals 390K credentials (arstechnica.com)
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.

Cybersecurity, Data Breaches, Software Security

36 points by rntn 196 days ago | 4 comments

Fault Injection – Down the Rabbit Hole (humanativaspa.it)
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.

Cybersecurity, Software Security, Fault Injection, Attack Techniques

69 points by voxadam 226 days ago | 4 comments

Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)

Web Security, Browser Extensions, Software Security, Malware

14 points by josephcsible 229 days ago | 0 comments

Bad software keeps cyber security companies in business (dogesec.com)
Despite countless frameworks, best practices, blog posts… so many developers still hardcode credentials into their code.

Cybersecurity, Software Development, Software Security

38 points by aquastorm 235 days ago | 12 comments

Google: 70% of exploited flaws disclosed in 2023 were zero-days (bleepingcomputer.com)
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.

Cybersecurity, Zero-Day Vulnerabilities, Google, Software Security, Threat Intelligence

8 points by thepuppet33r 254 days ago | 0 comments

A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs (arxiv.org)
The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations.

Generative AI, Software Security, Programming Languages, Code Generation

31 points by rntn 270 days ago | 9 comments

PC Floppy Copy Protection: Vault Prolok (blogspot.com)
This is Part 4 of a series on PC floppy copy protection methods. You can read the previous parts here:

Retro Computing, Hardware, History, Software Security, Copy Protection

63 points by GloriousCow 271 days ago | 8 comments

Unsafe Impedance: Safe Languages and Safe by Design Software (arxiv.org)
In December 2023, security agencies from five countries in North America, Europe, and the south Pacific produced a document encouraging senior executives in all software producing organizations to take responsibility for and oversight of the security of the software their organizations produce.

Software Security, Programming Languages, Software Engineering, Government Regulations

7 points by dan353hehe 274 days ago | 1 comments

Eliminating Memory Safety Vulnerabilities at the Source (googleblog.com)
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning to memory-safe languages.

Software Security, Memory Safety, Programming Languages

330 points by coffeeaddict1 275 days ago | 190 comments

Malware Developers Increasingly Use V8 JavaScript for Evasion (cyberinsider.com)

Cybersecurity, Malware, JavaScript, Software Security

4 points by thunderbong 353 days ago | 0 comments

Ampere: Making Future Software Memory-Safe, a Path Towards Secure Cloud (amperecomputing.com)

Software Security, Cloud Computing, Memory Safety, Hardware

4 points by pjmlp 356 days ago | 0 comments