#NPM: Two malicious packages were discovered on npm (#NodeJS package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor:
#SoftwareSupplyChainSecurity
https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/
Any experienced C developers among my followers? #BoostsWelcome.
Expat, arguably the world's most popular #XML parser, is understaffed and without funding. As #xz has shown, situations like this are dangerous.
Last month, maintainer Sebastian Pipping put up a plea for help at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes
(I would help myself, but my C skills barely surpass "Hello, World".)
Found via @timbray - https://cosocial.ca/@timbray/112203547801373427
#libexpat
#SoftwareSupplyChainSecurity #OpenSource #OpenSourceMaintainer
#C
Anyone have a copy of the compromised xz source code for analysis purposes? #security #SoftwareSupplyChainSecurity #softwareengineering
Up next in my SBOM Skills series: 99% of the news is not on the front page! What are you missing by not tracking your "Below the Fold" SBOMs?
How and why you should find and manage the containers, infrastructure and middleware pieces that most SBOMs are missing.
Read more here:
https://zebracatzebra.com/sbom-skills/the-importance-of-below-the-fold-sboms/ #oss #opensource #softwaresupplychainsecurity #sbom
What lessons can we learn from 20 years of managing invisible cut and pastes of Open Source code and how can we apply them to managing code generated by AI tools?
https://zebracatzebra.com/oss/what-20-years-of-stolen-snippets-teaches-about-managing-ai-generated-code/ #ai #sbom #softwaresupplychainsecurity #opensource