A self-replicating worm that hijacks GitHub Actions pipelines to publish malicious npm packages has struck again, compromising AntV, echarts-for-react, and Microsoft’s durabletask SDK. Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads The Mini Shai-Hulud campaign, attributed to the threat group Team PCP, does not work the way most supply chain attacks do […]
Many years ago, Microsoft created a handy hub for its Office suite: type office.com into your browser, and you’d see a web page where you could launch the various Office apps — Word, Excel, PowerPoint, and so on — or access recently used documents in those apps. This hub’s appearance changed a bit over time as the Office suite was rebranded as Office 365 and then Microsoft 365, but it still served as a launch pad for your M365 files and apps.
Now, however, Microsoft has deeply integrated its Copilot generative AI assistant throughout Microsoft 365, and the hub has been transformed. Currently called the M365 Copilot app, the page puts the Copilot Chat interface front and center. You can still get to your M365 files or apps by clicking Search or Apps in the sidebar on the left, but the main purpose of the hub these days is to let you chat with Copilot.
The old Microsoft Office hub has been taken over by Copilot Chat.
Howard Wen / Foundry
With the rollout of new Word, Excel, and Pow
Firefox chief Ajit Varma explains how Mozilla is betting on privacy, optional AI tools, and its nonprofit structure to compete against browsers from Google, Apple, and Microsoft.
Sprouts.ai, a US-based artificial intelligence startup founded in 2023, has secured $9 million in pre-Series A funding led by True Global Ventures and Accel, bringing its total raised to $14 million. The company builds AI-powered Revenue Agents that autonomously handle B2B sales tasks — including prospecting, contact enrichment, and multi-channel outreach — integrating with platforms such as Salesforce, Microsoft […]
GitHub has confirmed that thousands of its internal repositories were accessed without authorization, prompting fresh warnings from Binance founder Changpeng “CZ” Zhao for crypto developers to immediately rotate API keys stored in code repositories. According to a statement published by…
The world’s largest open-source registry, node package manager (npm), has been hit by another fast-moving malware attack, this time targeting the widely-used AntV enterprise data visualization tool.
Unlike last week’s high-profile npm attack on TanStack, which exploited a complex GitHub Actions cache poisoning weakness, the latest incident early on May 19 took the more conventional route of compromising the credentials of a high-value npm maintainer account.
According to analysis by SafeDep, the account in question, atool (i@hust.cc), which publishes the timeago.js JavaScript library, had rights to a large catalog of packages, including popular tools such as size-sensor (4.2 million downloads per month), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million).
This privilege level allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. This resulted in the compromise of a big chunk
This incident underscores the critical need for robust security practices in managing cloud credentials, highlighting potential supply chain vulnerabilities.
The post CISA exposed plaintext passwords and cloud keys on GitHub for six months appeared first on Crypto Briefing.
Faced with the growing volume of submission to its bug bounty program, GitHub is replacing cash bounties with swag rewards for reports with low security impact — and asking researchers to stop submitting reports that are low quality or about things that aren’t its fault.
The cloud-based code repository platform has seen a sharp increase in submissions that don’t demonstrate real security impact over the past year due to newer tools such as generative AI.
“Not every valid submission represents a meaningful security risk. Some reports identify hardening opportunities or documentation gaps,” Jarom Brown, a senior security researcher at GitHub, wrote in a blog post.
On top of that, he said, many of the reports GitHub receives describe out-of-scope scenarios in which someone experiences an “undesirable” outcome after interacting with malicious content in GitHub.
“These reports are often well-written and technically accurate in their observations, but they misunderstand where the security bo
