Confusion between two similar npm commands, ‘npm adduser’ and ‘npm add user’, has led a significant number of developers to inadvertently install a package named ‘user’ from the registry. Because ‘npm add’ is an alias for ‘npm install’, the mistyped command does not create a registry account; it installs whatever package is published under the name ‘user’. That package is currently benign, but the pattern is a supply chain risk: if a future version were published with malicious code, every developer who made this common error and still carries the package in their dependencies would be exposed.
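The practical follow-up to the item above is to find out whether a project already picked up the ‘user’ package. The check below is an added example written for this article, not npm tooling: it parses a package.json and a lockfile v2/v3 package-lock.json and reports any dependency, direct or transitive, whose name is on a suspect list. Only the name ‘user’ comes from the article; the sample manifest, lockfile and version numbers are constructed for the demonstration.

```python
"""Added example: locate a package installed by a mistyped npm command.

Illustrative code for this article, not part of npm. Handles package.json and
package-lock.json with lockfileVersion 2 or 3 (lockfile v1 nests dependencies
differently and is not covered here).
"""
import json
import sys

# The article names only 'user' ('npm add user' vs 'npm adduser'); callers may
# pass their own set of easily mistyped names.
DEFAULT_SUSPECTS = frozenset({"user"})

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def suspect_deps_in_manifest(package_json_text, suspects=DEFAULT_SUSPECTS):
    """Return (field, name, version_spec) for suspect direct dependencies."""
    manifest = json.loads(package_json_text)
    hits = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if name in suspects:
                hits.append((field, name, spec))
    return hits


def suspect_deps_in_lockfile(package_lock_text, suspects=DEFAULT_SUSPECTS):
    """Return (node_modules_path, version) for suspect packages anywhere in the tree.

    Lockfile v2/v3 keys every installed package by its node_modules path, so a
    transitive copy such as node_modules/foo/node_modules/user is reported too.
    """
    lock = json.loads(package_lock_text)
    hits = []
    for path, info in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # Last path component after the final node_modules/ is the package name
        # (scoped names such as @scope/pkg survive because the split is on
        # "node_modules/", not on "/").
        name = path.rsplit("node_modules/", 1)[-1]
        if name in suspects:
            hits.append((path, info.get("version")))
    return hits


# Constructed sample inputs (not real project files); the 'user' version is made up.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"express": "^4.19.2", "user": "^0.0.1"},
  "devDependencies": {"jest": "^29.7.0"}
}"""

SAMPLE_PACKAGE_LOCK = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"express": "^4.19.2", "user": "^0.0.1"}},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/user": {"version": "0.0.1"},
    "node_modules/jest": {"version": "29.7.0", "dev": true}
  }
}"""


if __name__ == "__main__":
    # Usage: python check_user_pkg.py [package.json] [package-lock.json]
    # With no arguments the constructed samples are scanned.
    if len(sys.argv) == 3:
        manifest_text = open(sys.argv[1], encoding="utf-8").read()
        lock_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        manifest_text, lock_text = SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK
    for hit in suspect_deps_in_manifest(manifest_text):
        print("package.json:", *hit)
    for hit in suspect_deps_in_lockfile(lock_text):
        print("package-lock.json:", *hit)
```

Scanning the lockfile rather than only package.json matters because a developer may have removed the stray line from the manifest by hand while the installed copy and its lock entry remain; ‘npm ls user’ gives the same answer for a checked-out tree, but the lockfile scan works in CI without running npm.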
Researchers have identified critical BIOS/UEFI vulnerabilities in the Illumina iSeq 100 DNA sequencer. The instrument ships with an outdated BIOS running in CSM (legacy compatibility) mode, with Secure Boot disabled and the standard firmware write protections not enabled. An attacker who has already gained access to the operating system can therefore rewrite the firmware, either bricking the device or installing a persistent firmware implant that survives reinstallation of the OS. The findings point to a supply chain problem: the sequencer is built on commodity PC hardware with firmware that was never hardened or updated, so weaknesses long since addressed in mainstream PCs reappear in a lab instrument. They also underline the need for strict configuration management and firmware integrity checking on devices that handle genomic data, and show that equipment outside the traditional IT sector is just as exposed to firmware attacks.
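To turn the three weaknesses named above (no Secure Boot, no write protection, no integrity baseline) into something a lab can actually test, here is an added example written for this article, not Illumina's or the researchers' tooling. It assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars (the article does not state which OS the iSeq 100 runs), an Intel PCH whose BIOS_CNTL register has the usual BIOSWE/BLE/SMM_BWP bit layout and is read with an external tool such as chipsec, and a SHA-256 of a known-good SPI flash dump as the baseline. All sample inputs are constructed.

```python
"""Added example: a firmware posture check for a lab instrument.

Illustrative code for this article. Assumptions (not from the article):
  - Linux efivarfs at EFIVARS_DIR exposes SecureBoot and SetupMode;
  - BIOS_CNTL follows the Intel PCH layout (LPC device, offset 0xDC) and has
    already been read, e.g. with chipsec, and is passed in as an integer;
  - a known-good SHA-256 of the SPI flash image is available as a baseline.
"""
import hashlib
import struct

# EFI_GLOBAL_VARIABLE GUID; file name on efivarfs is "<Name>-<GUID>".
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # assumed mount point

# Intel PCH BIOS_CNTL bits.
BIOSWE = 1 << 0   # BIOS Write Enable: BIOS region writable when set
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI that can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only from SMM


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Read one efivarfs file (needs a live UEFI Linux host; not used by the samples)."""
    with open(f"{EFIVARS_DIR}/{name}-{guid}", "rb") as fh:
        return fh.read()


def parse_efivar(blob):
    """efivarfs files start with a 4-byte little-endian attribute word, then data."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    attrs, = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def secure_boot_enforced(secure_boot_blob, setup_mode_blob):
    """True only when SecureBoot==1 and SetupMode==0.

    SecureBoot=1 together with SetupMode=1 means no Platform Key is enrolled,
    so signature checks are not actually enforced; both variables are needed.
    """
    _, sb = parse_efivar(secure_boot_blob)
    _, sm = parse_efivar(setup_mode_blob)
    return bool(sb and sb[0] == 1) and bool(sm and sm[0] == 0)


def bios_write_protection(bios_cntl):
    """Decode BIOS_CNTL. 'locked' mirrors the BLE-set-and-BIOSWE-clear condition
    that tools such as chipsec treat as the baseline BIOS region write lock."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    return {"locked": ble and not bioswe, "smm_bwp": smm_bwp, "bioswe": bioswe}


def firmware_matches_baseline(image, baseline_sha256):
    """Compare a dumped SPI flash image against a known-good digest."""
    return hashlib.sha256(image).hexdigest() == baseline_sha256.lower()


def posture_report(secure_boot_blob, setup_mode_blob, bios_cntl, image, baseline):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if not secure_boot_enforced(secure_boot_blob, setup_mode_blob):
        findings.append("Secure Boot not enforced (disabled or platform in SetupMode)")
    wp = bios_write_protection(bios_cntl)
    if not wp["locked"]:
        findings.append("BIOS region writable from the OS (BLE clear or BIOSWE set)")
    elif not wp["smm_bwp"]:
        findings.append("SMM_BWP clear: BLE alone is a weaker write lock")
    if not firmware_matches_baseline(image, baseline):
        findings.append("SPI flash image does not match the known-good baseline")
    return findings


# Constructed samples. Attribute word 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
SAMPLE_SECURE_BOOT_OFF = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_SECURE_BOOT_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SETUP_MODE_OFF = struct.pack("<I", 0x6) + b"\x00"   # PK enrolled, user mode
SAMPLE_SETUP_MODE_ON = struct.pack("<I", 0x6) + b"\x01"    # no PK enrolled
SAMPLE_IMAGE = b"\xff" * 64 + b"constructed SPI flash image, not a real dump"
SAMPLE_BASELINE = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    # A host configured like the article describes: Secure Boot off, no write lock.
    for f in posture_report(SAMPLE_SECURE_BOOT_OFF, SAMPLE_SETUP_MODE_OFF,
                            0x00, SAMPLE_IMAGE + b"!", SAMPLE_BASELINE):
        print("FINDING:", f)
```

The Secure Boot check deliberately reads SetupMode as well, because a device that reports SecureBoot=1 with no Platform Key enrolled looks compliant in a naive inventory while enforcing nothing; the write-protection decode and the baseline hash are the two checks that would have flagged the instrument's firmware as both overwritable and unverified.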
Multiple reports highlight the growing role of large language models (LLMs) in supply chain attacks. Attackers are increasingly using stolen credentials to gain access to existing LLM services, jailbreaking them to produce spear phishing and social engineering material at scale. This development raises the risk for organizations that rely on software and services delivered through their supply chain, and new security measures are needed to mitigate it.