FlagThis

Researchers have identified critical BIOS/UEFI vulnerabilities in the Illumina iSeq 100 DNA gene sequencer. The device uses an outdated BIOS implementation with CSM mode enabled, lacking Secure Boot and standard firmware write protections. This allows attackers with system access to overwrite the firmware, potentially bricking the device or installing a persistent firmware implant. The vulnerabilities highlight significant supply chain security risks due to the re-use of commodity hardware and outdated firmware. This issue also underscores the need for stringent configuration management and integrity checking for devices handling genomic data. This shows that even devices in a non-traditional tech sector are vulnerable to attack.

A new feature called digital attestations has been released on PyPI, the Python Package Index, to bolster supply chain security for Python packages. These attestations essentially function as digital signatures, cryptographically linking packages published on PyPI to the specific source code used for their creation, thus offering stronger assurance that packages downloaded from PyPI haven’t been tampered with or injected with malicious code. This feature utilizes a mechanism that proves a trustworthy build system was used to generate and publish the package, starting with its source code on GitHub. This development significantly enhances the reliability and trust in Python package distribution by providing concrete evidence of package origin and authenticity, mitigating risks associated with malware injection or tampering within the Python ecosystem. While this feature is already available to those using the PyPI Trusted Publishers mechanism in GitHub Actions, a new API has been introduced for consumers and installers to verify published attestations, allowing for broader adoption and increased confidence in package provenance across the Python community.