Dependabot now supports vcpkg! 🎉 That means your C++ projects can automatically keep dependencies up to date, spot vulnerabilities, and reduce manual package management. With seamless PRs for updates and security fixes, you get safer, faster builds—no more dependency headaches. Learn more about it in this C++ Blog: https://msft.it/6048sesTM #cpp #DevOps
Dependabot supports vcpkg for C++ projects
-
Day 16 of #100DaysOfTryHackMe
Explored the OWASP API Security Top 10 (Part 2) room in TryHackMe today — a deep dive into how modern APIs can be exploited and how to defend them.
Key takeaways:
- Understanding Mass Assignment and Security Misconfigurations
- Strengthening API monitoring and logging
- Building a security-first mindset in API design
Every challenge reinforces the importance of secure architecture and continuous learning in cybersecurity.
#TryHackMe #CyberSecurity #APISecurity #LearningInPublic #InfoSec
-
Recent waves of package compromises and GitHub mention scams show the same pattern. Attackers aim for your attention and your CI at the same time.
Quick hardening checklist:
1) Keep your lockfile clean and only allow publishing packages through CI
2) Monitor critical dependencies for owner or behavior changes
3) Enforce 2FA and provenance on package publishing
4) Treat unsolicited repo mentions and “issue” links as phishing
5) Use automated secret scanning on commits and build logs
Security is a product capability. It protects your users and your roadmap. Start with the parts that break quietly.
#Security #SupplyChain #OpenSource #DevOps #AppSec https://lnkd.in/eJX-KpqE
-
Recent npm supply-chain hacks are a reminder: your npm install is only as safe as the last maintainer’s 2FA.
✅ Lock dependencies (npm ci + commit lockfile)
✅ Disable install scripts in CI (--ignore-scripts)
✅ Enforce 2FA & least-privilege tokens
✅ Review diffs before bumping packages
Don’t let “silent” package updates ship malware to prod. Harden your pipeline now.
#DevSecOps #npm #SupplyChainSecurity #DevOps
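The first two checklist items in the post above (a committed lockfile, and install scripts disabled in CI) can be enforced rather than just recommended. The script below is an added example, not code from the post or from npm; it is a preflight gate a CI job runs before `npm ci`, and the project directory layout, the `.npmrc` location and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: a preflight gate for the npm
# install step of a CI job. It fails closed unless a committed lockfile is
# present and lifecycle scripts are disabled, then emits the exact install
# command to run. Directory layout and file names are assumptions.

# Return 0 when DIR is ready for a hardened install; otherwise print the
# reason to stderr and return a distinct non-zero code per failure.
npm_install_preflight() {
  dir="$1"
  if [ ! -f "$dir/package.json" ]; then
    echo "preflight: no package.json in $dir" >&2
    return 2
  fi
  # npm ci installs exactly what the lockfile pins and errors out if
  # package.json disagrees with it, which is what stops silent upgrades.
  if [ ! -f "$dir/package-lock.json" ] && [ ! -f "$dir/npm-shrinkwrap.json" ]; then
    echo "preflight: no committed lockfile (package-lock.json or npm-shrinkwrap.json)" >&2
    return 3
  fi
  # preinstall/postinstall hooks are the usual vehicle for a malicious
  # package; require them to be off for everyone via the project .npmrc.
  if ! grep -qs '^ignore-scripts[[:space:]]*=[[:space:]]*true' "$dir/.npmrc"; then
    echo "preflight: $dir/.npmrc does not set ignore-scripts=true" >&2
    return 4
  fi
  return 0
}

# The install command CI should run once preflight passes. --ignore-scripts
# is repeated on the command line so the gate holds even if .npmrc changes.
hardened_install_cmd() {
  echo "npm ci --ignore-scripts"
}

# Stand-alone use: sh npm_guard.sh <project-dir>   (assumed script name)
if [ -n "${1:-}" ]; then
  npm_install_preflight "$1" && (cd "$1" && $(hardened_install_cmd))
fi
```

Each failure returns its own exit code so a pipeline can distinguish "no lockfile" from "scripts still enabled" in its logs; packages that genuinely need a build step are then handled explicitly (for example with a separate, reviewed `npm rebuild` of that one package) instead of by re-enabling scripts globally.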
-
4 x VULNERABILITY ALERTS
Jenkins has released critical updates addressing four security flaws that unauthenticated and low-privileged attackers could exploit to disrupt service or glean sensitive configuration details. Information for these vulnerabilities, including fixes, can be found at SecAlerts:
CVE-2025-5115, CVSS 7.7: https://lnkd.in/gjJrMCSa
CVE-2025-59474, CVSS 5.3: https://lnkd.in/gBNSYVMD
CVE-2025-59475, CVSS 4.3: https://lnkd.in/gE-ZPbZv
CVE-2025-59476, CVSS 5.3: https://lnkd.in/gthYST-7
#ciso #cio #cto #vulnerabilities #cybersecurity #secalerts #jenkins #CVE20255115 #CVE202559474 #CVE202559475 #CVE202559476 https://lnkd.in/gJ5xXE-T
-
🚨 Software supply chain attacks are on the rise. Just this week, cybersecurity researchers flagged a fresh npm registry attack affecting more than 40 packages. The compromised versions included malicious code that could automatically trojanize downstream packages — putting countless developers and organizations at risk.
This is yet another reminder that detecting vulnerabilities, malware, and secrets early in development is no longer optional.
👉 For our Trend Micro customers, we recommend using the TMAS (Trend Micro Artifact Scanner) GitHub Action for Code Security and Container Security to strengthen your software supply chain.
🔍 What it delivers:
✅ Continuous visibility from code creation to cloud deployment
✅ Faster deployment of TMAS in GitHub CI/CD
✅ Automated scans of repositories and build artifacts
✅ Results directly in PR comments — simple, clear, and actionable
✅ Policy enforcement via Code Security for stronger guardrails
Check it out here:
Trend Micro TMAS GitHub Action: https://lnkd.in/gNy4weFX
Code Security: https://lnkd.in/gR2F4qwM
What We Know About the NPM Supply Chain Attack and IoCs: https://lnkd.in/gMPV5_9B
Now more than ever, security must be built into the development lifecycle.
#DevSecOps #GitHubActions #SoftwareSupplyChainSecurity #ApplicationSecurity #TrendMicro #npm #ioc
-
Zero Trust has never been this important. Supply chain attacks are leveraging developers' laptops as well as repositories. Continuous monitoring across different attack vectors has never been as critical as it is today! #CodeSecurity #XDR #CNAPP #ShiftLeft
Reposted from: Director @ Trend Micro | Cyber Risk & Cybersecurity Strategist, LATAM | Creator of Cybersecurity Compass & CROC | Public Speaker
-
Secure Your Codebase: The Importance of Git Commit Signing

As a Head of Department, you're responsible for the integrity and security of your team's work. A simple but powerful tool for maintaining this integrity is Git commit signing. I have been managing its adoption into organisations for almost a decade.

Unsigned commits can be a security risk. They can be spoofed, meaning a malicious actor could push code under someone else's name. This creates a false sense of trust and makes it difficult to track who actually contributed what.

By signing commits with a cryptographic key (GPG or SSH), you can verify the author's identity and ensure the code hasn't been tampered with since the commit was made. It's a digital signature for your code.

Why should this matter to you?
1. Auditability & Compliance: Signed commits provide a verifiable trail of who authored code, which is crucial for internal audits and compliance with industry standards.
2. Trust & Security: It builds confidence in the integrity of your codebase, preventing unauthorised code injections and protecting against impersonation.
3. Accountability: It holds developers accountable for their contributions, as their identity is cryptographically linked to their work.

Encourage your teams to adopt this practice. It's a small change with a significant impact on security and trust. It's not about micromanagement; it's about building a robust and secure foundation for your software.
How are you ensuring the integrity of your codebase? Share your thoughts below.
#DevSecOps #CyberSecurity #SoftwareDevelopment #GPG #SSH #CodeIntegrity
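Signing only pays off when something actually verifies the signatures, so the adoption the post describes usually ends with a CI gate. The script below is an added example, not code from the post: one function applies the git configuration for SSH-based signing, the other checks every commit in a push range and fails the job if any signature is missing or not trusted. The key path, the `allowed_signers` location and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: a CI gate that rejects a push when
# any commit in the range lacks a good signature, plus the one-time git
# configuration for SSH commit signing. It relies on git log's %G?
# placeholder, which reports per-commit signature status: G = good and
# trusted, U = good but untrusted key, N = no signature, B = bad,
# E = cannot be checked, X/Y/R = expired or revoked key. Key and
# allowed_signers paths are assumptions for the illustration.

# One-time developer (or runner) setup for SSH-based signing.
configure_ssh_signing() {
  key="${1:-$HOME/.ssh/id_ed25519.pub}"        # assumed key location
  git config --global gpg.format ssh
  git config --global user.signingkey "$key"
  git config --global commit.gpgsign true
  # Verification maps principals to public keys; the CI runner needs the
  # same file, otherwise every status comes back as E (cannot check).
  git config --global gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"
}

# Verify every commit in RANGE (e.g. origin/main..HEAD). Returns 0 only when
# each commit's status is G; set ACCEPT_UNTRUSTED=1 to also accept U.
# Returns 2 for an unresolvable range so a typo cannot pass as "all good".
require_signed_commits() {
  range="$1"
  count=$(git rev-list --count "$range" 2>/dev/null) || return 2
  allowed="G"
  if [ "${ACCEPT_UNTRUSTED:-0}" = "1" ]; then allowed="G U"; fi
  rejected=$(git log --format='%H %G?' "$range" | while read -r hash status; do
    case " $allowed " in
      *" $status "*) ;;                 # acceptable signature
      *) echo "$hash $status" ;;        # report hash and status letter
    esac
  done)
  if [ -n "$rejected" ]; then
    echo "signed-commit gate: $count commit(s) checked, rejected:" >&2
    echo "$rejected" >&2
    return 1
  fi
  echo "signed-commit gate: $count commit(s) verified" >&2
  return 0
}

# Typical pipeline step (uncomment in CI): fail the job on any rejection.
# require_signed_commits "origin/main..HEAD" || exit 1
```

The status letter is printed next to each rejected hash so a reviewer can tell "never signed" (N) from "signed with a key the runner does not trust" (U) or "signature could not be checked" (E); the last case usually means the runner's `allowed_signers` or GPG keyring is out of date rather than a developer problem.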
-
Here’s a practical playbook you can share (or even use for your clients) to defend against the Shai-Hulud malware and npm supply-chain threats:

🔑 Recommended Practices
1. Dependency Hygiene
- Regularly run npm audit or yarn audit and patch quickly.
- Lock dependencies with package-lock.json / yarn.lock to avoid silent updates.
- Use allowlists for approved packages.
2. Zero-Trust for Code
- Treat all external code as untrusted.
- Pin versions instead of using latest.
- Remove unused dependencies.
3. Credential Protection
- Immediately rotate npm & GitHub tokens if compromised.
- Switch to phishing-resistant MFA (YubiKey / FIDO2).
- Avoid storing credentials in code or .env files.
4. Secure GitHub / GitOps
- Enable branch protection rules (PR reviews required).
- Use Dependabot / Renovate for vetted dependency updates.
- Turn on secret scanning and alerts.
5. Continuous Monitoring
- Watch for unusual npm downloads, commits, or GitHub workflow changes.
- Log all package installation activities in CI/CD pipelines.

🛠️ Tools to Use
SCA (Software Composition Analysis):
- Snyk – scans npm deps & CI/CD
- npm-audit-resolver – fixes known issues
- OWASP Dependency-Check – flags vulnerable libs
Runtime Protection:
- Falco – detects suspicious container activity
- Aqua Trivy – vulnerability & misconfiguration scanning
Secrets & Credential Security:
- GitGuardian – scans secrets in repos
- Vault by HashiCorp – manages API keys/secrets securely
Monitoring & Alerts:
- Enable npm token activity alerts
- Configure GitHub Dependabot security updates
- Use SIEM/SOAR integration (Splunk, Wazuh, ELK) for anomaly detection

💡 Expert Advice: Combine policy with automation to win this fight, e.g. block builds in CI/CD if new, unapproved dependencies are detected.
Feel free to connect with me for any further assistance.
#CyberSecurity #AppSec #DevSecOps #Startups #npm #SupplyChainSecurity #CERTIn #RiskManagement #TechLeadership #Infosec
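The post's closing advice, blocking a build when an unapproved dependency shows up, and its "allowlists for approved packages" item can both be done with a lockfile diff. The script below is an added example, not tooling from the post: it pulls the package names out of a v2/v3 `package-lock.json` with grep and sed (so it runs on a bare CI runner without jq), compares them against a one-name-per-line allowlist, and separately lists any dependency resolved from somewhere other than the public registry. The allowlist format and file names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own tooling: a CI check that blocks a build
# when package-lock.json pins a package outside an approved list, and a
# second check that lists dependencies resolved from somewhere other than
# the public registry. Parses lockfile v2/v3 "packages" keys with grep/sed
# so it needs no jq. The allowlist format (one package name per line) is
# an assumption.

# Print the unique package names pinned in a lockfile. Nested
# node_modules paths are reduced to the innermost package name, so
# "node_modules/a/node_modules/b" contributes "b".
lockfile_packages() {
  grep -o '"node_modules/[^"]*"' "$1" \
    | sed -e 's/"//g' -e 's#.*node_modules/##' \
    | LC_ALL=C sort -u
}

# Print "resolved" URLs that do not point at registry.npmjs.org; git,
# tarball and mirror sources bypass registry-side controls and need review.
nonregistry_sources() {
  grep -o '"resolved": *"[^"]*"' "$1" \
    | sed 's/.*: *"\(.*\)"/\1/' \
    | grep -v '^https://registry\.npmjs\.org/' || true
}

# Return 1 and list offenders when LOCK pins packages missing from ALLOW;
# return 2 when either input file is absent (fail closed, not open).
check_dependency_allowlist() {
  lock="$1"
  allow="$2"
  [ -f "$lock" ] || { echo "allowlist check: no lockfile at $lock" >&2; return 2; }
  [ -f "$allow" ] || { echo "allowlist check: no allowlist at $allow" >&2; return 2; }
  # -x whole-line match, -F literal names, -f patterns read from the allowlist
  unapproved=$(lockfile_packages "$lock" | grep -vxF -f "$allow" || true)
  if [ -n "$unapproved" ]; then
    echo "allowlist check: unapproved packages in $lock:" >&2
    echo "$unapproved" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Typical pipeline step (uncomment in CI), assumed file names:
# check_dependency_allowlist package-lock.json approved-packages.txt || exit 1
# nonregistry_sources package-lock.json
```

Because the check reads the lockfile rather than `package.json`, it also catches transitive packages that arrive through a dependency's own update, which is exactly the path the post's "silent updates" warning is about; the allowlist then grows only through a reviewed pull request.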
-
Critical GraphQL Vulnerabilities in Chaos Mesh Allow Remote Code Execution and Kubernetes Cluster Takeover
Critical Vulnerabilities in Chaos Mesh: What You Need to Know
Overview of the Recent Security Findings
Recent disclosures by cybersecurity experts have highlighted significant security vulnerabilities within Chaos Mesh, a widely used open-source platform that facilitates Chaos Engineering in Kubernetes environments. These vulnerabilities, if exploited, could potentially enable attackers to take control of the entire […]
To read more, visit https://lnkd.in/d-KzbH93 #Global
-
🚨🐳🔒 Your "secure" container image? It's probably still leaking secrets.

The problem isn't just runtime vulnerabilities; it's the unchecked sprawl of build-time artifacts and ephemeral dependencies creating a much wider attack surface than you realize. We often forget that what's built into the image is just as critical as what runs from it.

The Deep Dive: Want to know what lurks beneath the surface of your latest image? This is your quick sanity check:

trivy image --severity HIGH --ignore-unfixed your-org/your-app:latest

This uses Trivy to scan your image for HIGH-severity vulnerabilities, ignoring those without a fix available. It's a quick win to prioritize your patching efforts.

Advanced Tactic: For true runtime protection, go beyond static scans. Implement Falco (or similar tools like Cilium's network policies for network-based enforcement). It acts like a behavioral firewall, detecting anomalous syscalls, file access, or network activity within your containers. It's the difference between locking the door and having a security guard inside.

My hardest lesson? Watching an otherwise "secure" container get popped because a former colleague left a commented-out credential in a build layer. It was visible via docker history, and no amount of multi-stage build wizardry would fix it if the context was polluted.

My pro tip? Enforce strict COPY --from=... discipline in multi-stage Dockerfiles. Treat your build context not as a junk drawer, but as a vault. Every file copied must be explicitly justified, and intermediate layers purged aggressively. And for the love of all that's secure, lint your Dockerfiles like your life depends on it.

What's the sneakiest container vulnerability you've ever had to hunt down, and how did you finally squash it? Share your war stories!
#DevOps #ContainerSecurity #Kubernetes #Docker #CloudNative #SecurityBestPractices #CICD #PlatformEngineering #InfoSec #Cybersecurity #ApplicationSecurity #ShiftLeft #Falco #Trivy #DevSecOps #SecOps
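The post's two build-time lessons, a polluted build context ending up in a layer and a credential surviving in `docker history`, are both checkable before an image ships. The script below is an added example, not code from the post or from Trivy or Falco: `lint_dockerfile` flags `COPY`/`ADD` lines that pull the whole context into the image and `ENV`/`ARG` lines carrying secret-looking names, and `scan_history_for_secrets` reads the output of `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` on stdin and reports layer commands that embed credential-like assignments. The secret-name list and the sample history lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the post: two checks for the build-time leaks the
# post describes. lint_dockerfile flags Dockerfile lines that copy the whole
# build context into a layer or bake secret-looking values in via ENV/ARG.
# scan_history_for_secrets reads `docker history --no-trunc --format
# '{{.CreatedBy}}' IMAGE` output on stdin and flags layer commands carrying
# credential-like assignments. The name list is an assumption chosen for
# illustration; extend it to match your own naming conventions.

SECRET_NAMES='(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY)'

# Print one finding per line (prefixed with the rule name and line number);
# return 1 if anything was found, 2 if the file is missing, else 0.
lint_dockerfile() {
  f="$1"
  [ -f "$f" ] || { echo "lint: no Dockerfile at $f" >&2; return 2; }
  findings=$(
    # Whole context copied in: a stray .env or key file becomes a layer.
    # Leading flags such as --chown=... are allowed before the source path.
    grep -En '^(COPY|ADD)([[:space:]]+--[^[:space:]]+)*[[:space:]]+(\.|\./)[[:space:]]' "$f" \
      | sed 's/^/context-copy: line /'
    # ENV persists in image metadata; ARG values are recorded in history.
    grep -Ein "^(ENV|ARG)[[:space:]]+[A-Z0-9_]*${SECRET_NAMES}[A-Z0-9_]*([=[:space:]]|$)" "$f" \
      | sed 's/^/secret-in-build: line /'
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Read CreatedBy lines on stdin; print the ones that assign a value to a
# secret-looking variable. Return 1 when any were found, else 0.
scan_history_for_secrets() {
  hits=$(grep -Ei "${SECRET_NAMES}[A-Z0-9_]*=[^[:space:]]+" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Typical pipeline steps (uncomment in CI), assumed image name:
# lint_dockerfile Dockerfile || exit 1
# docker history --no-trunc --format '{{.CreatedBy}}' your-org/your-app:latest \
#   | scan_history_for_secrets || exit 1
```

The history scan is deliberately run against the built image rather than the Dockerfile, because a `--build-arg` value passed on the command line never appears in the Dockerfile but is recorded verbatim in the layer metadata, which is the "visible via docker history" case the post describes; for values that must reach a build step, BuildKit's `RUN --mount=type=secret` keeps them out of the layer record entirely.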
-