Get ready to shine on stage! 
Don't miss the chance to showcase your skills at #OWASP Global #AppSec USA in Washington, DC this November. Submit your presentations now for an incredible opportunity. Apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ 
#infosec #AI #devsecops #SBOMM
RCE Vulnerability in Node.js CI Pipeline Exposed Millions to Potential Supply Chain Attack
Security researchers have uncovered a serious flaw in the Node.js CI/CD architecture — one that allowed attackers to hijack internal Jenkins agents and execute arbitrary code.
The core issue? A Time-of-Check-Time-of-Use (TOCTOU) vulnerability in the communication between GitHub Actions and Jenkins pipelines. By forging a commit timestamp that predates a maintainer’s approval, attackers could smuggle malicious code past security checks and straight into Jenkins execution.
Here’s what made this attack so dangerous:
- It bypassed the `checkCommitsAfterReviewOrLabel()` function.
- It enabled attackers to compromise Jenkins infrastructure.
- It even risked injecting malware into the Node.js main branch — impacting the entire ecosystem.
Praetorian reported the flaw on March 21. The Node.js team responded fast:
- Restricted access to Jenkins CI.
- Rebuilt 24 potentially compromised machines.
- Switched from timestamp checks to SHA-based validation.
- Audited 140+ Jenkins jobs and patched the commit-queue workflow.
This is a wake-up call for every company using multi-platform CI/CD pipelines:
- Integration between platforms creates invisible attack surfaces.
- Automated approvals and cross-platform handoffs must be treated as critical security boundaries.
Credit to the Node.js team for their transparency and swift mitigation — but the lesson is clear:
If you're not securing the spaces between your DevOps tools, you're leaving the door wide open.
Kexa offers automated compliance checks for multi-cloud environments like AWS, GCP, and Azure—supporting CI/CD integration, rule-based scanning, and real-time alerts via common channels.
The federal cloud market is headed toward $78B by 2029. Is your business ready?
Our FedRAMP guide shows you how to unlock these opportunities with a strategic approach to compliance. Download now!
https://anchore.com/blog/navigating-the-path-to-federal-markets-your-complete-fedramp-guide/
Get ready to shine on stage! Don't miss the chance to showcase your skills at #OWASP Global #AppSec USA in Washington, DC this November. Submit your presentations now for an incredible opportunity to share your expertise. Apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #SBOMM
MCP adoption in AI is skyrocketing 
, but so are the risks. Microsoft's Sarah Young & Den Delimarsky have a fresh blog on thwarting indirect injection attacks and more 
.
Read it: https://devblogs.microsoft.com/blog/protecting-against-indirect-injection-attacks-mcp
Регуляторика РБПО. Часть 5 – Ответственность, взгляд в будущее, инфографика всего обзора
Приветы после долгого перерыва! С вами Альбина Аскерова, руководитель направления по взаимодействию с регуляторами в Swordfish Security. Сегодня в завершающей статье по Регуляторике РБПО: - напомним о применимой законодательной ответственности, - расскажем, что сейчас в проектах у регуляторов на 2025 год, а что уже есть нового утвержденного, - покажем майндкарты регуляторики. В конце будет розыгрыш мерча, который обещали в 1 части 
https://habr.com/ru/companies/swordfish_security/articles/905168/
Hello #FediHire !
A friend of mine is looking for an internship in #devops / #devsecops / #cybersecurity / #infosec !
She's a hard worker, very eager to learn, speaks very well English !
Please consider giving her a chance to learn even more, or forward to your own profesionnal network ! 
Security teams: Stop manually grepping through your codebase during #zeroday incidents. Learn how to implement production #SBOM inventory that turns "Are we affected by this CVE?" into a simple query. https://get.anchore.com/rapid-incident-response-with-sboms/ #ZeroDay #DevSecOps
The Evolution of Programming: AI's Role in Disrupting Developer Roles
As AI continues to advance, the landscape of programming is shifting dramatically. Developers are now integrating AI helpers into their workflows, fundamentally changing how software is built and main...
https://news.lavx.hu/article/the-evolution-of-programming-ai-s-role-in-disrupting-developer-roles
Let's level up our EKS security game! Join our hands-on webinar on "Shift Right Security for EKS" with Bion Consulting and Anchore. Learn practical techniques to identify and remediate vulnerabilities in your scaling EKS applications. We will focus on:
- Kubernetes Runtime Inventory and why it matters for container security
- How to install and configure Anchore's Runtime Inventory on Amazon EKS
- How Anch... https://get.anchore.com/shift-right-security-for-eks-anchore/ #EKS #KubernetesSecurity #DevSecOps #Anchore #SecurityWebinar
Anchore announces Grype v0.91.2. This release resolves several false positives identified in v0.91.1, enhancing scan accuracy. Users are advised to update.
#VulnerabilityScanning #Security #DevSecOps
https://github.com/anchore/grype/releases/tag/v0.91.2
Join Ken Toler at OWASP Global AppSec EU 2025 in Barcelona for a thought-provoking session on rethinking how we approach security innovation.
Mastering Security through Simple Machines: How Consistency, Not Complexity, Drives Innovation 
Thursday, May 29, 2025 
1:15 PM – 2:00 PM CEST
Vibe coding with LLMs is fast—but is your code secure? Discover the hidden risks: SQL injection, leaked secrets, and prompt injection vulnerabilities. Stay ahead in AI-driven development! Learn more: https://zerodaily.me/blog/2025-04-25-vibe-coding-llms-security-flaws
Vibe coding with LLMs is fast—but is your code secure? Discover the hidden risks: SQL injection, leaked secrets, and prompt injection vulnerabilities. Stay ahead in AI-driven development! Learn more: https://zerodaily.me/blog/2025-04-25-vibe-coding-llms-security-flaws
New release: Grype v0.91.1 is out! 
Packed with important bug fixes for improved vulnerability scanning accuracy and stability.
Check the changelog and upgrade!
#grype #security #devsecops
https://github.com/anchore/grype/releases/tag/v0.91.1
