Targeted supply chain attack against Chrome browser extensions
In this blog post, learn about the supply chain attack targeting Chrome browser extensions and the associated targeted phishing campaign.
![Government and university websites targeted in ScriptAPI[.]dev client-side attack - c/side](https://rdl.ink/render/https%3A%2F%2Fcontent.cside.dev%2Fcontent%2Fimages%2F2025%2F01%2FScriptAPI-cside.dev.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
Government and university websites targeted in ScriptAPI[.]dev client-side attack - c/side
Yesterday we discovered another client-side JavaScript attack targeting +500 websites, including governments and universities. The injected scripts create hidden links in the Document Object Model (DOM), pointing to external websites, a programming interface for web documents.
Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications
- E.V.A Information Security researchers uncovered several vulnerabilities in the CocoaPods dependency manager that allows any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications. These vulnerabilities have since been patched. Such an attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage. One of the vulnerabilities could also enable zero day attacks against the most advanced and secure organizations’ infrastructure. Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code. * Dependency managers are an often-overlooked aspect of software supply chain security. Security leaders should explore ways to increase governance and oversight over the use these tools.
0-days exploited by commercial surveillance vendor in Egypt
Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device. In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.
The OWASSRF + TabShell exploit chain
We see that one of our vulnerabilities is exploited in the wild Link. So we decided to public the detail analysis of our two bug chains. Any customer has enough information to mitigate these bugs. The vendor also released all patches a week ago. This blog post shares the detail
npm Supply Chain Attack Targeting Germany-Based Companies
The JFrog Security Research team identified and quickly disclosed new npm malicious packages aimed at compromising leading industrial organizations
The OWASSRF + TabShell exploit chain
We see that one of our vulnerabilities is exploited in the wild Link. So we decided to public the detail analysis of our two bug chains. Any customer has enough information to mitigate these bugs. The vendor also released all patches a week ago. This blog post shares the detail
npm Supply Chain Attack Targeting Germany-Based Companies
The JFrog Security Research team identified and quickly disclosed new npm malicious packages aimed at compromising leading industrial organizations
npm Supply Chain Attack Targeting Germany-Based Companies
The JFrog Security Research team identified and quickly disclosed new npm malicious packages aimed at compromising leading industrial organizations