#supply-chain-security

#supply-chain-security

Supposedly, Anthropic refused to give the Pentagon unrestricted access to Claude, its frontier AI model, the only one currently running on classified military networks. They wanted guarantees that there would be zero mass surveillance and no autonomous weapons without a human in the loop, making the final decisions of life or death. The Department of War's message was 'remove those restrictions or lose everything.'

From the very beginning, this has been about one fundamental principle: the military being able to use technology for all lawful purposes. The military will not allow a vendor to insert itself into the chain of command by restricting the lawful use of a critical capability and put our warfighters at risk.

The Pentagon put its ultimatum in writing on Wednesday night, reiterating its demand that Anthropic agree to let the military use its technology for "all lawful purposes." Anthropic CEO Dario Amodei responded with a public statement laying out the company's concerns and stating "we cannot in good conscience accede to their request."

The push reflects a broader Pentagon effort to field large numbers of low-cost drones quickly without creating new dependencies that could backfire in a fight. The Blue UAS [Uncrewed Aerial Systems] List provides service branches and federal agencies with a catalog of approved drones they can buy.

But after decades of outsourcing tungsten production, the federal government has now begun restricting imports. United States Tungsten founders Stacy Hastie and Randy Waterfield saw this coming. They're reviving what was once America's largest tungsten mine, the Tungsten Queen. It's a site holding an estimated 1 million tons of tungsten with an in-ground value approaching $450 million, the company says. And it says it is already in talks with the U.S. Government.

saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.

Europe faces increasingly sophisticated hybrid attacks on every area of its infrastructure, the EC claims. The revised Cybersecurity Act looks to address this with union-level risk assessments, combined with targeted mitigation measures that will include bans on IT components from "high-risk suppliers." The suggested timeframe for this could leave member states with as little as three years to remove non-compliant kit.

Midway through a decade that is coming to be defined by the runaway acceleration of technological change, the threat of ransomware attacks seems to be dropping down the agenda in boardrooms around the world, with C-suite executives more concerned about growing risks arising from artificial intelligence (AI) vulnerabilities, cyber-enabled fraud and phishing attacks, disruption to supply chains, and exploitation of software vulnerabilities.

The European Commission has launched a fresh consultation into open source, setting out its ambitions for Europe's developer communities to go beyond propping up US tech giants' platforms. In a "Call for Evidence" published this week, Brussels says the EU's reliance on non-European technology suppliers (read: US tech giants) has become a strategic liability, limiting choice, weakening competitiveness, and creating supply chain risks across everything from cloud services to critical infrastructure.

Charlie Marsh announced the Beta release of ty on Dec 16 "designed as an alternative to tools like mypy, Pyright, and Pylance." Extremely fast even from first run Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.

As organizations operate across cloud infrastructure, distributed endpoints, and complex supply chains, security has shifted from a collection of point solutions to a question of architecture, trust, and execution speed. This report examines how core areas of cybersecurity are evolving in response to that shift. Across authentication, endpoint security, software supply chain protection, network visibility, and human risk, it explores how defenders are adapting to adversaries that move faster, blend technical and social techniques, and exploit gaps between systems rather than weaknesses in any single control.

The first seafood vanished on Nov. 22 in Falmouth, Maine, where authorities suspect someone stole 14 cages full of oysters from an aquaculture site in Casco Bay. Many of the oysters were full-grown and ready for sale, and together with the cages were worth $20,000, according to the Maine Marine Patrol. "This is a devastating situation for a small businessman," said Marine Patrol Sgt. Matthew Sinclair.

The chairman of the Senate Intelligence Committee asked National Cyber Director Sean Cairncross in a Wednesday letter to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies. Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia.

Logitech believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. The zero-day vulnerability was patched by Logitech following its release by the software platform vendor. The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system.

A lawsuit brought by the US Securities & Exchange Commission (SEC) against SolarWinds has been dropped. The legal fire was also directed at the company's CISO, Timothy G. Brown. Brown's alleged personal responsibility will now not be determined in court. It therefore appears that CISOs have less to fear from the law than previously thought. CISOs are responsible for securing their company's IT infrastructure.

This represents a "new operational model that's neither traditional cyber attack nor conventional warfare," Amazon Chief Security Officer Steve Schmidt told The Register. "The targeting data collected through cyber means flows directly into kinetic decision making."

Slopsquatting is an attack method in which hackers exploit common AI hallucinations to trick engineers into mistakenly installing malicious packages. In short, hackers track non-existent packages hallucinated by AI coding tools and then publish malicious packages under these names on public repositories such as . The seemingly legitimate packages are then installed by victims who trust their AI code suggestions.

An influential bipartisan congressional commission is urging lawmakers to create a new economic statecraft office to enforce U.S. sanctions, limit Chinese influence in the electrical grid, and release funding to maintain dominance in cyber and quantum technologies - warning that the national security threat from Beijing has escalated over the past year and could threaten the United States in a future conflict.

I think the big cyber incidents happening in the Middle East and Europe in recent months, particularly ransomware as a service, so big names like Jaguar Land Rover and others, have kind of given this meeting an extra buzz just before we met. Quite a few people flew in from that have been affected by the supply chain attack on baggage handling software. So it was very relevant and topical.

Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems which could be exploited to affect buses while in transit.

Quantum computing stocks continue to rebound following a Wall Street Journal article yesterday detailing potential U.S. government equity investments in the sector. The report outlined early discussions with the Commerce Dept., where firms could trade shares for at least $10 million each in federal funds. The story ignited investor excitement after consecutive days of declining stock prices, with QBTS, RGTI, IONQ, and QUBT all racing higher by double-digit percentages.

Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL."

Data from 28,000 internal projects at Red Hat has been stolen. The hacker group Crimson Collective claims to have stolen nearly 570GB of data. The stolen information is not only affecting Red Hat: BleepingComputer reports that customer data from around 800 Customer Engagement Reports has also been stolen. The hackers claim that the breach took place around two weeks ago. Customer Engagement Reports (CERs) are documents that contain infrastructure details, configuration data, authentication keys, and other sensitive customer information.

New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

For Developers: * Never use pickle for untrusted data: This cannot be emphasized enough. * Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks. * Always use weights_only=True when using PyTorch's load functions. * Restrict to trusted classes: Restrict deserialization to only trusted classes. * Implement defense in depth: Don't rely on a single security measure. * Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered.