Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, eth-tester and databases.

This newly discovered "dual use" campaign enables software supply chain compromise as well as phishing.

Efforts to establish SBOM standards and guidance have progressed, but unanswered questions persist -- including how the federal government plans to enforce its own requirements.

DigiCert announced that it had partnered with ReversingLabs June 6 to enhance supply chain software security by combining ReversingLabs’ binary analysis and threat detection services with DigiCert’s secure code signing solution.

DigiCert today announced it has allied with ReversingLabs to integrate binary analysis and threat detection capabilities