Looked at from one angle, the recent attack on JumpCloud, a cloud-based identity and access management provider, was unsurprising.

Threat researchers at ReversingLabs, a software supply chain security and malware analysis platform, have discovered a malicious new PyPI package dubbed VMConnect on the Python Package Index (PyPI) repository.

Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

A new malicious campaign has been found on the Python Package Index (PyPI) open-source repository involving 24 malicious packages that closely imitate three popular open-source tools: vConnector, eth-tester and databases.

This newly discovered "dual use" campaign enables software supply chain compromise as well as phishing.

Efforts to establish SBOM standards and guidance have progressed, but unanswered questions persist -- including how the federal government plans to enforce its own requirements.