Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev
Socket
cc: @campuscodi.risky.biz @zackwhittaker.com @techcrunch.com @arstechnica.com
This post appeared under this Techmeme headline:
TeamPCP has partnered with ransomware group Vect after exfiltrating ~300GB of credentials from CI/CD environments, targeting open source supply chains. “We will chain these compromises into devastating follow-on ransomware campaigns.” Details → socket.dev/blog/teampcp...
This kind of attack is getting more and more common. Early in my career I used to update dependencies blindly — not anymore. For a few years now I’ve been locking packages to specific versions, reading changelogs carefully, and setting a `cooldown` in Dependabot (link in thread).