Broken projects are the least of the concerns for Ruby on Rails users| TechRadar
If you work with JavaScript at all, you probably saw a ton of noise yesterday about a vulnerability in the event-stream npm package. Unfortunately, the actual forensic analysis of the issue is buried under 600+ comments on the GitHub issue, most of which are just people flaming about the state of npm, open source, etc. I thought that was a shame, because the vulnerability was actually exceptionally clever and technically interesting, and teaches some important lessons about maintaining securi...| Zach Schneider
This page covers the detailed technical requirements for producing artifacts at each SLSA level. The intended audience is platform implementers and security engineers.| SLSA
With supply chain attacks on the rise, a shared vocabulary and universal framework is needed to provide incremental guidance to harden supply chains for more secure software production. This page introduces the main concepts behind SLSA and explains how it can help anyone involved in producing, consuming, or providing infrastructure for software.| SLSA
SushiSwap’s MISO launchpad hacked via a malicious GitHub commit.| Ars Technica
Summary On April 1, 2021, the Codecov team was alerted to a security event involving our Bash Uploader. The threat actor specifically targeted the Codecov Bash Uploader and used it ...| Codecov
Before diving into the SLSA specification levels, we need to establish a core set of terminology and models to describe what we’re protecting.| SLSA
A comprehensive technical analysis of supply chain threats and their corresponding mitigations in SLSA.| SLSA