Kusan kowane mako, tsarin gano ƙwayoyin cuta namu yana duba dubban sabbin fakiti da aka sabunta a cikin rajistar jama'a kamar npm da PyPI. Wannan makon ya kasance mai aiki sosai.
Mun tabbatar Fakiti 198 na cutarwa, galibi a fadin npm, tare da ƙarin shari'o'i a cikin PyPI, OpenVSX, Composer, da VS Code. Da yawa sun bayyana a cikin ƙungiyoyi masu haɗin gwiwa, tare da sake buga munanan sakewa da aka buga a ƙarƙashin sunaye iri ɗaya ko a cikin iyalai masu alaƙa da juna. Wani lamari mai ban mamaki shine shari'ar da ta fi fice ita ce sensivity kunshin, wanda ya cika npm da fitowar da aka yi wa sigar sama da 60 a cikin kewayon 2.5.x. Sauran manyan rukunoni sun haɗa da ai-sdk-helpers (Sigogi 8 da ke niyya ga masu haɓaka AI), @antoncallahan/aws-user-helper (nau'ikan 7 da ke kwaikwayon amfanin AWS), @apple-pay-trust da kuma @google-pay-trust iyalai (kwaikwayon tsarin biyan kuɗi), @frengki0707/google-cloud-clone (nau'ikan 5 da ke yin lalata da Google Cloud), da kuma cms-storehub, cms-helpgit, Da kuma cms-github (wanda aka yi niyya ga CMS pipelines). Fakiti da yawa sun kwaikwayi tsarin biyan kuɗi da biyan kuɗi, enterprise da kuma fakitin yanar gizo na ciki, abokan ciniki na nazari, tushen UI, kayan aikin haɓakawa, masu binciken sassa, fakitin girgije da jigogi na Google, da sauran kayayyaki waɗanda aka fi amincewa da su a cikin ayyukan ci gaba na zamani.
Waɗannan ba wasu abubuwa ne da ba a saba gani ba. Abin da ya fito fili a wannan makon shi ne yawan bugawa da aka yi a gidajen fakiti ɗaya, sake amfani da tsarin suna, da kuma yadda aka ɓoye fakitin da ba su dace ba don su yi kama da dogaro na gaskiya a cikin isar da software na gaske. pipelines.
Wannan hoton mako-mako wani ɓangare ne na ci gaba da ake yi da Mummunan Lambobin Yaƙi, inda muke tabbatar da sabbin barazanar da kuma samar da bayanan sirri masu amfani don taimakawa ƙungiyoyin DevSecOps don kare su. pipelinekafin lalacewa ta faru.
Bari mu bayyana abin da muka samu a wannan makon da kuma dalilin da ya sa yake da muhimmanci.
| Kayan daji | Package | Rana |
|---|---|---|
| npm | @cloudplatform-single-spa/administration:99.99.100 | Bari 30, 2026 |
| npm | @cloudplatform-single-spa/svp-s3-storage:99.99.100 | Bari 30, 2026 |
| npm | @maximvs1538/os-npm:99.0.0 | Bari 30, 2026 |
| npm | @easy-entry/downing-routes:99.9.5 | Bari 30, 2026 |
| npm | @easy-entry/outside-registration-fop-navigator:99.9.5 | Bari 30, 2026 |
| npm | @shiga mai sauƙi/hanyoyi:99.9.5 | Bari 30, 2026 |
| npm | @t-in-one/form_product_token:5.7.1 | Bari 30, 2026 |
| npm | @capibar.chat/ui-kit:99.5.7 | Bari 30, 2026 |
| vscode | xampp-manaja: 5.1.3 | Bari 30, 2026 |
| npm | @chat-template/auth:1.0.0 | Bari 31, 2026 |
| npm | json-to-simple-graphql-schema:1.0.0 | Jun 1, 2026 |
| npm | @gs-select/savings-client-application:99.0.0 | Jun 1, 2026 |
| npm | nemo-reporter: 1.8.2 | Jun 1, 2026 |
| npm | cms-github:4.2.4 | Jun 1, 2026 |
| npm | cms-helpgit:4.2.6 | Jun 1, 2026 |
| npm | cms-helpgit:4.2.8 | Jun 1, 2026 |
| npm | Tsarin ajiya na cms: 1.3.4 | Jun 1, 2026 |
| npm | Tsarin ajiya na cms: 1.3.5 | Jun 1, 2026 |
| npm | Tsarin ajiya na cms: 1.3.6 | Jun 1, 2026 |
| pypi | simtooreal-cli:0.3.0 | Jun 1, 2026 |
| npm | dabarun-wuri-gaba-gaba:1.1.1 | Jun 1, 2026 |
| npm | dabarun-wuri-gaba-gaba:1.1.2 | Jun 1, 2026 |
| npm | tattaunawa-sdk:2.0.2 | Jun 1, 2026 |
| npm | veltrix:9.0.0 | Jun 1, 2026 |
| npm | veltrix:9.0.1 | Jun 1, 2026 |
| npm | jingmeideshishi:1.0.4 | Jun 1, 2026 |
| npm | jingmeideshishi:1.0.5 | Jun 1, 2026 |
| npm | @tse-dijital/core:99.0.0 | Jun 1, 2026 |
| npm | @telenor-se/core:99.0.0 | Jun 1, 2026 |
| npm | @ownit/core:99.0.0 | Jun 1, 2026 |
| npm | Takardun marasa lafiya:75.0.0 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.69 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.68 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.82 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.80 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.81 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.83 | Jun 1, 2026 |
| npm | @antoncallahan/aws-mai-hannun-mai-hannu:6767.67.3 | Jun 1, 2026 |
| npm | @emcd-vue/auth:6.4.9 | Jun 1, 2026 |
| npm | @emcd-vue/b2b-pay-form:5.7.4 | Jun 1, 2026 |
| npm | @ccrm/ajiya-mai amfani-api-axios:5.0.1 | Jun 2, 2026 |
| npm | hankali: 2.5.8 | Jun 2, 2026 |
| npm | hankali: 2.5.12 | Jun 2, 2026 |
| npm | hankali: 2.5.16 | Jun 2, 2026 |
| npm | hankali: 2.5.17 | Jun 2, 2026 |
| npm | hankali: 2.5.18 | Jun 2, 2026 |
| npm | hankali: 2.5.19 | Jun 2, 2026 |
| npm | hankali: 2.5.20 | Jun 2, 2026 |
| npm | hankali: 2.5.21 | Jun 2, 2026 |
| npm | hankali: 2.5.22 | Jun 2, 2026 |
| npm | hankali: 2.5.23 | Jun 2, 2026 |
| npm | hankali: 2.5.24 | Jun 2, 2026 |
| npm | hankali: 2.5.25 | Jun 2, 2026 |
| npm | hankali: 2.5.26 | Jun 2, 2026 |
| npm | hankali: 2.5.27 | Jun 2, 2026 |
| npm | hankali: 2.5.28 | Jun 2, 2026 |
| npm | hankali: 2.5.29 | Jun 2, 2026 |
| npm | hankali: 2.5.30 | Jun 2, 2026 |
| npm | hankali: 2.5.31 | Jun 2, 2026 |
| npm | hankali: 2.5.32 | Jun 2, 2026 |
| npm | hankali: 2.5.41 | Jun 2, 2026 |
| npm | hankali: 2.5.42 | Jun 2, 2026 |
| npm | hankali: 2.5.43 | Jun 2, 2026 |
| npm | hankali: 2.5.44 | Jun 2, 2026 |
| npm | hankali: 2.5.45 | Jun 2, 2026 |
| npm | hankali: 2.5.46 | Jun 2, 2026 |
| npm | meoo-ui-helpers:1.0.1 | Jun 2, 2026 |
| npm | @langgraphjs/kayan aiki:1.2.10 | Jun 2, 2026 |
| npm | eyevox:9.0.1 | Jun 2, 2026 |
| npm | hankali: 2.5.53 | Jun 3, 2026 |
| npm | hankali: 2.5.54 | Jun 3, 2026 |
| npm | hankali: 2.5.55 | Jun 3, 2026 |
| npm | hankali: 2.5.56 | Jun 3, 2026 |
| npm | hankali: 2.5.57 | Jun 3, 2026 |
| npm | hankali: 2.5.61 | Jun 3, 2026 |
| npm | @sentry-browser-sdk/profiling-node:1.0.1 | Jun 4, 2026 |
| npm | @sentry-browser-sdk/profiling-node:1.0.2 | Jun 4, 2026 |
| npm | @sentry-browser-sdk/profiling-node:1.0.5 | Jun 4, 2026 |
| npm | hidimar tara kuɗi: 1.0.0 | Jun 4, 2026 |
| npm | hankali: 2.5.67 | Jun 4, 2026 |
| npm | hankali: 2.5.68 | Jun 4, 2026 |
| npm | samfurin hulɗar vg:40.0.5 | Jun 4, 2026 |
| npm | internallib_v346:1.0.3 | Jun 4, 2026 |
| npm | internallib_v346:1.0.5 | Jun 4, 2026 |
| npm | internallib_v346:1.0.9 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:0.2.1 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:0.3.0 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:0.3.1 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:1.1.0 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:1.1.1 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:1.3.0 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:1.4.0 | Jun 4, 2026 |
| npm | masu taimaka wa ai-sdk:1.4.2 | Jun 4, 2026 |
| npm | @achuthvp/postinstall-poc: 1.0.3 | Jun 4, 2026 |
| npm | hankali: 2.5.0 | Jun 5, 2026 |
| npm | hankali: 2.5.1 | Jun 5, 2026 |
| npm | hankali: 2.5.2 | Jun 5, 2026 |
| npm | hankali: 2.5.3 | Jun 5, 2026 |
| npm | hankali: 2.5.4 | Jun 5, 2026 |
| npm | hankali: 2.5.5 | Jun 5, 2026 |
| npm | hankali: 2.5.13 | Jun 5, 2026 |
| npm | hankali: 2.5.14 | Jun 5, 2026 |
| npm | hankali: 2.5.15 | Jun 5, 2026 |
| npm | hankali: 2.5.33 | Jun 5, 2026 |
| npm | hankali: 2.5.34 | Jun 5, 2026 |
| npm | hankali: 2.5.35 | Jun 5, 2026 |
| npm | hankali: 2.5.36 | Jun 5, 2026 |
| npm | hankali: 2.5.37 | Jun 5, 2026 |
| npm | hankali: 2.5.38 | Jun 5, 2026 |
| npm | hankali: 2.5.58 | Jun 5, 2026 |
| npm | hankali: 2.5.59 | Jun 5, 2026 |
| npm | hankali: 2.5.60 | Jun 5, 2026 |
| npm | hankali: 2.5.62 | Jun 5, 2026 |
| npm | hankali: 2.5.63 | Jun 5, 2026 |
| npm | hankali: 2.5.64 | Jun 5, 2026 |
| npm | hankali: 2.5.65 | Jun 5, 2026 |
| npm | hankali: 2.5.66 | Jun 5, 2026 |
| npm | hankali: 2.5.69 | Jun 5, 2026 |
Kare Dogayen Tushenka na Buɗaɗɗen Bayani daga Rauni da Lambobin Mugunta
Kada ku bari fakitin da ba su da kyau su isa gare ku pipelines. Gano Malware na Farko na Xygeni Yana ba wa ƙungiyar ku damar fahimtar barazanar da ta fi muhimmanci a ainihin lokaci, tare da kama abubuwan da suka shafi haɗari kafin su taɓa software ɗinku.
Kamar yadda wannan rahoto na wannan makon ya bayyana a sarari, yawan da kuma fasahar kamfen ɗin ɓarna ba ya raguwa. Ruwan sama mai tsari, kwaikwayon tsarin biyan kuɗi, da kuma sunayen fakitin da ke kama da na ciki suna daga cikin dabarun da maharan ke amfani da su don su wuce gona da iri. standard Kariya. Ci gaba da waɗannan barazanar yana buƙatar fiye da bincike lokaci-lokaci, yana buƙatar ci gaba da sa ido a duk rajistar da ƙungiyoyin ku suka dogara da ita.
Xygeni's Open Source Security Maganin yana duba da toshe fakiti masu cutarwa a wurin bugawa, a fadin npm, PyPI, da sauransu. Ta hanyar fifita yanayin raunin da ke haifar da babban haɗari na gaske (da kuma daidaita hanyar gyara ga ƙungiyoyin DevSecOps ɗinku) Xygeni yana taimaka muku kiyaye isar da software mai aminci da inganci ba tare da rage gudu ba.




