Malware warning: A new npm attack targets the popular Ethereum library ethers, sneaking in a backdoor to take control of systems.
Read: https://hackread.com/npm-malware-infects-ethereum-library-with-backdoor/

The wait is over—Kubewarden 1.23 is here! Packed with security enhancements, smoother workflows, and key updates to elevate your Kubernetes experience. Dive into what's new: https://www.kubewarden.io/blog/2025/03/kubewarden-1.23-release
#Kubernetes #DevSecOps #Security #PolicyAsCode
Regal v0.32.0 just dropped! After having worked mostly on language server features recently, it was time for the linter to get some love. This release includes 3 new linter rules as well as much faster linting. Check it out!
Master Privacy Engineering at OWASP Global AppSec 2025 EU in Barcelona!
2-Day Training | May 27-28, 2025
Level: Intermediate | Trainers: Kim Wuyts & Avi Douglen
Led by Kim Wuyts and Avi Douglen, you'll gain hands-on experience tackling privacy challenges while addressing the growing skills gap in privacy engineering.
Ready to shine on stage?
Share your expertise at #OWASP Global #AppSec USA in Washington, DC this November! Submit your presentations now for this incredible event! Seize the opportunity - apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/
#infosec #AI #devsecops #SBOMM
Kubernetes security alert: #IngressNightmare
On 24 March 2025, the Wiz research team and the Kubernetes maintainers disclosed 5 major vulnerabilities affecting the very popular Ingress-NGINX Controller (present on over 40% of clusters).
These flaws, the most severe of which is CVE-2025-1974 (CVSS 9.8), allow an attacker without credentials to execute code remotely (Remote Code Execution) and take complete control of the Kubernetes cluster, gaining access to all of its secrets (passwords, API keys, etc.).
What is at fault:
The vulnerable component is the Ingress-NGINX Validating Admission Controller. It validates "Ingress" objects but is, by default, reachable without authentication from the cluster's internal network, and sometimes even exposed publicly.
The researchers managed to inject malicious NGINX configurations and then execute code by loading libraries from temporary files through NGINX. A truly invisible way in.
What you should do quickly:
Check whether you are using ingress-nginx:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
Update to a fixed version:
v1.12.1 or v1.11.5
If you cannot update right away:
Temporarily disable the admission webhook (see the official instructions).
[Official sources]
Wiz research blog:
"IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX"
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Kubernetes announcement (Security Response Committee):
"Ingress-nginx CVE-2025-1974: What You Need to Know"
https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
Wow, things are getting wild in the Kubernetes world! The name alone – "IngressNightmare" – gives me chills! It's crucial to know this affects the Ingress NGINX Controller, *not* the NGINX Ingress Controller. That's a big difference!
Wiz really uncovered something huge. We're talking over 6,500 vulnerable clusters, with the potential for some serious Remote Code Execution (RCE). Ouch! They found that a scary 43% of cloud environments are impacted.
It appears that these kinds of vulnerabilities often slip past standard scans. You really need manual penetration testing to catch them. And as a pentester myself, I can tell you, it's frequently like digging for buried treasure!
Here are the CVEs to watch out for: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974. These have a CVSS score of 9.8! So, you'll want to update to 1.12.1, 1.11.5, or 1.10.7 *immediately*. Another crucial step? See if your Admission Webhook Endpoint is exposed. Make sure you're limiting access. Don't need it? Then, turn it off!
So, what are your experiences with K8s security? I'm curious, what tools do you swear by?
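As an added example (not code from either post above, nor from Wiz or the Kubernetes project), the POSIX shell script below classifies ingress-nginx controller image tags against the fixed releases the two posts name (v1.12.1, v1.11.5, v1.10.7) and reports each controller pod found with the advisory's kubectl selector. The kubectl column layout is assumed as shown in the comment, and the pod names and digest in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts: classify ingress-nginx controller
# image tags against the fixed releases named in the posts (v1.12.1, v1.11.5,
# v1.10.7) and report each controller pod found with the advisory's kubectl
# selector. Assumes upstream "vMAJOR.MINOR.PATCH" tags; the pod listing below
# is a constructed sample, not output from a real cluster.

# Echo "patched", "vulnerable" or "unknown" for one image tag.
ingress_nginx_status() {
  tag="${1#v}"
  case "$tag" in
    1.12.*) fixed=1 ;;
    1.11.*) fixed=5 ;;
    1.10.*) fixed=7 ;;
    1.[0-9].*) echo vulnerable; return 0 ;;   # older, unsupported lines received no fix
    *) echo unknown; return 0 ;;             # e.g. "latest" or a bare digest
  esac
  patch="${tag##*.}"
  case "$patch" in *[!0-9]*|'') echo unknown; return 0 ;; esac
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Read "NAMESPACE POD IMAGE" lines from stdin, as produced by:
#   kubectl get pods -A --selector app.kubernetes.io/name=ingress-nginx --no-headers \
#     -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,IMAGE:.spec.containers[*].image
# Print "NS POD TAG STATUS" per controller pod and return 1 if any is vulnerable.
report_pods() {
  rc=0
  while read -r ns pod image; do
    [ -n "$image" ] || continue
    case "$image" in */ingress-nginx/controller:*) ;; *) continue ;; esac  # skip certgen job pods
    image="${image%%@*}"            # drop any @sha256:... digest suffix
    tag="${image##*:}"              # the text after the last ':' is the tag
    status=$(ingress_nginx_status "$tag")
    if [ "$status" = vulnerable ]; then rc=1; fi
    printf '%s %s %s %s\n' "$ns" "$pod" "$tag" "$status"
  done
  return "$rc"
}

# Constructed sample listing (made-up pod names, placeholder digest).
SAMPLE='ingress-nginx  ingress-nginx-controller-7d9f  registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:PLACEHOLDER
edge           ingress-nginx-controller-1a2b  registry.k8s.io/ingress-nginx/controller:v1.12.1'

printf '%s\n' "$SAMPLE" | report_pods ||
  echo "a controller below the fixed release was found: upgrade, or disable the admission webhook until you can"
```

Pipe the real kubectl output into report_pods instead of the sample to check your own cluster; a non-zero exit means at least one controller still needs the upgrade.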
OWASP Global AppSec EU 2025 Barcelona: full training schedule is out now!
Day 3 is packed with even more hands-on training sessions to enhance your AppSec expertise! Whether you're new to the field or looking to sharpen your skills, this day promises deeper dives into the latest security techniques and tools.
View the full agenda and register now:
https://owasp.glueup.com/event/owasp-global-appsec-eu-2025-123983/home.html
Are you ready to take the stage?
Showcase your knowledge at #OWASP Global #AppSec USA in Washington, DC this November! Submit your proposals now to be part of this amazing event! Don't let this opportunity pass you by - apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/
#infosec #AI #devsecops #SBOMM
Get ready for an exhilarating time at #OWASP Global #AppSec EU in May! Imagine navigating between sessions, connecting over coffee... Why not elevate your experience by becoming a Mentor? Embrace the opportunity and sign up here: https://owasp.wufoo.com/forms/zk2cdkr1qla6o8/ #CyberSecurity #AI #infosec #devsecops
OWASP Global AppSec EU 2025 Barcelona – Day 2 Training Spotlight!
Day 2 is packed with hands-on training sessions designed to take your AppSec skills to the next level!
Don’t miss out on this immersive learning experience! View the full agenda, live now on our website, and secure your seat today.
Register now! https://owasp.glueup.com/event/owasp-global-appsec-eu-2025-123983/home.html
Are you excited about #OWASP Global #AppSec EU in May? Picture yourself dashing between sessions, networking over coffee... How about adding mentoring to your experience? Be a Mentor! Join us: https://owasp.wufoo.com/forms/zk2cdkr1qla6o8/
Calling all potential speakers!
Here's your chance to shine at #OWASP Global #AppSec USA in Washington, DC this November! Share your expertise by submitting presentation proposals now! Don't miss out - apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #SBOMM #threatmodeling
Exciting update!
Calling all cybersecurity enthusiasts! Don't miss out on the opportunity to showcase your expertise at #OWASP Global #AppSec USA in Washington, DC this November. Submit your presentation proposals today! Click here to apply: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/
Optimize Your AppSec Tools at OWASP Global AppSec 2025 EU in Barcelona!
2-Day Training | May 27-28, 2025
Level: Beginner | Trainer: Josh Grossman
Led by Josh Grossman, this updated course focuses on practical, vendor-neutral strategies to streamline workflows, automate processes, and measure your security improvements effectively without slowing down your CI/CD pipelines.
*Security alert* in the GitHub Action tj-actions/changed-files
A vulnerability has been **actively exploited in the GitHub Action tj-actions/changed-files**, endangering CI/CD pipelines and exposing sensitive secrets.
Impact: credential theft and potential compromise of workflows.
Risk period: 12 March 2025 (00:00 UTC) to 15 March 2025 (12:00 UTC)
Affected repositories:
Public repositories → Since the logs are publicly accessible, secrets must be considered **compromised**.
Recommended action: rotate all secrets without delay.
Private repositories → Less exposed, but still at risk. Secret rotation recommended as soon as possible.
Recommendation:
If your project ran this action during the risk period, change all secrets immediately.
Sources:
Wiz.io
StepSecurity
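An added example, not from the post above or from the tj-actions project: a POSIX shell triage script that finds `uses:` references to tj-actions/changed-files in workflow text and tests workflow run timestamps against the post's risk period, so a repository owner can tell whether the rotation advice applies to them. The workflow snippet and the run timestamps are constructed samples; the window bounds are the ones stated in the post.

```shell
# Added example, not from the original post: triage a repository for the
# tj-actions/changed-files incident by finding `uses:` references to the
# action and checking run timestamps against the advisory's risk window
# (12 Mar 2025 00:00 UTC to 15 Mar 2025 12:00 UTC). The workflow text and
# run times below are constructed samples (real ones: .github/workflows/*.yml
# and `gh run list` or the GitHub API).
WINDOW_START=20250312000000   # YYYYMMDDhhmmss, comparable as an integer
WINDOW_END=20250315120000

# Print the ref of every `uses: tj-actions/changed-files@<ref>` read from stdin.
changed_files_refs() {
  grep -o 'uses:[[:space:]]*tj-actions/changed-files@[^[:space:]]*' | sed 's/.*@//'
}

# Return 0 if an ISO-8601 UTC timestamp (e.g. 2025-03-13T09:15:42Z) lies in the
# window; stripping the non-digits yields the same YYYYMMDDhhmmss form.
run_in_window() {
  n=$(printf '%s' "$1" | tr -cd '0-9')
  [ "$n" -ge "$WINDOW_START" ] && [ "$n" -le "$WINDOW_END" ]
}

# Echo only those timestamps from stdin that fall inside the window.
runs_in_window() {
  while read -r ts; do
    if run_in_window "$ts"; then printf '%s\n' "$ts"; fi
  done
}

# Constructed sample workflow and run start times (not a real repository).
WORKFLOW='jobs:
  diff:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45'
RUNS='2025-03-11T23:59:00Z
2025-03-13T09:15:42Z
2025-03-16T08:00:00Z'

# Return 0 when the action is referenced and at least one run is in the window,
# the post's condition for rotating every secret the job could have read.
rotation_needed() {
  refs=$(printf '%s\n' "$WORKFLOW" | changed_files_refs)
  hits=$(printf '%s\n' "$RUNS" | runs_in_window)
  [ -n "$refs" ] && [ -n "$hits" ]
}

if rotation_needed; then
  echo "tj-actions/changed-files ran inside the risk window: rotate all secrets"
fi
```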
OWASP Global AppSec EU 2025 Barcelona Day 1 Agenda Sneak Peek!
The full agenda is now live on our website, and we're kicking things off in Barcelona with an incredible first day! Join in on training sessions on AI Whiteboard Hacking, Full-Stack Pentesting, and iOS and Android App Security on day 1.
https://owasp.glueup.com/event/owasp-global-appsec-eu-2025-123983/home.html
As part of the @ActiveState team, I’m proud to share insights from our 2025 State of Vulnerability Management and Remediation Report. Did you know that over 50% of vulnerabilities are exploited within 7 days of discovery?
This report dives into how DevSecOps teams can reduce Mean Time to Resolution (MTTR) and strengthen application security.
If you’re looking to stay ahead of open-source risks, download the report today and learn how to better protect your software supply chain! Read the press release here: https://www.prnewswire.com/news-releases/activestates-groundbreaking-report-exposes-critical-gaps-in-enterprise-vulnerability-remediation-302394249.html?tc=eml_cleartime
Download the report today: https://www.activestate.com/resources/white-papers/the-2025-state-of-vulnerability-management-and-remediation-report/?utm_source=linkedin&utm_medium=social&utm_campaign=remediated-report&utm_content=employee