Security

Cloudflare mitigated the largest HTTPS DDoS attack ever recorded at 26 million requests per second. The Mantis botnet represents a new generation of volumetric threats.

CVE-2022-30190, dubbed Follina, exploits Microsoft’s diagnostic tool through Office documents — no macros required.

Heroku’s OAuth token breach exposes the fragile trust chain in platform-as-a-service dependencies and what it means for developers.

A critical RCE vulnerability in Spring Framework has the internet in panic mode, but the actual risk profile is more nuanced than the Log4Shell comparisons suggest.

The Lapsus$ hacking group has breached both Okta and Microsoft, exposing critical weaknesses in identity provider security and third-party access management.

A popular npm package was deliberately sabotaged by its own maintainer, raising urgent questions about supply chain trust in open source.

As conflict erupts in Ukraine, destructive wiper malware targeting critical infrastructure signals a new chapter in state-sponsored cyber operations.

The Linux Foundation’s new Alpha-Omega Project, backed by Google and Microsoft, aims to systematically improve the security of critical open source software.

The White House convened tech leaders to address open source security after Log4Shell. Here’s what was discussed and what it means for developers.

A week after Log4Shell, the patching chaos continues. But the bigger lesson is about software supply chain security and why we need SBOMs now.

A critical remote code execution vulnerability in Apache Log4j has sent the entire industry scrambling. Here’s what you need to know and do right now.

Popular npm packages coa and rc were hijacked to distribute malware, impacting thousands of projects and raising urgent questions about supply chain security.