Paul

@ismisepaul

🔐 Product Security 📦 Software Supply Chain Security 🐍 Python 🧑‍💻 https://ismisepaul.github.io/

Joined 11.08.2023

Latest posts by Paul @ismisepaul

As someone deep into MCP (hello, I am one of the Core Maintainers of the protocol), what Kelsey alludes to here is 🎯

MCP completely removes the need to care about underlying API shape. Intent is what matters in a universal adapter. Behind the scenes you can use SOAP/XML for all we care.

12.02.2026 21:23 👍 59 🔁 7 💬 6 📌 0
Safer Docker Hub Pulls via a Sonatype-Protected Proxy | Docker Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version

Running Docker Hub pulls at scale?

This post shows how to add a Sonatype-protected proxy to centralize policy checks, cache trusted images, and keep existing workflows intact.
Learn how → https://bit.ly/4jQBm2g

23.01.2026 14:00 👍 1 🔁 1 💬 0 📌 0
EU Launches GCVE, A Decentralized Vulnerability Database Europe launches GCVE, a decentralized EU vulnerability database designed to reduce reliance on CVE and strengthen digital sovereignty.

New EU Vulnerability Platform GCVE Goes Live, Reducing Reliance on Global Systems

21.01.2026 12:51 👍 1 🔁 3 💬 0 📌 0

Framing bans as existential while treating sexual abuse as a regulatory detail is the real slippery slope. Why the digital exceptionalism - this would never be accepted in printed material. The harm was foreseeable, the safeguards were obvious, and limited action only came under pressure.

15.01.2026 07:42 👍 17 🔁 0 💬 0 📌 1

Comics peeps. I am finally clocking off from work tomorrow and doing my annual splurge on as many of the year's best titles as I can get my hands on. What've been your highlights of 2025? Ongoing weeklies, collected tpbs, one-off graphic novels, reissues, indies, whatever you've got.

18.12.2025 16:13 👍 31 🔁 18 💬 22 📌 0
Socket Firewall Now Available in Docker Hardened Images - So... Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection on top of hardened b...

Read more here: socket.dev/blog/socket-...

17.12.2025 19:03 👍 4 🔁 1 💬 1 📌 0
The Mend.io AppSec Blog The latest news and insights on application security and securing the software supply chain. Read the Mend.io blog here.

www.mend.io/blog/

09.12.2025 11:23 👍 0 🔁 0 💬 0 📌 0
StepSecurity Blog | GitHub Actions Security Insights Dive deep into the world of GitHub Actions and CI/CD security with StepSecurity's blog.

www.stepsecurity.io/blog

09.12.2025 11:23 👍 0 🔁 0 💬 1 📌 0
Blog - Aikido Security Discover today's best security practices and the latest trends that your software company should be aware of. Stay ahead of the game and read Aikido's industry-leading blog today.

www.aikido.dev/blog

09.12.2025 11:23 👍 0 🔁 0 💬 1 📌 0
HelixGuard Supply chain security, vulnerability intelligence, and malware detection.

helixguard.ai/blog/

09.12.2025 11:22 👍 0 🔁 0 💬 1 📌 0
Wiz Blog | Latest stories about Cloud Security Guides, announcements, and articles about Cloud Security and the Wiz platform.

www.wiz.io/blog

09.12.2025 11:22 👍 0 🔁 0 💬 1 📌 0
Blog - Socket Learn about the latest security news, Socket updates and announcements.

Also in no particular order blogs that will keep you up-to-date with the latest supply chain attacks

socket.dev/blog

09.12.2025 11:22 👍 0 🔁 0 💬 1 📌 0
Compromises Catalog of Supply Chain Compromises This repository contains links to articles of software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture m...

Catalog of Supply Chain Compromises

tag-security.cncf.io/community/ca...

09.12.2025 11:17 👍 0 🔁 0 💬 1 📌 0
A Timeline of SSC Attacks, Curated by Sonatype View the history of software supply chain attacks, open source components analyzed by Sonatype

Good resources documenting software supply chain incidents

www.sonatype.com/resources/vu...

09.12.2025 11:16 👍 0 🔁 0 💬 1 📌 0

Version 1 of the OWASP AI testing guide just got published.

I promise you, from my own experience, this will save you a lot of heartache.

github.com/OWASP/www-pr...

27.11.2025 10:31 👍 42 🔁 14 💬 0 📌 1
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices

Given Shai-Hulud comeback (hello SHA1-HULUD 👋)

It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:

27.11.2025 07:01 👍 9 🔁 4 💬 2 📌 0

Shai-Hulud Returns: Over 300 NPM packages infected via fake Bun runtime within hours

helixguard.ai/blog/malicio...

24.11.2025 12:38 👍 11 🔁 2 💬 1 📌 1

Troy Parrott's 96th-minute winner keeps Ireland's World Cup hopes alive!

The 23-year-old's hat-trick earns his country victory and a spot in the play-offs, breaking Hungarian hearts in the process.

Remarkable scenes in Budapest.

16.11.2025 16:08 👍 167 🔁 21 💬 0 📌 14
Towards a secure by default GitHub Actions · community · Discussion #179107 Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...

🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...

11.11.2025 18:38 👍 6 🔁 4 💬 0 📌 0
Introduction - OWASP Top 10:2025 RC1 OWASP Top 10:2025 RC1

The release candidate of the OWASP Top 10 2025 has been released

owasp.org/Top10/2025/0...

The definitive release should be out on November 20th

07.11.2025 12:19 👍 8 🔁 11 💬 0 📌 0

There's some really big caveats to this. A thread.

05.11.2025 15:52 👍 157 🔁 74 💬 6 📌 2
Security-Focused Prompts | Vibe Coding Framework

Just prompt it the way you like. E.g. with something like this: docs.vibe-coding-framework.com/document-tem...

01.11.2025 08:59 👍 4 🔁 1 💬 1 📌 1

🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.

30.09.2025 18:06 👍 45 🔁 12 💬 7 📌 3

The press release is here: www.secretservice.gov/newsroom/rel...

Some images are below:

23.09.2025 11:59 👍 14 🔁 5 💬 2 📌 3
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages... Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

16.09.2025 18:15 👍 31 🔁 15 💬 1 📌 5
ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity The popular @ctrl/tinycolor package with over 2 million weekly downloads has been compromised alongside 40+ other NPM packages in a sophisticated supply chain attack. The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors - representing a major escalation in NPM ecosystem threats.

#NPM: The popular @ctrl/tinycolor package with over 2mln weekly downloads has been compromised alongside 40+ other NPM packages (including CrowdStrike packages!) in a sophisticated supply chain attack:
#SoftwareSupplyChainSecurity
👇

16.09.2025 14:44 👍 0 🔁 1 💬 0 📌 0

Hi everyone. The 'next day' busy-ness has fully set in.

Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.

Sincerest apologies for the delay.

09.09.2025 14:10 👍 29 🔁 3 💬 3 📌 0

🚨URGENT: A series of popular packages maintained by qix have just been compromised.

Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downloads - V1.1.1

08.09.2025 15:45 👍 5 🔁 4 💬 1 📌 1

A cryptostealer malware was pushed to a number of npm packages including debug, chalk, and a number of utility packages as a result of the compromise of a single contributor.

We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...

08.09.2025 17:21 👍 0 🔁 1 💬 0 📌 0