Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages
"We have removed all malicious artifacts from the affected registries and channels," Trivy maintainer Itay Shakury posted today, noting that all the latest Trivy releases "now point to a safe version." But "On March 19, we observed that a threat actor used a compromised credential..."
And today The Hacker News reported the same attackers are now "suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages..." (The attackers apparently leveraged a postinstall hook "to execute a loader, which then drops a Python backdoor that's responsible for contacting the ICP canister dead drop to retrieve a URL pointing to the next-stage payload.")
The development marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said... Persistence is established by means of a systemd user service, which is configured to automatically start the Python backdoor after a 5-second delay if it gets terminated for some reason by using the "Restart=always" directive. The systemd service masquerades as PostgreSQL tooling ("pgmon") in an attempt to fly under the radar...
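A defender-side way to act on the persistence detail quoted above, added here as an example that is not part of the Slashdot story or the articles it quotes: parse a systemd user unit and flag the traits the reporting describes (a name that claims PostgreSQL tooling, an `ExecStart` that really launches a script interpreter from a home directory, and `Restart=always`). The unit text and the `pgmon.service` name are constructed for illustration.

```python
import re

# Constructed unit file modelled on the behaviour the article describes, not a
# sample taken from the malware: the description claims PostgreSQL tooling, but
# ExecStart runs a Python script under $HOME and the unit restarts unconditionally.
SAMPLE_UNIT = """[Unit]
Description=PostgreSQL monitoring agent

[Service]
ExecStart=/usr/bin/python3 /home/dev/.config/pgmon/pgmon.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""

# Interpreters that a "database tool" has little reason to be launched through.
INTERPRETERS = re.compile(r"(^|/)(python[0-9.]*|perl|node|sh|bash)(\s|$)")
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_service(text):
    """Return the key/value pairs of the [Service] section (last value wins)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def review_unit(unit_name, text):
    """Return the reasons a user unit deserves a closer look (empty = nothing odd)."""
    svc = parse_service(text)
    exec_start = svc.get("ExecStart", "")
    binary = exec_start.split()[0] if exec_start else ""
    reasons = []
    if INTERPRETERS.search(binary):
        reasons.append("ExecStart launches a script interpreter")
    if any(p in exec_start for p in USER_WRITABLE):
        reasons.append("ExecStart references a user-writable path")
    if svc.get("Restart") == "always":
        reasons.append("Restart=always revives the process whenever it is killed")
    if re.search(r"pg|postgres", unit_name, re.I) and "postgres" not in exec_start:
        reasons.append("name suggests PostgreSQL tooling but ExecStart does not run it")
    return reasons
```

Run it over `~/.config/systemd/user/*.service` on developer machines and CI runners; a genuine PostgreSQL unit that starts the real `postgres` binary with `Restart=on-failure` produces no findings.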
In tandem, the packages come with a "deploy.js" file that the attacker runs manually to spread the malicious payload to every package a stolen npm token provides access to in a programmatic fashion. The worm, assessed to be vibe-coded using an AI tool, makes no attempt to conceal its functionality. "This isn't triggered by npm install," Aikido said. "It's a standalone tool the attacker runs with stolen tokens to maximize blast radius."
To make matters worse, a subsequent iteration of CanisterWorm detected in "@teale.io/eslint-config" versions 1.8.11 and 1.8.12 has been found to self-propagate on its own without the need for manual intervention... [Aikido Security researcher Charlie Eriksen said] "Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats."
So far affected packages include 28 in the @EmilGroup scope and 16 packages in the @opengov scope, according to the article, blaming the attack on "a cloud-focused cybercriminal operation known as TeamPCP."
Ars Technica explains that Trivy had "inadvertently hardcoded authentication secrets in pipelines for developing and deploying software updates," leading to a situation where attacks "compromised virtually all versions" of the widely used Trivy vulnerability scanner:
Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies... "If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately," Shakury wrote.
Security firms Socket and Wiz said that the malware, triggered in 75 compromised trivy-action tags, causes custom malware to thoroughly scour development pipelines, including developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and whatever other secrets may live there. Once found, the malware encrypts the data and sends it to an attacker-controlled server. The end result, Socket said, is that any CI/CD pipeline using software that references compromised version tags executes code as soon as the Trivy scan is run... "In our initial analysis the malicious code exfiltrates secrets with a primary and backup mechanism. If it detects it is on a developer machine it additionally writes a base64 encoded python dropper for persistence...."
Although the mass compromise began Thursday, it stems from a separate compromise last month of the Aqua Trivy VS Code extension for the Trivy scanner, Shakury said. In the incident, the attackers compromised a credential with write access to the Trivy GitHub account. Shakury said maintainers rotated tokens and other secrets in response, but the process wasn't fully "atomic," meaning it didn't thoroughly remove credential artifacts such as API keys, certificates, and passwords to ensure they couldn't be used maliciously.
"This [failure] allowed the threat actor to perform authenticated operations, including force-updating tags, without needing to exploit GitHub itself," Socket researchers wrote.
Pushing to a branch or creating a new release would've appeared in the commit history and triggered notifications, Socket pointed out, so "Instead, the attacker force-pushed 75 existing version tags to point to new malicious commits." (Trivy's maintainer says "we've also enabled immutable releases since the last breach.")
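The force-pushed tags worked because a workflow that says `uses: owner/action@tag` follows wherever the tag points. As an added example (not code from the Slashdot story, Socket, or the Trivy project), the checker below lists every `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-character commit SHA, the one reference a force-push cannot silently move. The workflow text, the trivy-action version and the SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page): two steps reference mutable
# tags, one is pinned to a full commit SHA. The trivy-action version and the
# SHA are placeholders, not real releases.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.99.0
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # constructed SHA
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_uses(workflow_text):
    """Yield (line_no, action, ref) for every `uses:` entry that carries a ref."""
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # not a `uses:` line, or a local action such as ./.github/actions/x
        action, ref = m.group(1).rsplit("@", 1)
        yield n, action, ref


def unpinned_actions(workflow_text):
    """Return [(line_no, action, ref)] for entries not pinned to a full commit SHA.

    A tag or branch can be re-pointed at a different commit with no change to the
    workflow file; a 40-hex-character SHA identifies one immutable commit.
    """
    return [(n, a, r) for n, a, r in find_uses(workflow_text)
            if not FULL_SHA_RE.match(r)]


if __name__ == "__main__":
    for n, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
```

Pinning by SHA only helps if the SHA was verified against the upstream repository when it was written, so keep the human-readable version in a trailing comment and review it when the pin is bumped.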
Ars Technica notes Trivy's vulnerability scanner has 33,200 stars on GitHub, so "the potential fallout could be severe."
Read more of this story at Slashdot.