The company said it found more evidence of compromise across its customer base. Exposure, which has yet to be defined, poses significant downstream risk.

The attack, which originated at Context.ai, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions.

Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the…

The company said a developer tool automatically retrieved a malicious version of the popular open-source library, but insists the integrity of its systems and software were not…

The program comes as the tech industry races to secure software before similar AI-powered offensive capabilities become too much for defenders to handle.

Attackers compromised the open-source security tool and published malicious versions of the software. Mandiant warns the fallout could impact up to 10,000 downstream victims.

Attackers can exploit the defect in the widely deployed pac4j with relative ease, but researchers haven’t observed active exploitation in the wild.

Tom Cotton, R-Okla., cited Chinese and Russian involvement in open-source tech and the risks to government and defense systems.

A debate over actual exploitation is muddying response efforts. Multiple researchers say they’ve observed working proof of concepts while others assert evidence of attacks is lacking.

The open-source code library is one of the most extensively used application frameworks. Wiz found vulnerable versions in around 39% of cloud environments.