Welcome back to Week in Review. This week, weβre looking at OpenAIβs last β and biggest β announcement from its β12 Days of OpenAIβ event; Appleβs potential entrance into the foldable market; and why Databricks is choosing to wait to go public. Letβs get into it. P.S. Weβre off for the holidays! Week in Review [β¦]
Microsoft-owned GitHub announced on Wednesday a free version of its popular Copilot code completion/AI pair programming tool, which will also now ship by default with Microsoftβs popular VS Code editor. Until now, most developers had to pay a monthly fee, starting at $10 per month, with only verified students, teachers, and open source maintainers getting [β¦]
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.
Unusual longevity
The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.
The open source funding problem is very real, but a slew of initiatives have emerged of late, with startups, corporations, and venture capitalists launching various programs to support some of the most critical projects via equity-free financing. Today itβs GitHubβs turn, launching the GitHub Secure Open Source Fund with an initial commitment of $1.25 million [β¦]