Summary

Total Articles Found: 14

Top Articles:

  • Hackers remotely start, unlock Honda Civics with $300 tech
  • Marriott Hotels admits to third data breach in 4 years
  • Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info
  • Shape-shifting cryptominer savages Linux endpoints and IoT
  • Google settles location tracking lawsuit for only $39.9M
  • 'Almost every Apple device' vulnerable to CocoaPods supply chain attack
  • School laptop auction devolves into extortion allegation
  • WordPress-powered sites backdoored after FishPig suffers supply chain attack
  • That 3CX supply chain attack keeps getting worse: Other vendors hit
  • UK trio pleads guilty to running $10M MFA bypass biz

'Almost every Apple device' vulnerable to CocoaPods supply chain attack

Published: 2024-07-02 07:32:06

Popularity: 31

Author: Brandon Vigliarolo

🤖: "Vulnerable iOS"

Dependency manager used in millions of apps leaves a bitter taste

CocoaPods, an open-source dependency manager used in over three million applications coded in Swift and Objective-C, left thousands of packages exposed and ready for takeover for nearly a decade – thereby creating opportunities for supply chain attacks on iOS and macOS apps, according to security researchers.…

Google settles location tracking lawsuit for only $39.9M

Published: 2023-05-22 14:45:07

Popularity: 36

Author: Brandon Vigliarolo

Also, more OEM Android malware, Google's bug reports (mostly) ditch CVEs, and this week's critical vulns

In brief

Google has settled another location tracking lawsuit, yet again being fined a relative pittance.…

That 3CX supply chain attack keeps getting worse: Other vendors hit

Published: 2023-04-24 03:27:05

Popularity: 23

Author: Brandon Vigliarolo

Also, Finland sentences CEO of breach company to prison (kind of), and this week's laundry list of critical vulns

In Brief

We thought it was probably the case when the news came out, but now it's been confirmed: The X_Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer.…

School laptop auction devolves into extortion allegation

Published: 2023-02-06 07:32:11

Popularity: 29

Author: Brandon Vigliarolo

Also: Atlassian says Jira has a 9.4 severity bug and the TSA issues milquetoast no-fly list security advisory

When a Texas school district sold some old laptops at auction last year, it probably didn't expect to end up in a public legal fight with a local computer repair shop – but a debate over what to do with district data found on the liquidated machines has led to precisely that.…

WordPress-powered sites backdoored after FishPig suffers supply chain attack

Published: 2022-09-15 02:12:07

Popularity: 28

Author: Brandon Vigliarolo

And two other security snafus in this web publishing world

It's only been a week or so, and obviously there are at least three critical holes in WordPress plugins and tools that are being exploited in the wild right now to compromise loads of websites.…

GPT-3 'prompt injection' attack causes bad bot manners

Published: 2022-09-19 13:37:53

Popularity: 13

Author: Brandon Vigliarolo

Also, EA goes kernel-deep to stop cheaters, PuTTY gets hijacked by North Korea, and more.

In Brief

OpenAI's popular natural language model GPT-3 has a problem: It can be tricked into behaving badly by doing little more than telling it to ignore its previous orders.…

Shape-shifting cryptominer savages Linux endpoints and IoT

Published: 2022-09-10 11:00:07

Popularity: 38

Author: Brandon Vigliarolo

Also, Authorities seize WT1SHOP selling 5.8m sets of PII, The North Face users face tough security hike

In brief

AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones.…

Marriott Hotels admits to third data breach in 4 years

Published: 2022-07-06 14:00:13

Popularity: 55

Author: Brandon Vigliarolo

Digital thieves made off with 20GB of internal documents and customer data

Updated

Crooks have reportedly made off with 20GB of data from Marriott Hotels, which apparently included credit card info and internal company documents.…

Hackers remotely start, unlock Honda Civics with $300 tech

Published: 2022-03-25 15:00:05

Popularity: 168

Author: Brandon Vigliarolo

Any models made between 2016 and 2020 can have key fob codes sniffed and re-transmitted

If you're driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.…

OpenSSL patches crash-me bug triggered by rogue certs

Published: 2022-03-15 20:40:18

Popularity: 18

Author: Brandon Vigliarolo

Bad data can throw vulnerable apps and services for an infinite loop

A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve.…

OpenSSF sings a Siren song to steer developers away from buggy FOSS

Published: 2024-05-20 23:06:10

Popularity: 11

Author: Brandon Vigliarolo

🤖: "Siren song of bugs"

New infosec intelligence service aims to spread the word about recently discovered vulns in free code

Securing open source software may soon become a little bit easier thanks to a new vulnerability info-sharing effort initiated by the Open Source Security Foundation (OpenSSF).…

Patch management still seemingly abysmal because no one wants the job

Published: 2024-07-25 07:27:06

Popularity: 10

Author: Brandon Vigliarolo

🤖: "No one wants the task"

Are your security and ops teams fighting to pass the buck?

Comment

Patching: The bane of every IT professional's existence. It's a thankless, laborious job that no one wants to do, goes unappreciated when it interrupts work, and yet it's more critical than ever in this modern threat landscape.…

UK trio pleads guilty to running $10M MFA bypass biz

Published: 2024-09-03 21:30:07

Popularity: 19

Author: Brandon Vigliarolo

🤖: "Phishing for cash"

Crew bragged they could help crooks raid victims' bank accounts

Updated

A trio of men have pleaded guilty to running a multifactor authentication (MFA) bypass ring in the UK, which authorities estimate has raked in millions in less than two years.…

Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info

Published: 2024-10-30 15:12:39

Popularity: 48

Author: Brandon Vigliarolo

🤖: "Mickey messed up"

If you're gonna come at the mouse, you need to be better at hiding your tracks

A disgruntled ex-Disney employee has been arrested and charged with hacking his former employer's systems to alter restaurant menus with potentially deadly consequences.…
