Taming the Wild West of #ML: Practical Model Signing with #Sigstore
https://security.googleblog.com/2025/04/taming-wild-west-of-ml-practical-model.html
"When Covid hit in 2020, the diversification efforts sped up. The global pandemic — and manufacturing line shutdowns — made it painfully obvious that building everything in one place wasn’t the best idea. Then there was the toll from US inflation, but Apple held firm to its pricing strategy.
The latest tariffs promise to be the biggest test yet — especially because they go beyond China and extend to the very countries Apple has been shifting toward. As I detailed in a story this past week, these production hubs are all getting hit by the new tariffs:
- India, where Apple is increasingly building iPhones and AirPods, will have a 26% tariff.
- Vietnam, where the company now makes some AirPods, iPads, Apple Watches and Macs, will be hit with a 46% levy.
- Malaysia, where Apple is increasingly producing Macs, will have a 24% tariff.
- Thailand, where the company also makes some Macs, will get a 37% levy.
- Ireland, within the European Union, gets a 20% tariff. Apple produces some iMacs there.
- Indonesia, which will soon begin making AirTags and mesh for the AirPods Max headphones, gets a 32% tariff.
The latest tariffs will be 34% for China, bringing its total level to 54%. But the overall picture suggests Apple isn’t going to get as much benefit as hoped from diversifying away from that country. Apple will still be taking a hit on iPhones made in India, AirPods made in Vietnam and Macs made elsewhere in Asia.
There is still a chance that Cook can secure some sort of exemption or that the countries themselves will negotiate better terms. But assuming the levies are fully in place by April 9 as planned, Apple will have a big decision to make: Will it eat the costs of the tariffs, push suppliers to reduce prices, pass on the expense to customers or make further supply chain adjustments? My bet is that Apple will do a combination of all four."
New projections reveal a 4°C rise in global #temperatures would cut world #GDP by 40% by 2100. The results support limiting #globalwarming to 1.7 °C. In a hotter future, extreme weather events worldwide can trigger cascading #supplychain disruptions… (1/2) www.unsw.edu.au/newsroom/new...
New UNSW research reveals dram...
Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack – Source: www.securityweek.com https://ciso2ciso.com/compromised-spotbugs-token-led-to-github-actions-supply-chain-hack-source-www-securityweek-com/ #rssfeedpostgeneratorecho #ApplicationSecurity #SupplyChainSecurity #CyberSecurityNews #securityweekcom #GitHubactions #securityweek #supplychain
A disruption in Taiwan's exports could hit US builders hard. Drywall needs 125 screws per 100 sq. ft., and most came from Taiwan last year. A business professor breaks down the impact on U.S. imports: https://theconversation.com/more-than-just-chips-chinese-threats-and-trump-tariffs-could-disrupt-lots-of-made-in-taiwan-imports-disappointing-us-builders-cyclists-and-golfers-alike-253729 #tariffs #supplychain
Typosquatted Go Packages Deliver Malware Loader Targeting Li...
A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. The packages download and execute remote scripts that install an ELF file named f0eee999, which exhibits minimal initial malicious behavior. The campaign specifically targets UNIX-like environments, placing developers at risk. Multiple domains and fallback infrastructure suggest a persistent and adaptable threat actor. Developers are advised to implement real-time scanning tools, code audits, and careful dependency management to mitigate the risk of supply chain compromises.
Pulse ID: 67efc6e6d18160ba914fc662
Pulse Link: https://otx.alienvault.com/pulse/67efc6e6d18160ba914fc662
Pulse Author: AlienVault
Created: 2025-04-04 11:47:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation
The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.
Pulse ID: 67ef8546d1d9ef9cd8e91906
Pulse Link: https://otx.alienvault.com/pulse/67ef8546d1d9ef9cd8e91906
Pulse Author: AlienVault
Created: 2025-04-04 07:07:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack https://www.securityweek.com/compromised-spotbugs-token-led-to-github-actions-supply-chain-hack/ #ApplicationSecurity #SupplyChainSecurity #GitHubactions #SupplyChain
Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack https://www.securityweek.com/compromised-spotbugs-token-led-to-github-actions-supply-chain-hack/ #ApplicationSecurity #SupplyChainSecurity #GitHubactions #SupplyChain
"CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL"
The EU hones in on Central Asia in race for raw materials.
The EU has raised billions for the region to diversify supply chains and reduce dependence on China.
Experts say the idea is to offer competitive deals and build local industry while encouraging sustainable mining.
Bloomberg alerts sent on this:
*CANADA, MEXICO NOT SUBJECT TO RECIPROCAL TARIFFS FOR NOW
*US CONTINUES USMCA EXEMPTION FOR CANADA, MEXICO TARIFFS
BREAKING: Canada gets an exemption from Trump's baseline 10% tariffs, Bloomberg reports. At least for now, the existing tariff exemption for USMCA compliant goods will continue. (It's not immediately clear to me if Canadian autos will still get hit with the 25% tariff on foreign cars)
The list of tarifs announced today, for each country
Canada not listed, so likely 10%.
EDIT: Canada is exempted entirely beside what was announced already in the last few weeks
Unclear if it is the new baseline tariff or the extra on top of what exists already.
(No Alt text on the photos yet)
Average person will be 40% poorer if world warms by 4C
Experts say previous #economic models underestimated impact of #globalheating – as well as likely ‘cascading #supplychain disruptions’
Australian scientists study suggests average per person #GDP across the globe will be reduced by 16% even if warming is kept to 2C above pre-industrial levels. This is a much greater reduction than previous estimates, which found the reduction would be 1.4%.
https://www.theguardian.com/environment/2025/apr/01/average-person-will-be-40-poorer-if-world-warms-by-4c-new-research-shows #climate #climatechange
[#TRADESHOW] 2025 #EAC New #Energy & #Autonomous #Vehicle #Trade #Show will take place from June 4–6, 2025, at the #Hangzhou Grand #Exhibition #Center, #China. #Expo #event bridges the entire #automotive #supplychain, from raw #materials and #battery #tech to #OEMs, driving advancements in #sustainability, #safety, and #connectivity. https://cnbusinessforum.com/event/2025-eac-new-energy-autonomous-vehicle-trade-show-hangzhou/
https://www.alojapan.com/1232366/semiconductor-chip-fabrication-comes-to-hokkaido-island/ Semiconductor chip fabrication comes to Hokkaido island #hardware #Hokkaido #HokkaidoNews #innovation #news #SupplyChain #北海道 Semiconductor chip fabrication in Northern Japan.A new hands-on government approach boosts tech funding.IBM partners with local startup, backed by Sony & Toyota. The Northernmost island in the Japanese archipelago, Hokkaido, is perhaps best known for its hot springs, cold winters, spider crab delicacies, and ski-ing. B…
In today's Supply Chain News ...
Eleven oooold npm packages were hijacked to steal API keys. Wonder how many of them jise are just sitting on n someone's built pipeline with "latest" as the version parameter?
https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers
h/t to SonaType for the top notch research.
Man, npm and supply chain security... seriously a never-ending story. 
Just caught an article about "ethers-provider2" and "ethers-providerz". Get this: these things are actually infecting packages you *already* have installed! 
Speaking as a pentester, let me tell ya: you absolutely *have* to run regular checks. Your `package-lock.json`, `yarn.lock`... check 'em all! Trust me, SCA tools are worth their weight in gold in these situations. And listen up, people, MFA for your npm account? That's not some optional extra, it's a straight-up *MUST*!
I literally just had a client who thought, "Ah, npm's pretty safe, right?". Yeah, famous last words! 
So, what're your most insane supply chain attack stories? Lay 'em on me!
We're #hiring!
Two(!) full #professorships open in our department at WU Vienna (Vienna University of Economics and Business) under two complementary focus topics:
1) #Foundations of contemporary #InformationSystems, where we look for candidates who complement and strengthen the existing research at our department in areas such as:
· #ArtificialIntelligence: #AI Systems and Architectures
· #DataMining and #MachineLearning
· #DistributedSystems and #Decentralization
· #DistributedLedgers
· #Cloud and #Virtualisation
· #IoT and #EdgeComputing
· #DataGovernance for AI
2) #OperationsManagement with a focus on #DigitalTransformation, where the candidate’s expertise falls within one of the following research areas:
· #behavioural #operations
· AI application to #process improvements
· integrated #supplymanagement and #demandmanagement
· #ProductionPlanning and control
· #SupplyChain planning and control
· circular supply chains and sustainable supply chain management
· #tokenization in supply chains and new product development
Details at the link below... Please get in touch, if you want to know more!
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
Kimsuky, also known as “Black Banshee,” a North Korean APT group active at least from 2012, is believed to be state-sponsored. Their cyber espionage targets countries like South Korea, Japan, and the U.S. Their tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks and data exfiltration.
Pulse ID: 67e5c75c2569365ec3ecae21
Pulse Link: https://otx.alienvault.com/pulse/67e5c75c2569365ec3ecae21
Pulse Author: AlienVault
Created: 2025-03-27 21:47:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
