Nerd question about the Port of Los Angeles: anyone have insight into what the contents of "recyclable plastics (293,218 TEUs)" imported in 2024 are? Is it nurdles? Is it just consumer goods made of plastic that are being labeled recyclable? ??
StepSecurity has posted another entry on this topic:
https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised
The security incident involves a malicious payload in reviewdog GitHub Actions that targets the Runner.Worker process to extract secrets. The exploit uses a Python script that reads the process memory of the GitHub Actions runner to access stored secrets. The malicious code was found in commit SHA f0d342d24037bb11d26b9bd8496e0808ba32e9ec of reviewdog/action-setup. The script works by identifying the Runner.Worker process, mapping its memory regions, and reading the contents, which are then printed to stdout, effectively exposing secrets in build logs. This technique is similar to the previously reported tj-actions/changed-files incident.
It would appear as if Wiz may have discovered another supply-chain compromise:
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
The attack involved compromising the v1 tag of reviewdog/action-setup between March 11th 18:42 and 20:31 UTC. Unlike the tj-actions attack that used curl to retrieve a payload, this attack directly inserted a base64-encoded malicious payload into the install.sh file. When executed, the code dumped CI runner memory containing workflow secrets, which were then visible in logs as double-encoded base64 strings. The attack chain appears to have started with the compromise of reviewdog/action-setup, which was then used to compromise the tj-actions-bot Personal Access Token (PAT), ultimately leading to the compromise of tj-actions/changed-files. Organizations are advised to check for affected repositories using GitHub queries, examine workflow logs for evidence of compromise, rotate any leaked secrets, and implement preventive measures like pinning actions to specific commit hashes rather than version tags.
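The two posts above (StepSecurity's and Wiz's) end with the same two pieces of advice: pin actions to full commit SHAs rather than tags, and look through workflow logs for the double-base64-encoded strings that a memory dump leaves behind. The script below is an added example of both checks; it is not code from either write-up or from the reviewdog project. The workflow snippet, the placeholder SHA, the `some-org/some-action` name and the sample log lines are constructed for this example, and the double-base64 test is a triage heuristic rather than a definitive indicator.

```python
"""Added example (not from the StepSecurity or Wiz write-ups): two
defender-side checks that follow from the advice in the posts above.

1. audit_workflow(): find `uses:` references in a GitHub Actions workflow
   that point at a mutable tag or branch instead of a full commit SHA.
2. find_double_base64(): triage workflow log lines for tokens that decode
   twice as base64 to printable text, the shape the Wiz post describes
   for secrets leaked by the runner memory dump.

The sample workflow and log lines below are constructed for this example.
"""
import base64
import binascii
import re

# `uses: owner/repo@ref`, optionally as a list item. Local actions
# ("./path") and docker:// references carry no @ref and are skipped.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Base64 alphabet, at least 16 chars, to keep short noise words out.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def classify_ref(ref):
    """'sha' for a full 40-hex commit, 'tag' for v1 / 2.3.1 style tags,
    otherwise 'branch'. Only a SHA cannot be moved after the fact."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def audit_workflow(yaml_text):
    """Return [(action, ref, kind)] for every remote action in the workflow."""
    return [(a, r, classify_ref(r)) for a, r in USES_RE.findall(yaml_text)]


def unpinned(yaml_text):
    """Only the references a tag move or branch push could silently change."""
    return [f for f in audit_workflow(yaml_text) if f[2] != "sha"]


def _strict_b64(token):
    """Decode with validate=True so stray characters or bad padding reject."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_double_base64(log_lines):
    """Return [(line_no, token, plaintext)] for tokens that survive two strict
    base64 decodes and end as printable UTF-8. Ordinary single-encoded text
    fails the second decode (spaces, punctuation), so this filters most noise."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in B64_TOKEN_RE.findall(line):
            inner = _strict_b64(tok)
            if inner is None or not B64_TOKEN_RE.fullmatch(inner.decode("ascii", "replace")):
                continue
            plain = _strict_b64(inner)
            if plain is None:
                continue
            try:
                text = plain.decode("utf-8")
            except UnicodeDecodeError:
                continue
            if text.isprintable() and text.strip():
                hits.append((n, tok, text))
    return hits


# Constructed workflow: the SHA is a placeholder, not a real commit, and
# some-org/some-action is hypothetical. reviewdog/action-setup@v1 is the
# tag named in the posts above.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""

# Constructed secret and the double-encoded form a leaked dump would show.
FAKE_SECRET = "example-secret-not-real-123"
DOUBLE = base64.b64encode(base64.b64encode(FAKE_SECRET.encode())).decode()
SAMPLE_LOG = [
    "Run reviewdog/action-setup@v1",
    "Downloading reviewdog ... done",
    "SGVsbG8gV29ybGQh",  # single-encoded "Hello World!": must not be flagged
    f"memdump: {DOUBLE}",
]

if __name__ == "__main__":
    for action, ref, kind in unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} ({kind})")
    for n, tok, text in find_double_base64(SAMPLE_LOG):
        print(f"line {n}: double-base64 token decodes to {text!r}")
```

Run it against `.github/workflows/*.yml` and downloaded job logs. A hit from `find_double_base64` is a reason to rotate that secret, not proof on its own; a miss is not proof of safety either, since the pattern depends on how the payload chose to print what it read.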
#SupplyChain is now trending across Mastodon
The Nation's largest #egg producer is being investigated after reporting a profit of *342 PERCENT FOR THE LAST QUARTER*.
This is the same profiteering we saw after T****'s mismanagement of the #Covid #pandemic destroyed the #SupplyChain. #HistoryRepeatingItself
…#trading data & economic studies suggest #consumers in the #US will see higher #prices on products from vegetables & meat to cellphones & cars. While a few companies may not pass on the cost of the #tariff, many are likely to raise prices on their products.
“Because of the combination of these 3 countries, it’s going to be difficult to go down an aisle of a grocery store & not see some sort of inflationary effect,” said Jason Miller, a prof of #SupplyChain management at Michigan State.
#Trump
Bigger, Better, and Built to Innovate: Continuous belt 3D Printing
Introducing Our New Continuous Belt 3D Printing Technology!
3D Printing LEEDS
Website: https://www.3dprintingleeds.co.uk/3d-printing-portfolio-showcase/
Reproducible-openSUSE (RBOS) hits a milestone! 100% bit-identical packages built; boosting #supplychain #security & #software integrity! #openSUSE #Linux https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/
More supply chain thoughts.
Let's Encrypt is based in the United States.
Just launched: Supply Chain Analytics Dashboard in #rshiny! KPIs & Performance Metrics
Warehouse Utilization
Interactive Cost Analysis
stevenponce.netlify.app/projects/standalone_visualizations/sa_2025-02-16.html
#rstats | #dataviz | #supplychain | #analytics
#News: A new #study reveals consumption in developed countries drives #deforestation in tropical regions, endangering around 7,600 forest-dependent species. Time to rethink the #supplychain and to adopt a #vegan #PalmOilFree lifestyle! #BoycottPalmOil https://phys.org/news/2025-02-consumption-driven-deforestation-threatens-forest.html?utm_source=mastodon&utm_medium=Palm+Oil+Detectives&utm_campaign=publer
Delivering Malware Through Abandoned Amazon S3 Buckets
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the project... https://www.schneier.com/blog/archives/2025/02/delivering-malware-through-abandoned-amazon-s3-buckets.html
Our latest Cyber Insights for H2 2024 is live!
https://www.quad9.net/news/blog/trends-h2-2024-cyber-insights
From Credit Card Skimming to Exploiting Zero-Days
XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sectors. They have demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability. XE Group maintains long-term access to compromised systems, as evidenced by their reactivation of a webshell planted years earlier. Their recent activities involve exfiltrating config files, network reconnaissance, and deploying a Remote Access Trojan using obfuscated PowerShell commands. The group's evolution highlights their adaptability and growing threat to supply chain security.
Pulse ID: 67a1237da9ade8e303e6d713
Pulse Link: https://otx.alienvault.com/pulse/67a1237da9ade8e303e6d713
Pulse Author: AlienVault
Created: 2025-02-03 20:13:49
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Trader Joe's apparently has no eggs.
Costco has plenty.
Albertson's has eggs, but they want your firstborn and a lien on your mortgage per dozen.
(Southern California, Ventura County, Conejo Valley)
#groceryreport #birdflu #supplychain #eggs #grocery
…All of these businesses—whether from #Asia, #Europe or the #UnitedStates —would also have to contend with any added duties on components they import from #China, which remains the go-to source of many of the parts, tools & equipment.
[all of those costs, #tariffs, #taxes, #duties, #SupplyChain rerouting, shipping, relocation, etc, get passed on to the #consumer. #Prices for American consumers will go up.]
It’s not really a Trump presidency until there’s #supplychain issues, ammirite? I am indeed spending less on eggs, as there are no eggs to be had. I’m getting real #2020 vibes. #doibuybrokenones? #albuquerque #newmexico #avianflu
There is a clear upside risk to #inflation pressure next year if the #trade war b/w the US and #China escalates. The market seems to underestimate how a #tradewar could increase the risk of new #supplychain issues, chart @NordeaMarkets
Ultralytics Supply-Chain Attack
Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary:
On December 4... https://www.schneier.com/blog/archives/2024/12/ultralytics-supply-chain-attack.html
Last week the Python package "Ultralytics" suffered a supply-chain attack on its build and release process. This is a review of the attack from @pypi's perspective.
There's plenty of advice for how Python projects can increase their #security posture for their processes and repositories, please take a look:
https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/