Weekly Security Roundup: Trusted Publishing, Signing, and Response
Recent updates in security emphasize supply chain protection, vulnerability remediation, artifact signing, and up-to-date governance for developers working in increasingly risk-aware environments.
Package Registry and Supply Chain Security
NuGet.org now supports Trusted Publishing with short-lived OIDC tokens through GitHub Actions, replacing static keys and improving .NET package safety. Updates to the npm registry include enforced 2FA, short-lived tokens, and trusted publishing. Chainguard’s curated JavaScript repository adds SLSA provenance and malware scanning for safer dependencies.
- New Trusted Publishing Enhances Security on NuGet.org
- GitHub's Roadmap for Strengthening npm Supply Chain Security
- How GitHub Plans to Secure npm After Recent Supply Chain Attacks
- Chainguard Launches Curated JavaScript Libraries to Enhance Software Supply Chain Security
Code Scanning, Static Analysis, and Remediation Workflows
CodeQL 2.23.1 introduces improved language detection and query updates for common vulnerability classes such as SSRF and CORS misconfiguration. Incremental analysis speeds up scanning for pull requests, and GitHub Security Campaigns with Assignable Alerts help teams coordinate and track remediation within CI flows.
- CodeQL 2.23.1 Released: Java 25, TypeScript 5.9, and Swift 6.1.3 Support
- Incremental Security Analysis with CodeQL Now Available Across All Languages
- Accelerate Remediation with GitHub Security Campaigns and Assignable Alerts
Artifact Signing, Infrastructure, and Cloud Security
Azure Trusted Signing (public preview) and Notary Project now support integrated signing of OCI images, SBOMs, and Helm charts, helping automate certificate handling for CI/CD. An RBAC model for AI Landing Zones and a secure Azure Databricks deployment using Private Link and Azure Firewall provide templates for operational security in regulated environments.
- Simplify Image Signing and Verification with Notary Project and Trusted Signing (Public Preview)
- Enterprise-Ready RBAC Model for Azure AI Landing Zone
- Securing Azure Databricks Serverless with Private Link and Azure Firewall
Threat Intelligence, Malware, and Incident Response
Microsoft details the latest XCSSET malware variant targeting macOS dev tools, with mitigation strategies for Defender XDR users. A retail sector incident report outlines tactics for responding to SharePoint-based attacks, stressing rapid patching and Zero Trust controls. Microsoft Threat Intelligence reports on detecting new AI-obfuscated phishing techniques, showcasing layered defense strategies.
- Latest XCSSET Malware Variant: Technical Deep Dive and Mitigation Guidance
- Retail at Risk: How a Single Alert Uncovered a Major Cyberthreat
- AI-Obfuscated Phishing Campaign Detection by Microsoft Threat Intelligence
Identity, Data Protection, and Developer Security Skills
A Microsoft Entra Suite guide outlines unified identity, access, risk, passwordless options, and multi-cloud gateways for Zero Trust. Purview’s DLP and sensitivity labeling (now GA for Fabric) assist with policy enforcement and auditing. OneLake Catalog previews a centralized security permissions tab. An Azure OpenAI customer success story demonstrates Application Gateway and network security groups (NSGs) for secure access. A DevSecOps guide covers career progression and practical skills for developers.
- Microsoft Entra Suite: The Future of Identity and Access Security
- Protecting Microsoft Fabric Data with Purview DLP and Sensitivity Labels
- View and Manage Security in the OneLake Catalog (Preview)
- Securing Azure OpenAI Access from On-Premises with Application Gateway: A Customer Success Story
- The DevSecOps Career Path: What No One Tells You About Getting Started
Other Security News
A practical guide details JWT authentication and authorization for MCP servers in agentic platforms and microservices. GitHub’s Bug Bounty program increases incentives for Copilot ecosystem vulnerability research during Cybersecurity Awareness Month, inviting more robust security testing of developer tooling.