AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack
AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack Today's Highlights This week, a critical RCE vulnerability in AMD hardware went unpatched, highlighting vendor inaction, while GitHub significantly enhanced its secret scanning using LLM-driven verification to reduce false positives. Additionally, a widespread supply chain attack compromised hundreds of AUR packages with an infostealer, demanding immediate attention from Arch Linux users. The RCE that AMD wouldn't fix (Hacker News) Source: https://mrbruh.com/amd2/ This report details a critical Remote Code Execution (RCE) vulnerability affecting AMD hardware, which the vendor reportedly declined to fix. The article delves into the technical specifics of the RCE, outlining the exploit vector and potential impact. Such vulnerabilities allow attackers to execute arbitrary code on a compromised system, often leading to full system control, data exfiltration, or further network penetration. The disclosure highlights the challenges faced by security researchers when vendors are unresponsive to critical findings, leaving users exposed. It emphasizes the importance of independent security research and transparent vulnerability reporting for the wider tech ecosystem. Comment: A developer should be deeply concerned when a major hardware vendor like AMD refuses to patch a severe RCE. This forces users to either accept the risk or seek third-party mitigations, underscoring the need for robust supply chain security diligence beyond just software. Making secret scanning more trustworthy: Reducing false positives at scale (GitHub Blog) Source: https://github.blog/security/making-secret-scanning-more-trustworthy-reducing-false-positives-at-scale/ GitHub's security team details their efforts to enhance their secret scanning service by significantly reducing false positives. The article focuses on the implementation of context-aware LLM (Large Language Model) reasoning in the verification step of secret