Communications

Garmin Beats Apple to Market with Satellite-Connected Smartwatch (macrumors.com) 32

Just days before Apple's expected launch of the satellite-enabled Apple Watch Ultra 3, Garmin unveiled its Fenix 8 Pro -- the company's first smartwatch with built-in inReach satellite and cellular connectivity, SOS features, and a blindingly bright 4,500-nit microLED display. MacRumors reports: With inReach, the Fenix 8 Pro can send location check-ins and text messages over satellite using the Garmin Messenger app. There is also included cellular connectivity, so the smartwatch can make phone calls, send 30-second voice messages, and provide LiveTrack links and weather forecasts when an LTE connection is available.

LiveTrack is a feature that allows the wearer's family and friends to keep track of their location during an activity or adventure. For emergencies, there is an SOS feature that will send a message to the Garmin Response center over a satellite or cellular connection. Garmin Response will then communicate with the user, their emergency contacts, and search and rescue organizations to provide help. Garmin says that its Response team has supported over 17,000 inReach incident responses across over 150 countries.
The Fenix 8 Pro smartwatch launches September 8, with the AMOLED model starting at $1,200 and the 51mm microLED version priced at $2,000. Both require a paid inReach satellite plan beginning at $7.99 per month for full functionality.
Security

FBI Warns Chinese Hacking Campaign Has Expanded, Reaching 80 Countries (msn.com) 19

The FBI and other law enforcement and intelligence agencies around the world warned Wednesday that a Chinese-government hacking campaign that previously penetrated nine U.S. telecommunications companies has expanded into other industries and regions, striking at least 200 American organizations and 80 countries. From a report: The joint advisory was issued with the close allies in the Five Eyes English-language intelligence-sharing arrangement and also agencies from Finland, Netherlands, Poland and the Czech Republic, an unusually broad array meant to demonstrate global resolve against what intelligence officials said is a pernicious campaign that exceeds accepted norms for snooping.

"The expectation of privacy here was violated, not just in the U.S., but globally," FBI Assistant Director Brett Leatherman, who heads the bureau's cyber division, told The Washington Post in an interview. Chinese hackers won deep access to major communication carriers in the U.S. and elsewhere, then extracted call records and some law enforcement directives, which allowed them to build out a map of who was calling whom and whom the U.S. suspected of spying, Leatherman said. Prominent politicians in both major U.S. parties were among the ultimate victims.

Security

Farmers Insurance Data Breach Impacts 1.1 Million People After Salesforce Attack 10

Farmers Insurance disclosed a breach affecting 1.1 million customers after attackers exploited Salesforce in a widespread campaign involving ShinyHunters and allied groups. According to BleepingComputer, the hackers stole personal data such as names, birth dates, driver's license numbers, and partial Social Security numbers. From the report: The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification (PDF) on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities."

The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year.
Further reading: Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks
United States

FBI Warns Russian Hackers Targeted 'Thousands' of Critical US Infrastructure IT Systems (thehill.com) 69

The Hill reports: Russian state-sponsored hackers have targeted thousands of networking devices associated with U.S. critical infrastructure sectors over the past year, the FBI warned Wednesday. The cyber actors are associated with the Russian Federal Security Service's (FSB) Center 16 and have taken aim at a vulnerability in certain Cisco devices, according to an agency public service announcement.

In some cases, hackers have been able to modify configuration files to enable unauthorized access, which they have used to conduct reconnaissance on networks. This has "revealed their interest in protocols and applications commonly associated with industrial control systems," the FBI said.

Cisco's threat intelligence research arm, Talos, explained in a separate advisory that a subcluster of this group, which it has named "Static Tundra," is targeting a seven-year-old vulnerability in the company's Smart Install feature. The firm has offered a patch for the vulnerability, but it remains a problem in unpatched and end-of-life network devices, it warned.

"Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering," warns the Talos blog. "This is demonstrated by the group's ability to maintain access in target environments for multiple years without being detected."

In a statement emailed to The Register, a Cisco spokesperson "said the company is aware of ongoing exploitation targeting this flaw." "We strongly urge customers to immediately upgrade to fixed software versions as outlined in the security advisory and follow our published security best practices," the spokesperson said, directing customers to the FBI's announcement and Cisco Talos blog for additional details.

The ongoing campaign targets telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe, "with victims selected based on their strategic interest to the Russian government," according to Talos researchers Sara McBroom and Brandon White. "We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government," McBroom and White wrote.

And while both security alerts focus on the FSB's latest round of network intrusions, "many other state-sponsored actors also covet the access these devices afford," the Talos team warned. "Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well."

Some context from Hot Hardware: Cisco indicated in its advisory that "Only Smart Install client switches are affected by the vulnerability". The list of affected devices is in Table A-1 here. For a successful attack, hackers exploit a vulnerability tracked as CVE-2018-0171. This was a vulnerability that was patched way back in 2018.
Microsoft

Default Microsoft 365 Domains Face 100-Email Daily Limit Starting October (theregister.com) 43

Organizations still using default Microsoft 365 email domains face severe throttling starting this October. The restrictions target the onmicrosoft.com domain that Microsoft 365 automatically assigns to new tenants, limiting external messages to 100 recipients per day starting October 15. Microsoft blames spammers who exploit new tenants for quick spam bursts before detection. Affected organizations must acquire custom domains and update primary SMTP addresses across all mailboxes -- a process that requires credential updates across devices and applications.
AI

MIT Report: 95% of Generative AI Pilots at Companies Are Failing (fortune.com) 93

The GenAI Divide: State of AI in Business 2025, a new report published by MIT's NANDA initiative, reveals that while generative AI holds promise for enterprises, most initiatives to drive rapid revenue growth are falling flat. Fortune: Despite the rush to integrate powerful new models, about 5% of AI pilot programs achieve rapid revenue acceleration; the vast majority stall, delivering little to no measurable impact on P&L. The research -- based on 150 interviews with leaders, a survey of 350 employees, and an analysis of 300 public AI deployments -- paints a clear divide between success stories and stalled projects.

To unpack these findings, I spoke with Aditya Challapally, the lead author of the report, and a research contributor to project NANDA at MIT. "Some large companies' pilots and younger startups are really excelling with generative AI," Challapally said. Startups led by 19- or 20-year-olds, for example, "have seen revenues jump from zero to $20 million in a year," he said. "It's because they pick one pain point, execute well, and partner smartly with companies who use their tools," he added.

But for 95% of companies in the dataset, generative AI implementation is falling short. The core issue? Not the quality of the AI models, but the "learning gap" for both tools and organizations. While executives often blame regulation or model performance, MIT's research points to flawed enterprise integration. Generic tools like ChatGPT excel for individuals because of their flexibility, but they stall in enterprise use since they don't learn from or adapt to workflows, Challapally explained.

AI

America's Labor Unions are Backing State Regulations for AI Use in Workplaces (msn.com) 95

"As employers and tech companies rush to deploy AI software into workplaces to improve efficiency, labor unions are stepping up work with state lawmakers across the nation to place guardrails on its use..." reports the Washington Post.

"Union leaders say they must intervene to protect workers from the potential for AI to cause massive job displacement or infringe on employment rights." In Massachusetts, the Teamsters labor union is backing a proposed state law that would require autonomous vehicles to have a human safety operator who can intervene during the ride, effectively forbidding truly driverless rides. Oregon lawmakers recently passed a bill supported by the Oregon Nurses Association that prohibits AI from using the title "nurse" or any associated abbreviations. The American Federation of Labor and Congress of Industrial Organizations, a federation of 63 national and international labor unions, launched a national task force last month to work with state lawmakers on more laws that regulate automation and AI affecting workers... The AFL-CIO task force plans to help unions take on problematic use of AI in collective bargaining and contracts and in coming months to develop a slate of model legislation available to state leaders, modeled on recently passed and newly proposed legislation in places including California and Massachusetts.
The president of the California Federation of Labor Unions also supports a proposed state law "that would prevent employers from primarily relying on AI software to automate decisions like terminations or disciplinary actions," according to the article. "Instead, humans would have to review decisions. The law would also prohibit use of tools that predict workers' behaviors, emotional states and personality."
Earth

African Union Urges Adoption of World Map Showing Continent's True Size 259

The African Union has endorsed the "Correct The Map" campaign, urging governments and global institutions to replace the distorted 16th-century Mercator projection with the Equal Earth map that more accurately represents Africa's true size. Reuters reports: "It might seem to be just a map, but in reality, it is not," AU Commission deputy chairperson Selma Malika Haddadi told Reuters, saying the Mercator fostered a false impression that Africa was "marginal," despite being the world's second-largest continent by area, with 54 nations and over a billion people. Such stereotypes influence media, education and policy, she said. Criticism of the Mercator map is not new, but the 'Correct The Map' campaign led by advocacy groups Africa No Filter and Speak Up Africa has revived the debate, urging organizations to adopt the 2018 Equal Earth projection, which tries to reflect countries' true sizes.

"The current size of the map of Africa is wrong," Moky Makura, executive director of Africa No Filter, said. "It's the world's longest misinformation and disinformation campaign, and it just simply has to stop." Fara Ndiaye, co-founder of Speak Up Africa, said the Mercator affected Africans' identity and pride, especially children who might encounter it early in school. "We're actively working on promoting a curriculum where the Equal Earth projection will be the main standard across all (African) classrooms," Ndiaye said, adding she hoped it would also be the one used by global institutions, including Africa-based ones. [...]

The Mercator projection is still widely used, including by schools and tech companies. Google Maps switched from Mercator on desktop to a 3D globe view in 2018, though users can still switch back to the Mercator if they prefer. On the mobile app, however, the Mercator projection remains the default. 'Correct The Map' wants organizations like the World Bank and the United Nations to adopt the Equal Earth map. A World Bank spokesperson said they already use the Winkel-Tripel or Equal Earth for static maps and are phasing out Mercator on web maps.
Programming

Rust's Annual Tech Report: Trusted Publishing for Packages and a C++/Rust Interop Strategy (rustfoundation.org) 25

Thursday saw the release of Rust 1.89.0. But this week the Rust Foundation also released its second comprehensive annual technology report.

A Rust Foundation announcement shares some highlights:

- Trusted Publishing [GitHub Actions authentication using cryptographically signed tokens] fully launched on crates.io, enhancing supply chain security and streamlining workflows for maintainers.

- Major progress on crate signing infrastructure using The Update Framework (TUF), including three full repository implementations and stakeholder consensus.

- Integration of the Ferrocene Language Specification (FLS) into the Rust Project, marking a critical step toward a formal Rust language specification [and "laying the groundwork for broader safety certification and formal tooling."]

- 75% reduction in CI infrastructure costs while maintaining contributor workflow stability. ["All Rust repositories are now managed through Infrastructure-as-Code, improving maintainability and security."]

- Expansion of the Safety-Critical Rust Consortium, with multiple international meetings and advances on coding guidelines aligned with safety standards like MISRA. ["The consortium is developing practical coding guidelines, aligned tooling, and reference materials to support regulated industries — including automotive, aerospace, and medical devices — adopting Rust."]

- Direct engagement with ISO C++ standards bodies and collaborative Rust-C++ exploration... The Foundation finalized its strategic roadmap, participated in ISO WG21 meetings, and initiated cross-language tooling and documentation planning. These efforts aim to unlock Rust adoption across legacy C++ environments without sacrificing safety.

The Rust Foundation also acknowledges continued funding from OpenSSF's Alpha-Omega Project and "generous infrastructure donations from organizations like AWS, GitHub, and Mullvad VPN" to the Foundation's Security Initiative, which enabled advances like including GitHub Secret Scanning and automated incident response to "Trusted Publishing" and the integration of vulnerability-surfacing capabilities into crates.io.

There was another announcement this week. In November AWS and the Rust Foundation crowdsourced "an effort to verify the Rust standard library" — and it's now resulted in a new formal verification tool called "Efficient SMT-based Context-Bounded Model Checker" (or ESBMC). This winning contribution adds ESBMC — a state-of-the-art bounded model checker — to the suite of tools used to analyze and verify Rust's standard library. By integrating through Goto-Transcoder, they enabled ESBMC to operate seamlessly in the Rust verification workflow, significantly expanding the scope and flexibility of verification efforts...

This achievement builds on years of ongoing collaboration across the Rust and formal verification communities... The collaboration has since expanded. In addition to verifying the Rust standard library, the team is exploring the use of formal methods to validate automated C-to-Rust translations, with support from AWS. This direction, highlighted by AWS Senior Principal Scientist Baris Coskun and celebrated by the ESBMC team in a recent LinkedIn post, represents an exciting new frontier for Rust safety and verification tooling.

Security

Citizen Lab Director Warns Cyber Industry About US Authoritarian Descent (techcrunch.com) 103

An anonymous reader quotes a report from TechCrunch: Ron Deibert, the director of Citizen Lab, one of the most prominent organizations investigating government spyware abuses, is sounding the alarm to the cybersecurity community and asking them to step up and join the fight against authoritarianism. On Wednesday, Deibert will deliver a keynote at the Black Hat cybersecurity conference in Las Vegas, one of the largest gatherings of information security professionals of the year. Ahead of his talk, Deibert told TechCrunch that he plans to speak about what he describes as a "descent into a kind of fusion of tech and fascism," and the role that the Big Tech platforms are playing, and "propelling forward a really frightening type of collective insecurity that isn't typically addressed by this crowd, this community, as a cybersecurity problem."

Deibert described the recent political events in the United States as a "dramatic descent into authoritarianism," but one that the cybersecurity community can help defend against. "I think alarm bells need to be rung for this community that, at the very least, they should be aware of what's going on and hopefully they can not contribute to it, if not help reverse it," Deibert told TechCrunch. [...] "I think that there comes a point at which you have to recognize that the landscape is changing around you, and the security problems you set out for yourselves are maybe trivial in light of the broader context and the insecurities that are being propelled forward in the absence of proper checks and balances and oversight, which are deteriorating," said Deibert.

Deibert is also concerned that big companies like Meta, Google, and Apple could take a step back in their efforts to fight against government spyware -- sometimes referred to as "commercial" or "mercenary" spyware -- by gutting their threat intelligence teams. [...] Deibert believes there is a "huge market failure when it comes to cybersecurity for global civil society," a part of the population that generally cannot afford to get help from big security companies that typically serve governments and corporate clients. "This market failure is going to get more acute as supporting institutions evaporate and attacks on civil society amplify," he said. "Whatever they can do to contribute to offset this market failure (e.g., pro bono work) will be essential to the future of liberal democracy worldwide," he said. Deibert is concerned that these threat intelligence teams could be cut or at least reduced, given that the same companies have cut their moderation and safety teams. He told TechCrunch that threat intelligence teams, like the ones at Meta, are doing "amazing work," in part by staying siloed and separate from the commercial arms of their wider organizations. "But the question is how long will that last?" said Deibert.

The Courts

OpenAI Offers 20 Million User Chats In ChatGPT Lawsuit. NYT Wants 120 Million. (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: OpenAI is preparing to raise what could be its final defense to stop The New York Times from digging through a spectacularly broad range of ChatGPT logs to hunt for any copyright-infringing outputs that could become the most damning evidence in the hotly watched case. In a joint letter (PDF) Thursday, both sides requested to hold a confidential settlement conference on August 7. Ars confirmed with the NYT's legal team that the conference is not about settling the case but instead was scheduled to settle one of the most disputed aspects of the case: news plaintiffs searching through millions of ChatGPT logs. That means it's possible that this week, ChatGPT users will have a much clearer understanding of whether their private chats might be accessed in the lawsuit. In the meantime, OpenAI has broken down (PDF) the "highly complex" process required to make deleted chats searchable in order to block the NYT's request for broader access.

Previously, OpenAI had vowed to stop what it deemed was the NYT's attempt to conduct "mass surveillance" of ChatGPT users. But ultimately, OpenAI lost its fight to keep news plaintiffs away from all ChatGPT logs. After that loss, OpenAI appears to have pivoted and is now doing everything in its power to limit the number of logs accessed in the case -- short of settling -- as its customers fretted over serious privacy concerns. For the most vulnerable users, the lawsuit threatened to expose ChatGPT outputs from sensitive chats that OpenAI had previously promised would be deleted. Most recently, OpenAI floated a compromise, asking the court to agree that news organizations didn't need to search all ChatGPT logs. The AI company cited the "only expert" who has so far weighed in on what could be a statistically relevant, appropriate sample size -- computer science researcher Taylor Berg-Kirkpatrick. He suggested that a sample of 20 million logs would be sufficient to determine how frequently ChatGPT users may be using the chatbot to regurgitate articles and circumvent news sites' paywalls. But the NYT and other news organizations rejected the compromise, OpenAI said in a filing (PDF) yesterday. Instead, news plaintiffs have made what OpenAI said was an "extraordinary request that OpenAI produce the individual log files of 120 million ChatGPT consumer conversations."

That's six times more data than Berg-Kirkpatrick recommended, OpenAI argued. Complying with the request threatens to "increase the scope of user privacy concerns" by delaying the outcome of the case "by months," OpenAI argued. If the request is granted, it would likely trouble many users by extending the amount of time that users' deleted chats will be stored and potentially making them vulnerable to a breach or leak. As negotiations potentially end this week, OpenAI's co-defendant, Microsoft, has picked its own fight with the NYT over its internal ChatGPT equivalent tool that could potentially push the NYT to settle the disputes over ChatGPT logs.

Science

Fraudulent Scientific Papers Are Rapidly Increasing, Study Finds (nytimes.com) 74

For years, whistle-blowers have warned that fake results are sneaking into the scientific literature at an increasing pace. A new statistical analysis backs up the concern. From a report: A team of researchers found evidence of shady organizations churning out fake or low-quality studies on an industrial scale. And their output is rising fast, threatening the integrity of many fields.

"If these trends are not stopped, science is going to be destroyed," said Luís A. Nunes Amaral, a data scientist at Northwestern University and an author of the study, which was published in the Proceedings of the National Academy of Sciences on Monday. Science has made huge advances over the past few centuries only because new generations of scientists could read about the accomplishments of previous ones. Each time a new paper is published, other scientists can explore the findings and think about how to make their own discoveries.
Fake scientific papers produced by commercial "paper mills" are doubling every year and a half, according to the report. Northwestern University researchers examined over one million papers and identified networks of fraudulent studies sold to scientists seeking to pad their publication records. The team estimates the actual scope of fraud may be 100 times greater than currently detected cases. Paper mills charge hundreds to thousands of dollars for fake authorship and often target specific research fields like microRNA cancer studies.
Security

CrowdStrike Investigated 320 North Korean IT Worker Cases In the Past Year (cyberscoop.com) 11

An anonymous reader quotes a report from CyberScoop: North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday. "We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity," Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report. "We see them almost every day now," he said, referring to the North Korean state-sponsored group of North Korean technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe.

CrowdStrike's threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30. CrowdStrike researchers found that Famous Chollima fueled that pace of activity with an assist from generative artificial intelligence tools that helped North Korean operatives maneuver workflows and evade detection during the hiring process. "They use generative AI across all stages of their operation," Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found. CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs -- sometimes three to four -- they worked simultaneously.

Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions -- 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period. CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said. "We're up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters," otherwise unnamed threat groups or individuals under development, Meyers said.

Microsoft

Microsoft Used China-Based Engineers to Support Product Recently Hacked by China (propublica.org) 27

Microsoft announced last month that Chinese state-sponsored hackers exploited vulnerabilities in SharePoint to breach hundreds of companies and government agencies, including the National Nuclear Security Administration and Department of Homeland Security. The company omitted that SharePoint support is handled by China-based engineers who have maintained the software for years.

ProPublica reviewed screenshots of Microsoft's internal systems showing China-based employees recently fixing bugs for SharePoint "OnPrem," the version targeted in the attacks. Microsoft told the publication that the China-based team operates under U.S. supervision and the company is relocating this work.
IT

Belgium Bans Internet Archive's 'Open Library' (torrentfreak.com) 34

A Brussels court has issued an unusually broad site-blocking order targeting Internet Archive's Open Library alongside shadow libraries including Anna's Archive, Libgen, and Z-Library. The order, requested by publishing and author organizations, directs an unprecedented range of intermediaries to take action beyond traditional ISP blocks.

Search engines, DNS resolvers, advertisers, domain name services, CDNs, hosting companies, and payment processors -- including Google, Microsoft, Cloudflare, Amazon Web Services, PayPal, and Starlink -- must restrict access to the targeted sites. The court found "clear and significant infringement" in the ex parte proceeding.
Earth

Google's AlphaEarth AI Maps Any 10-Meter Area on Earth Using Satellite Data (blog.google) 8

Google today announced AlphaEarth Foundations, a new AI model that processes terabytes of daily satellite data to track environmental changes across the planet. The system, part of Google's broader Earth AI initiative, uses machine learning to compress satellite imagery into color-coded maps showing material properties, vegetation types, groundwater sources, and human constructions down to 10-meter resolution.

The model uses a technique called "embeddings" that reduces storage requirements by 16 times compared to other AI tools Google tested, while delivering 23.9% higher accuracy than similar systems. AlphaEarth has already mapped complex Antarctic terrain and identified variations in Canadian agricultural land use invisible to direct observation.

The technology currently powers flood and wildfire alerts in Google Search and Maps. Research organizations including Brazil's MapBiomas and the Global Ecosystems Atlas are using the system to analyze rainforests, deserts, and wetlands. The model integrates with Google Earth Engine, providing agencies like NASA and the Forest Service access to over one trillion annual data points for environmental monitoring and mapping applications.
AI

Cisco Donates the AGNTCY Project to the Linux Foundation 7

Cisco has donated its AGNTCY initiative to the Linux Foundation, aiming to create an open-standard "Internet of Agents" to allow AI agents from different vendors to collaborate seamlessly. The project is backed by tech giants like Google Cloud, Dell, Oracle and Red Hat. "Without such an interoperable standard, companies have been rushing to build specialized AI agents," writes ZDNet's Steven Vaughan-Nichols. "These work in isolated silos that cannot work and play well with each other. This, in turn, makes them less useful for customers than they could be." From the report: AGNTCY was first open-sourced by Cisco in March 2025 and has since attracted support from over 75 companies. By moving it under the Linux Foundation's neutral governance, the hope is that everyone else will jump on the AGNTCY bandwagon, thus making it an industry-wide standard. The Linux Foundation has a long history of providing common ground for what otherwise might be contentious technology battles. The project provides a complete framework to solve the core challenges of multi-agent collaboration:

- Agent Discovery: An Open Agent Schema Framework (OASF) acts like a "DNS for agents," allowing them to find and understand the capabilities of others.
- Agent Identity: A system for cryptographically verifiable identities ensures agents can prove who they are and perform authorized actions securely across different vendors and organizations.
- Agent Messaging: A protocol named Secure Low-latency Interactive Messaging (SLIM) is designed for the complex, multi-modal communication patterns of agents, with built-in support for human-in-the-loop interaction and quantum-safe security.
- Agent Observability: A specialized monitoring framework provides visibility into complex, multi-agent workflows, which is crucial for debugging probabilistic AI systems.

You may well ask, aren't there other emerging AI agency standards? You're right. There are. These include the Agent2Agent (A2A) protocol, which was also recently contributed to the Linux Foundation, and Anthropic's Model Context Protocol (MCP). AGNTCY will help agents using these protocols discover each other and communicate securely. In more detail, it looks like this: AGNTCY enables interoperability and collaboration in three primary ways:

- Discovery: Agents using the A2A protocol and servers using MCP can be listed and found through AGNTCY's directories. This enables different agents to discover each other and understand their functions.
- Messaging: A2A and MCP communications can be transported over SLIM, AGNTCY's messaging protocol designed for secure and efficient agent interaction.
- Observability: The interactions between these different agents and protocols can be monitored using AGNTCY's observability software development kits (SDKs), which increase transparency and help with debugging complex workflows.

You can view AGNTCY's code and documentation on GitHub.
Open Source

Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification (googleblog.com) 13

This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts.

It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.")

Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. Building on the hosted infrastructure model that we pioneered with OSS Fuzz for memory issue detection, OSS Rebuild similarly seeks to use hosted resources to address security challenges in open source, this time aimed at securing the software supply chain...

We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries — providing rebuild provenance for many of their most popular packages — is just the beginning of our journey...

OSS Rebuild helps detect several classes of supply chain compromise:

- Unsubmitted Source Code: When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact.

- Build Environment Compromise: By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether.

- Stealthy Backdoors: Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review.


For enterprises and security professionals, OSS Rebuild can...

- Enhance metadata without changing registries by enriching data for upstream packages. No need to maintain custom registries or migrate to a new package ecosystem.

- Augment SBOMs by adding detailed build observability information to existing Software Bills of Materials, creating a more complete security picture...

- Accelerate vulnerability response by providing a path to vendor, patch, and re-host upstream packages using our verifiable build definitions...


The easiest (but not only!) way to access OSS Rebuild attestations is to use the provided Go-based command-line interface.

"With OSS Rebuild's existing automation for PyPI, npm, and Crates.io, most packages obtain protection effortlessly without user or maintainer intervention."
Microsoft

Microsoft Says Some SharePoint Server Hackers Now Using Ransomware (reuters.com) 26

A cyber-espionage campaign exploiting vulnerable Microsoft server software has escalated to deploying ransomware against victims, Microsoft said, marking a significant shift from typical state-backed data theft operations to attacks designed to paralyze networks until payment is made. The campaign by a group Microsoft calls "Storm-2603" has compromised at least 400 organizations, according to Netherlands-based cybersecurity firm Eye Security, quadrupling from 100 victims cataloged over the weekend. The National Institutes of Health confirmed one server was breached and additional servers were isolated as a precaution, while reports indicate the Department of Homeland Security and multiple other federal agencies were also compromised.
United States

US Nuclear Weapons Agency 'Among 400 Organizations Breached By Chinese Hackers' (slashdot.org) 26

A cyber-espionage campaign exploiting unpatched Microsoft SharePoint vulnerabilities has breached approximately 400 organizations worldwide, including the US National Nuclear Security Administration, according to Netherlands-based cybersecurity firm Eye Security. The figure represents a four-fold increase from 100 organizations cataloged over the weekend, with researchers calling it likely an undercount since not all attack vectors leave detectable artifacts.

Microsoft identified three Chinese groups -- state-backed Linen Typhoon and Violet Typhoon, plus China-based Storm-2603 -- as exploiting the vulnerabilities in on-premises SharePoint servers to steal authentication credentials and execute malicious code remotely. The campaign began July 7 and was first detected July 18 when Eye Security found unusual activity on a customer's server. Victims include the US Energy Department, Education Department, Florida's Department of Revenue, Rhode Island General Assembly, and European and Middle Eastern governments.
