❌

Reading view

↗️

Supply-chain attacks on open source software are getting out of hand

βœ‡Ars Technica
By:Dan Goodin

It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.

The latest target, according to security firm Socket, is JavaScript code available on repository npm. A total of 10 packages available from the npm page belonging to global talent agency Toptal contained malware and were downloaded by roughly 5,000 users before the supply-chain attack was detected. The packages have since been removed. This was the third supply-chain attack Socket has observed on npm in the past week.

Poisoning the well

The hackers behind the attack pulled it off by first compromising Toptal’s GitHub Organization and from there using that access to publish the malicious packages on npm.

Read full article

Comments

Β© CHUYN / Getty Images

  •  
  • ↗️
↗️

Destructive malware available in NPM repo went unnoticed for 2 years

βœ‡Ars Technica
By:Dan Goodin

Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.

Eight packages using names that closely mimicked those of widely used legitimate packages contained destructive payloads designed to corrupt or delete important data and crash systems, Kush Pandya, a researcher at security firm Socket, reported Thursday. The packages have been available for download for more than two years and accrued roughly 6,200 downloads over that time.

A diversity of attack vectors

β€œWhat makes this campaign particularly concerning is the diversity of attack vectorsβ€”from subtle data corruption to aggressive system shutdowns and file deletion,” Pandya wrote. β€œThe packages were designed to target different parts of the JavaScript ecosystem with varied tactics.”

Read full article

Comments

Β© Getty Images

  •  
  • ↗️