Tag Archives: supply chain attacks

Dozens of Red Hat packages backdoored through its official NPM channel

The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a…

Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden

“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company didn’t say what kinds of data were leaked. Checkmarx isn’t the only security company to suffer the aftereffects of the Trivy…

Widely used Trivy scanner compromised in ongoing supply-chain attack

Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that use them. Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident.…

Supply-chain attack using invisible code hits GitHub and other repositories

The invisible code is rendered with Public Use Areas (sometimes called Public Use Access), which are ranges in the Unicode specification for special characters reserved for private use in defining emojis, flags, and other symbols. The code points represent every letter of the US alphabet when fed to computers, but their output is completely invisible…

Notepad++ users take note: It’s time to check if you’re hacked

According to independent researcher Kevin Beaumont, three organizations told him that devices inside their networks that had Notepad++ installed experienced “security incidents” that “resulted in hands on keyboard threat actors,” meaning the hackers were able to take direct control using a web-based interface. All three of the organizations, Beaumont said, have interests in East Asia.…

Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025

A third AI-related proof-of-concept attack that garnered attention used a prompt injection to cause GitLab’s Duo chatbot to add malicious lines to an otherwise legitimate code package. A variation of the attack successfully exfiltrated sensitive user data. Yet another notable attack targeted the Gemini CLI coding tool. It allowed attackers to execute malicious commands—such as…

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time,…

Supply-chain attacks on open source software are getting out of hand

sudo rm -rf --no-preserve-root / The --no-preserve-root flag is specifically designed to override safety protections that would normally prevent deletion of the root directory. The postinstall script that includes a Windows-equivalent destructive command was: rm /s /q Socket published a separate report Wednesday on yet more supply-chain attacks, one targeting npm users and another targeting…

Yearlong supply-chain attack targeting security pros steals 390K credentials

[Figure: screenshot showing a graph tracking mining activity. Credit: Checkmarx] But wait, there’s more On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. These packages help malicious and benevolent…

Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack

WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday. So far, five plugins are known to be affected in the campaign, which was active as recently as Monday morning, researchers from security firm Wordfence reported. Over the…