Crims flood npm with 150K+ junk packages to farm TEA tokens
Briefly

"Unlike the spate of package poisoning incidents over recent months, this one didn't inject traditional malware into the open source code. Instead, the miscreants created a self-replicating attack, infecting the packages with code to automatically generate and publish, thus earning cryptocurrency rewards on the backs of legitimate open source developers. The code also included tea.yaml files that linked these packages to attacker-controlled blockchain wallet addresses. Meanwhile, users were completely unaware that they were unwittingly padding the attackers' wallets."
"Amazon Inspector security researchers, using a new detection rule and AI assistance, originally spotted the suspicious npm packages in late October, and, by November 7, the team had flagged thousands. By November 12, they had uncovered more than 150,000 malicious packages across "multiple" developer accounts. These were all linked to a coordinated tea.xyz token farming campaign, we're told."
"Yet another supply chain attack has hit the npm registry in what Amazon describes as "one of the largest package flooding incidents in open source registry history" - but with a twist. Instead of injecting credential-stealing code or ransomware into the packages, this one is a token farming campaign."
Amazon Inspector researchers detected thousands of suspicious npm packages in late October and had flagged more than 150,000 malicious packages across multiple developer accounts by November 12. The packages belonged to a coordinated token farming campaign against tea.xyz, whose TEA token is used for incentives, staking, and governance. The attackers injected self-replicating code that generated and published further packages automatically, and each package carried a tea.yaml file tying it to attacker-controlled blockchain wallets, so every publish earned the attackers cryptocurrency rewards. Users and legitimate open-source developers were unaware that their contributions and publishing actions were crediting the attackers' wallets. AWS coordinated with OpenSSF and used new detection rules and AI assistance to identify and report the campaign.
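The summary above points at the one artifact a defender can look for in an installed dependency tree: a tea.yaml file that credits a wallet address. The script below is an added example for this page (not code from The Register, Amazon Inspector, or tea.xyz); it walks a dependency tree, inventories every package that ships a tea.yaml, extracts the wallet addresses it credits, and reports two signals that fit the campaign as described: many packages crediting the same wallet, and packages that contain nothing at all besides package.json and tea.yaml. It assumes the tea.yaml layout (version / codeOwners / quorum) and EVM-style 0x addresses, and the five sample packages it builds in a temporary directory are constructed for the demo, with made-up wallet addresses that are not indicators from the incident.

```python
# Added example, not code from The Register or Amazon Inspector: a defensive
# inventory of tea.yaml files in an installed dependency tree. It assumes the
# tea.yaml layout (version / codeOwners / quorum) and EVM-style 0x addresses;
# the sample packages it builds are constructed for the demo.
import os
import re
import tempfile
from collections import defaultdict

# EVM-style address: 0x followed by 40 hex digits (assumed format for codeOwners)
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def extract_owners(tea_yaml_text):
    """Pull every wallet address out of a tea.yaml body.

    A regex is used instead of a YAML parser so the script has no third-party
    dependency; it is enough to find the codeOwners addresses we care about.
    """
    return sorted(set(ADDR_RE.findall(tea_yaml_text)))


def scan_tree(root):
    """Walk an installed tree and record every package that ships a tea.yaml.

    Each finding carries the package path, the wallet addresses it credits and
    the number of files beyond package.json/tea.yaml (a crude measure of whether
    the package contains any real code).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "tea.yaml" not in filenames or "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "tea.yaml"), encoding="utf-8") as fh:
            owners = extract_owners(fh.read())
        substance = [n for n in filenames if n not in ("tea.yaml", "package.json")]
        findings.append({
            "package": os.path.relpath(dirpath, root),
            "owners": owners,
            "content_files": len(substance),
        })
    return findings


def wallet_clusters(findings, min_packages=3):
    """Group packages by the wallet they credit and return the wallets credited
    by at least min_packages packages, the pattern of a farming campaign."""
    by_wallet = defaultdict(list)
    for f in findings:
        for addr in f["owners"]:
            by_wallet[addr].append(f["package"])
    return {addr: sorted(pkgs) for addr, pkgs in by_wallet.items()
            if len(pkgs) >= min_packages}


def empty_shells(findings):
    """Packages that carry a tea.yaml but no other files at all."""
    return sorted(f["package"] for f in findings if f["content_files"] == 0)


def _write(directory, name, text):
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_tree(root):
    """Constructed sample: four content-free packages crediting one wallet and
    one ordinary package with real code crediting a different wallet."""
    farm_wallet = "0x" + "ab" * 20      # constructed address, not a real IoC
    legit_wallet = "0x" + "12" * 20     # constructed address, not a real IoC
    for i in range(4):
        pkg = os.path.join(root, "node_modules", f"shell-pkg-{i}")
        _write(pkg, "package.json", '{"name": "shell-pkg-%d", "version": "1.0.0"}' % i)
        _write(pkg, "tea.yaml",
               f"version: 1.0.0\ncodeOwners:\n  - '{farm_wallet}'\nquorum: 1\n")
    pkg = os.path.join(root, "node_modules", "real-lib")
    _write(pkg, "package.json", '{"name": "real-lib", "version": "2.3.1", "main": "index.js"}')
    _write(pkg, "index.js", "module.exports = (a, b) => a + b;\n")
    _write(pkg, "tea.yaml",
           f"version: 1.0.0\ncodeOwners:\n  - '{legit_wallet}'\nquorum: 1\n")
    return farm_wallet, legit_wallet


def demo():
    """Build the sample tree in a temp dir, run the scan and return the results."""
    root = tempfile.mkdtemp(prefix="tea-scan-")
    farm_wallet, legit_wallet = build_sample_tree(root)
    findings = scan_tree(root)
    return {
        "farm_wallet": farm_wallet,
        "legit_wallet": legit_wallet,
        "findings": findings,
        "clusters": wallet_clusters(findings),
        "shells": empty_shells(findings),
    }


if __name__ == "__main__":
    result = demo()
    for addr, pkgs in result["clusters"].items():
        print(f"{addr} credited by {len(pkgs)} packages: {', '.join(pkgs)}")
    print("content-free packages:", ", ".join(result["shells"]))
```

Run against a real project by replacing the temporary root in `demo()` with the project directory; a tea.yaml on its own is not evidence of abuse, so the script reports clusters and empty shells for a human to review rather than deciding anything itself.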
Read at The Register