
"As of Tuesday, the supply-chain attack remains active, and its scope extends beyond the original 18 infected Qix packages to now include five additional compromised DuckDB and coveops/abi packages, according to JFrog. Wiz warns organizations to assume 'malicious versions of popular packages are still available for download and might be automatically included in development pipelines.'"
"During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. Those 18 compromised packages collectively account for about two billion downloads per week. As a refresher, here's what happened on Monday. Qix developer Josh Junon, after being duped by a phishing email, inadvertently authorized a reset of the two-factor authentication protecting his npm account."
"This allowed criminals to backdoor popular npm packages, including debug and chalk, with cryptocurrency-stealing malware. The good news is that, despite having the social-engineering skills to potentially pull off one of the largest supply-chain-attacks-slash-crypto-heists in history, the miscreants massively fumbled it, and as of mid-day Tuesday, the attackers had only stolen about $925 in cryptocurrency, according to on-chain analytics firm Arkham."
Malicious versions of widely used npm packages were published during a two-hour window on Monday after a developer, duped by a phishing email, authorized a reset of the two-factor authentication on his npm account. Eighteen Qix packages and at least five additional DuckDB and coveops/abi packages were compromised, affecting libraries that collectively account for about two billion downloads per week. Malware-laced releases reached roughly one in ten cloud environments and could be automatically pulled into development pipelines. The backdoors targeted popular packages such as debug and chalk to steal cryptocurrency, but as of mid-day Tuesday the attackers had extracted only about $925. The incident exposed the fragility of JavaScript dependency chains and forced extensive mitigation efforts.
Read at Theregister