NPM attacks and the security of software supply chains
Briefly

"In early September, attackers phished the NPM account of "Qix," a prolific maintainer, then pushed tainted releases of 18 popular packages: ansi-styles, debug, chalk, supports-color, and others, which are collectively responsible for more than 2 billion weekly downloads. The malware wasn't particularly sophisticated, and the window of exposure was brief (roughly two hours) before the maintainer and registry intervened. Even so, the situation raises uncomfortable questions about open source's supply chain risk."
"Even with two-factor authentication (2FA) more common today, a convincing phishing email can still turn a popular package into a Trojan horse. As JFrog's CTO said regarding the incident, this is the ugly reality of a JavaScript ecosystem in which "half of the codebase is dependent on single-line utilities maintained by a single developer." That's not a dunk on small, composable libraries; it's a sober assessment of risk."
In early September, attackers phished a maintainer's NPM account and pushed tainted releases of 18 packages responsible for more than 2 billion weekly downloads. The malware was simple, and exposure lasted roughly two hours before intervention; community review and rapid response neutralized the incident. Even with two-factor authentication more widely adopted, convincing phishing can still convert popular packages into Trojans, especially when many codebases rely on single-line utilities maintained by lone developers. A subsequent worm, "Shai-Hulud," propagated by stealing author tokens and seeding back doors through hidden CI workflows, showing how one compromised account can spread across the supply chain. Process improvements and sustainable funding streams protect open source better than isolated guardrails.
Read at InfoWorld