Software packages with more than 2 billion weekly downloads hit in supply-chain attack
Briefly

"The email message Junon fell for came from an email address at support.npmjs.help, a domain created three days ago to mimic the official npmjs.com used by npm. It said Junon's account would be closed unless he updated information related to his 2FA, which requires users to present a physical security key or supply a one-time passcode provided by an authenticator app in addition to a password when logging in."
"According to an analysis from security firm Aikido, the malicious code injects itself into the web browser of infected systems and begins monitoring for transfers involving ethereum, bitcoin, solana, tron, litecoin, and bitcoin cash currencies. When such transactions are detected, the infected packages would then replace the destination wallets with attacker-controlled addresses. The malware worked by hooking JavaScript functions, including fetch, XMLHttpRequest, and wallet APIs. Hooking gives code control over functions so they can be stopped or altered at certain execution points."
A phishing email from support.npmjs.help impersonated npm and, citing imminent account closure, tricked a user into updating his 2FA details. The malicious packages inject code into the browser and monitor transfers of ethereum, bitcoin, solana, tron, litecoin, and bitcoin cash, replacing destination wallets with attacker-controlled addresses. The malware hooks JavaScript functions such as fetch, XMLHttpRequest, and wallet APIs to intercept and modify transactions. Separate supply-chain compromises exposed 3,325 authentication secrets across PyPI, npm, Docker Hub, GitHub, Cloudflare, and AWS, affected 327 GitHub users across 817 repositories, and used malicious GitHub Actions to extract tokens. Another incident used a valid npm token to compromise Nx.
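As an added example (not code from the Ars Technica article, this page, or Aikido's analysis), the following browser-side integrity check flags globals such as fetch and the XMLHttpRequest prototype methods when they no longer resolve to native code, which is the trace a hooking payload of the kind described above leaves behind. The watch list and the constructed fake global used by `demo()` are assumptions made for the demonstration.

```javascript
// Source text that engines print for built-in (native) functions.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn still prints as "[native code]". A JavaScript wrapper installed
// over a built-in prints its own source instead. Function.prototype.toString is
// called directly so a hook that also replaces fn.toString cannot mask itself
// (a hook that patches Function.prototype.toString as well would still evade this).
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(Function.prototype.toString.call(fn));
  } catch (err) {
    return false;
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" against root.
function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Return the names in paths that are missing from root or no longer native.
// In a browser, root is globalThis; run this early (before third-party bundles
// load) and again later to see what changed in between.
function findHookedApis(root, paths) {
  return paths.filter((p) => !isNativeFunction(resolvePath(root, p)));
}

// Assumed watch list. Wallet provider objects such as window.ethereum are
// ordinary JavaScript, so they need a known-good snapshot rather than this test.
const WATCHED_APIS = ["fetch", "XMLHttpRequest.prototype.open", "XMLHttpRequest.prototype.send"];

// Constructed demo global: the XHR methods stand in for native code (any built-in
// prints "[native code]"), while fetch has been replaced by a JS wrapper.
function demo() {
  const originalFetch = Math.max; // stand-in for the built-in that was wrapped
  const fakeGlobal = {
    fetch: function fetch(...args) { return originalFetch(...args); },
    XMLHttpRequest: { prototype: { open: Math.max, send: Math.min } },
  };
  return findHookedApis(fakeGlobal, WATCHED_APIS); // → ["fetch"]
}

console.log(demo());
```

Note that Node.js implements fetch in JavaScript, so it reports as non-native there; the check is meant for browser globals.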
Read at Ars Technica