
"Several major incidents occurred over the past three months, with the most recent involving the Shai-Hulud self-replicating worm that impacted dozens of maintainer accounts last week. The attackers compromised 195 packages and pushed over 500 malicious package versions to the registry. A week before, 18 NPM packages maintained by Josh Junon were injected with malware after the maintainer fell victim to a phishing campaign impersonating NPM support. The packages have over 2.5 billion weekly downloads."
"According to GitHub, the Shai-Hulud attack triggered swift action from the platform and the community to remove the malicious packages and block the upload of new malware that could have led to a significantly higher number of infections. "By combining self-replication with the capability to steal multiple types of secrets (and not just npm tokens), this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers," GitHub notes."
Multiple supply-chain attacks hit the NPM ecosystem in recent months. The Shai-Hulud self-replicating worm compromised 195 packages and pushed over 500 malicious versions to the registry, spreading by harvesting npm tokens and other secrets from infected environments and using them to publish further trojanized releases. Separately, a phishing campaign impersonating NPM support led to malware being injected into 18 packages maintained by Josh Junon, which together receive over 2.5 billion weekly downloads. Typosquatting attacks also poisoned packages with combined weekly downloads exceeding 30 million. Rapid action by GitHub and maintainers removed the malicious packages and blocked further uploads. To limit token theft and worm-style propagation, GitHub plans to require two-factor authentication for local publishing, replace long-lived classic tokens with granular tokens that expire after seven days, and promote trusted publishing, which authenticates CI publishes with short-lived identity tokens instead of stored credentials.
Read at SecurityWeek