#secrets-exfiltration

[ follow ]
#shai-hulud #javascript-malware #npm-supply-chain #npm #supply-chain-attack #malicious-scripts
fromTechzine Global
15 hours ago

On the heels of 2.0, Shai Hulud 3.0 emerges as a supply chain threat

Shai Hulud was first observed in September and specifically targets the JavaScript ecosystem. Instead of attacking end users, the malware focuses on developers by hiding malicious code in npm packages. Once such a package is installed, the malware attempts to collect sensitive information, including environment variables, API keys, and secrets from cloud and CI/CD environments. This data is then automatically leaked to GitHub repositories created by the attacker.
Tech industry
Information security
fromTechzine Global
4 weeks ago

Shai-Hulud 2.0's impact appears vast as NPM ecosystem struggles to cope

A widespread NPM supply-chain campaign, Shai-Hulud 2.0, exfiltrated hundreds of thousands of secrets, reused valid tokens, and added destructive functionality targeting development environments.
Information security
fromTheregister
4 months ago

AWS patches Q Developer after prompt injection, RCE demo

Amazon fixed prompt-injection and RCE-capable vulnerabilities in the Amazon Q Developer VS Code extension by updating the language server and adding human-in-the-loop approval.
[ Load more ]