lepoulsdumonde.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Small french Mastodon instance for friends, family and useful bots


#npm

4 posts, 4 participants, 0 posts today
Bill<p>In today's Supply Chain News ...</p><p>Eleven oooold npm packages were hijacked to steal API keys. Wonder how many of them are just sitting in someone's build pipeline with "latest" as the version parameter?</p><p><a href="https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sonatype.com/blog/multiple-cry</span><span class="invisible">pto-packages-hijacked-turned-into-info-stealers</span></a></p><p>h/t to Sonatype for the top notch research.</p><p><a href="https://infosec.exchange/tags/supplychain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>supplychain</span></a><br><a href="https://infosec.exchange/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a></p>
Sam Stepanyan :verified: 🐘<p><a href="https://infosec.exchange/tags/NPM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NPM</span></a>: Two malicious packages were discovered on npm (<a href="https://infosec.exchange/tags/NodeJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NodeJS</span></a> package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor:<br><a href="https://infosec.exchange/tags/SoftwareSupplyChainSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareSupplyChainSecurity</span></a><br>👇<br><a href="https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/new-npm-attack-poisons-local-packages-with-backdoors/</span></a></p>
Dino<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@BleepingComputer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BleepingComputer</span></a></span> Do we think something like this is enough to find if this garbage is present on a Linux system? `sudo find / -iregex '.*ethers-.*'`<br><a href="https://masto.ai/tags/node" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>node</span></a> <a href="https://masto.ai/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://masto.ai/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a></p>