JavaScript packages with billions of downloads were injected with malicious code in world's largest supply chain hack, geared to steal crypto — a phishing email is all it took to undermine npm packages

Source

Tom's Hardware

TL;DR (AI Generated)

In the world's largest supply chain hack, 18 JavaScript packages with over 2 billion weekly downloads were injected with malicious code aimed at stealing cryptocurrency. The compromised code intercepted crypto and web3 activity in browsers, redirecting funds to attacker-controlled accounts. The attack, distributed via npm, was facilitated by a phishing email that tricked the maintainer into unknowingly modifying the packages. This incident highlights ongoing vulnerabilities in software development despite efforts to improve security measures like two-factor authentication and software bills of materials. The hack underscores the need for fundamental changes in software development practices to prevent future breaches.

Similar Articles

Anthropic's Model Context Protocol includes a critical remote code execution vulnerability — newly discovered exploit puts 200,000 AI servers at risk

Security researchers discovered a critical remote code execution vulnerability in Anthropic's Model Context Protocol (MCP), affecting SDKs in Python, TypeScript, Java, and Rust. This flaw puts up to 200,000 AI servers at risk across a supply chain with over 150 million downloads. Despite the exposure, Anthropic has declined to patch the protocol, stating that the behavior was expected. OX Security's research team identified multiple exploitation methods and recommended protocol-level fixes to Anthropic, which were reportedly declined. The vulnerability comes shortly after Anthropic launched Claude Mythos, a model aimed at identifying security vulnerabilities in other software, prompting calls for the company to address its own infrastructure vulnerabilities.

Tom's Hardware

Twitch streamer raising money for cancer treatment has funds stolen by malware-ridden Steam game — BlockBlasters title stole $150,000 from hundreds of players

Twitch streamer Raivo "RastalandTV" Plavnieks had over $32,000 in cryptocurrency intended for cancer treatment stolen after downloading the Steam game "BlockBlasters," which was later found to contain malware that stole funds from hundreds of players. Security researchers discovered that $150,000 was taken from 261 Steam accounts, with a potential victim count of 478. Despite being labeled as "Verified" on Steam, the game was found to contain malware, prompting discussions about platform security. The incident highlights the need for improved vetting processes on platforms like Steam to prevent such malware attacks.

Tom's Hardware

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers executed a massive supply-chain attack by inserting malicious code into open source software packages that receive over 2 billion weekly downloads. This attack, affecting nearly two dozen packages on the npm repository, was one of the largest of its kind. The breach was brought to light through social media posts, with a maintainer of the compromised packages admitting to being tricked into revealing account information. The incident highlights the vulnerability of software supply chains to cyber threats and the importance of maintaining strong security measures.

Ars Technica

Dr. L.C. Lu on TSMC Advanced Technology Design Solutions

Dr. L.C. Lu, a key figure at TSMC, focuses on design-technology co-optimization, packaging innovations, and AI-driven methodologies for next-gen semiconductor systems. TSMC emphasizes DTCO and DDCL innovations for scaling from N5 to A14 nodes, with NanoFlex and NanoFlex Pro architectures offering efficiency gains. N2P and N2U nodes incorporate advanced DTCO and power delivery optimizations, with hybrid dual-rail architectures achieving significant energy savings. TSMC collaborates with EDA partners for AI integration, enhancing productivity and design quality. Advanced packaging technologies like CoWoS and SoIC play a crucial role in enabling AI scaling, with memory bandwidth and interconnect performance scaling aggressively. TSMC addresses power delivery and thermal management challenges in AI systems through advanced solutions. TSMC's advancements in design methodologies and AI-driven automation promise improved productivity and scalability in chip-package co-design.

SemiWiki