Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Source: Ars Technica

TL;DR (AI generated)

Attackers inserted malicious code into open source npm packages that together receive more than 2 billion downloads a week, in one of the largest supply-chain attacks of its kind. Nearly two dozen packages were affected. The compromise came to light through social media posts, and a maintainer of the affected packages acknowledged having been tricked into revealing account details. The incident shows how much a software supply chain depends on the security of individual maintainer accounts, and why strong account protection matters.


Similar Articles

Anthropic's Model Context Protocol includes a critical remote code execution vulnerability — newly discovered exploit puts 200,000 AI servers at risk

Researchers at OX Security report a critical remote code execution vulnerability in Anthropic's Model Context Protocol (MCP) that affects the Python, TypeScript, Java and Rust SDKs, putting up to 200,000 AI servers at risk across a supply chain with more than 150 million downloads. The team identified several exploitation methods and proposed protocol-level fixes, which Anthropic reportedly declined, saying the behavior is expected. The disclosure comes shortly after Anthropic launched Claude Mythos, a model aimed at finding security vulnerabilities in other software, prompting calls for the company to address flaws in its own infrastructure.

Source: Tom's Hardware
Here’s how potent Atomic credential stealer is finding its way onto Macs

Security companies have warned of a potent credential stealer targeting Mac users through ads impersonating online services, with LastPass users being a recent focus. LastPass detected a campaign using SEO to display fake LastPass macOS app ads on search engines, leading to fraudulent GitHub sites offering to install LastPass but actually delivering the Atomic Stealer malware. LastPass is actively working to combat the threat and has shared indicators of compromise to help others detect similar cyber threats.

Source: Ars Technica
DDoS scrubbing service ironic target of massive attack it was built to prevent — hit with 1.5 billion packets per second from more than 11,000 distributed networks

A DDoS scrubbing service, built to absorb exactly this kind of traffic, was itself hit by a massive DDoS attack: 1.5 billion packets per second from more than 11,000 distributed networks. Scrubbing works by filtering incoming traffic to separate legitimate users from malicious sources. FastNetMon, a defensive firm, helped mitigate the attack and stressed that floods of this size need ISP-level support to stop. The attack was mitigated, but it shows the growing scale of DDoS attacks and the need for stronger anti-DDoS measures and regulation.

Source: Tom's Hardware
JavaScript packages with billions of downloads were injected with malicious code in world's largest supply chain hack, geared to steal crypto — a phishing email is all it took to undermine npm packages

In what is described as the world's largest supply chain hack, 18 JavaScript packages with more than 2 billion weekly downloads were injected with malicious code designed to steal cryptocurrency. The injected code intercepted crypto and web3 activity in browsers and redirected funds to attacker-controlled wallets. The poisoned versions were distributed through npm after a phishing email tricked the maintainer into handing over account credentials, which were then used to publish the malicious releases. The incident shows that software development remains exposed despite measures such as two-factor authentication and software bills of materials, and points to the need for more fundamental changes in development practice.

Source: Tom's Hardware
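After an incident like the two npm compromises summarized above, the first question a practitioner asks is whether any of the poisoned versions were actually resolved into a project. The following is an added example, not code from either article, from npm, or from the affected projects: it audits an npm lockfile (v1 nested form and v2/v3 flat form) against a list of known-compromised package versions. The package names, versions and lockfiles in it are constructed sample data with hypothetical names; the summaries do not list the real affected packages, so none are named here.

```javascript
// Added example: audit an npm lockfile against known-compromised versions.
// Everything below (package names, versions, lockfiles) is CONSTRUCTED sample
// data with hypothetical names; it is not the real list of affected packages.

// Indicators of compromise: package name -> set of poisoned versions.
// A real IOC list would come from the advisory for the incident.
const COMPROMISED = {
  'example-color-lib': new Set(['5.6.1']),
  'example-debug-lib': new Set(['4.4.2']),
};

// Enumerate every package a lockfile would actually install, as
// {name, version, path}. Lockfile v2/v3 carries a flat "packages" map keyed
// by install path; v1 carries a nested "dependencies" tree. v2 files include
// both, so "packages" is preferred to avoid double counting.
function* installedPackages(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !entry.version) continue; // '' is the root project
      // Take everything after the final node_modules/, so nested copies and
      // scoped packages (node_modules/@scope/name) resolve to their name.
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: entry.version, path };
    }
    return;
  }
  if (lock.dependencies) {
    yield* walkV1(lock.dependencies, '');
  }
}

// Recursive walk of the v1 "dependencies" tree, rebuilding install paths.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (entry.version) yield { name, version: entry.version, path };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// Return every installed package whose exact version is on the IOC list.
// Matching is on the resolved version: a "^5.6.0" range in package.json says
// nothing about what was installed, only the lockfile does.
function findCompromised(lock, iocs = COMPROMISED) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = iocs[pkg.name];
    if (bad && bad.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Constructed lockfile v3: one poisoned top-level package, one poisoned copy
// nested under another dependency, and one clean version of the same name.
const SAMPLE_LOCK_V3 = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/example-color-lib': { version: '5.6.1' },
    'node_modules/example-debug-lib': { version: '4.4.1' },
    'node_modules/foo': { version: '2.0.0' },
    'node_modules/foo/node_modules/example-debug-lib': { version: '4.4.2' },
  },
};

// Constructed lockfile v1 equivalent (nested tree form), with only the
// top-level poisoned package present.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-color-lib': { version: '5.6.1' },
    foo: {
      version: '2.0.0',
      dependencies: { 'example-debug-lib': { version: '4.4.1' } },
    },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK_V3)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Against a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and replace the IOC table with the versions named in the advisory. The check only tells you what `npm ci` will install from that lockfile: a bare `npm install` can resolve a newer, poisoned version inside a semver range, and install-time lifecycle scripts run before anything can be inspected, so pin exact versions and install with `--ignore-scripts` while an incident is unfolding.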