Articles tagged with "Open Source Security, Supply Chain Attacks, Malware, npm Vulnerabilities, JavaScript Security"

Supply-chain attacks on open source software are getting out of hand

Supply-chain attacks on open source software are escalating, with recent breaches targeting developer accounts and leading to the distribution of malicious packages to users. Security firm Socket reported a supply-chain attack on JavaScript code in the npm repository, where 10 packages from Toptal were infected with malware and downloaded by around 5,000 users before detection. This incident marks the third supply-chain attack on npm observed by Socket in a week. The hackers compromised Toptal's GitHub Organization to publish the malicious packages on npm.

Ars Technica
