Researchers Uncover Backdoor in Solana’s Popular Web3.js npm Library

December 4, 2024 at 05:06AM Cybersecurity researchers have identified a software supply chain attack targeting the @solana/web3.js npm library, with malicious versions 1.95.6 and 1.95.7 designed to steal users’ private keys and drain cryptocurrency wallets. Affected users are advised to update their versions and potentially rotate their authority keys.

XMLRPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

November 28, 2024 at 06:08AM Researchers found a year-long software supply chain attack on the npm package registry involving the malicious package @0xengine/xmlrpc, which harvested sensitive data and mined cryptocurrency. Discovered by Checkmarx, it exploited trust in dependencies. Additionally, ongoing malicious campaigns using counterfeit packages target multiple platforms, including Roblox developers.

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

November 5, 2024 at 01:45AM A campaign targeting npm developers employs hundreds of typosquat packages to install cross-platform malware, utilizing Ethereum smart contracts for command-and-control. This approach complicates detection and takedown efforts, highlighting vulnerabilities in the open-source ecosystem. The attacker may be Russian-speaking, emphasizing the need for developer vigilance when downloading packages.