November 22, 2024 at 01:58AM Researchers found two malicious packages on PyPI, impersonating AI models to deploy the JarkaStealer malware. Uploaded in November 2023, the packages had 1,748 and 1,826 downloads, respectively. They revealed risks of supply chain attacks, emphasizing caution when using open-source components in development. The packages are now unavailable for download. ### … Read more
November 8, 2024 at 07:51AM A new campaign targets the npm package repository with malicious JavaScript libraries that infect Roblox users with stealer malware. The attack exploits trust in open-source ecosystems using deceptive packages and public platforms for operations. Developers are urged to verify package names and scrutinize source code to enhance security practices. ### … Read more
November 5, 2024 at 11:32AM A typosquatting campaign is targeting developers through similar-named malicious JavaScript npm packages, leading to info-stealing malware. Originating in October, it employs Ethereum smart contracts for command and control, complicating detection. Researchers emphasize the need for stricter package management and authentication to protect development environments from these attacks. Here are the … Read more
November 1, 2024 at 05:11AM LottieFiles reported a supply chain attack on Lottie-Player, aimed at stealing cryptocurrency. This breach poses risks to cryptocurrency wallets, highlighting vulnerabilities in software supply chains. **Meeting Takeaways:** 1. **Incident Confirmation**: LottieFiles has confirmed a breach involving Lottie-Player. 2. **Nature of the Attack**: The breach is classified as a supply chain … Read more
October 31, 2024 at 04:10PM LottieFiles’ Lotti-Player project was compromised in a supply chain attack, injecting a crypto drainer into websites, potentially costing one victim $723,000 in Bitcoin. Affected versions were quickly replaced with a secure update. Users are advised to upgrade or be cautious of fraudulent wallet connection requests amid ongoing investigations into the … Read more
October 31, 2024 at 10:39AM LottieFiles announced that its npm package “lottie-player” was compromised in a supply chain attack, leading to unauthorized, malicious versions that prompted users to connect cryptocurrency wallets. Users of versions 2.0.5, 2.0.6, and 2.0.7 should update to 2.0.8. The company is investigating with an external team. ### Meeting Takeaways – October … Read more
October 2, 2024 at 02:31AM Malicious packages posing as cryptocurrency wallet recovery services were found in the Python Package Index. They targeted users of prominent wallet services, offering utility functions while secretly stealing sensitive wallet data. The attack exploited open-source trust and dynamic malicious capabilities, highlighting the need for comprehensive security measures in the cryptocurrency … Read more
September 17, 2024 at 10:43PM Australian Federal Police (AFP) apprehended a man for creating the Ghost app, a platform for criminal activities. Sold with a modified smartphone for approximately AU$2350, it allowed encrypted communication for illicit dealings. The AFP infiltrated Ghost and conducted raids, arresting 38 individuals, seizing weapons and drugs, and preventing numerous acts … Read more
September 17, 2024 at 11:33AM Google has patched a vulnerability in its Google Cloud Platform (GCP) that could have led to supply chain attacks on customer cloud servers. Researchers discovered the flaw, dubbed “CloudImposer,” in GCP’s Cloud Composer service, posing a dependency confusion risk. Google addressed the issue by fixing the vulnerable script and updating … Read more
September 16, 2024 at 09:27AM A critical security flaw in Google Cloud Platform Composer, now patched, could have allowed remote code execution via a supply chain attack called dependency confusion. This could have led to a large-scale supply chain attack by tricking the package manager into downloading a malicious package. The issue was fixed by … Read more