Tag: Supply Chain Attack

All articles tagged with #supply chain attack

Security Risks in VS Code Extensions: Ransomware, Cryptomining, and Supply Chain Threats

Originally Published 2 months ago — by The Hacker News

Source: The Hacker News

Cybersecurity researchers discovered a vibe-coded malicious VS Code extension with built-in ransomware capabilities, which exfiltrates and encrypts files, and uses GitHub as a command-and-control server. Additionally, 17 npm packages disguised as SDKs were found to stealthily deploy Vidar Stealer, highlighting ongoing supply chain threats in open-source ecosystems. Microsoft has removed the malicious extension from the marketplace, emphasizing the importance of vigilance in software development.

Nation-State Airstalk Malware Uses Multi-Threaded C2 to Steal Windows Logins

Originally Published 2 months ago — by The Hacker News

Source: The Hacker News

A suspected nation-state threat actor has deployed a new malware called Airstalk, exploiting the AirWatch API for covert C2 communication, with variants capable of capturing browser data and executing various malicious tasks, potentially targeting enterprise sectors like BPO in a sophisticated supply chain attack.

Multiple Cyberattacks Expose Vulnerabilities in Major Tech Firms

Originally Published 4 months ago — by The Hacker News

Source: The Hacker News

Salesloft has temporarily taken Drift offline after a widespread supply chain attack led to the theft of OAuth tokens, impacting over 700 organizations including major companies like Cloudflare and Google Workspace. The breach exploited compromised OAuth tokens associated with Drift's integration with Salesforce, prompting Salesforce to disable all related integrations as a precaution. The incident is linked to the threat cluster UNC6395, and the affected companies are working with cybersecurity firms to enhance security and prevent further attacks.

Cloudflare and Major Security Firms Hit by Supply Chain Data Breaches

Originally Published 4 months ago — by BleepingComputer

Source: BleepingComputer

Cloudflare was compromised in a supply chain attack involving Salesloft and Drift, where attackers accessed a Salesforce instance containing customer support data and API tokens. The breach exposed customer contact info and support tickets, with threat actors potentially planning future targeted attacks. This incident is part of a broader wave of Salesforce data breaches linked to the ShinyHunters group and other threat actors targeting cloud and CRM platforms.

Malicious npm and VS Code Packages Exploiting Developers and Stealing Data

Originally Published 7 months ago — by The Hacker News

Source: The Hacker News

Researchers have uncovered over 70 malicious npm and VS Code packages used for data theft, cryptomining, and destructive payloads, with threat actors deploying sophisticated techniques including masquerading as legitimate tools, evading sandbox detection, and using multi-stage infection chains to compromise developers' systems and steal sensitive information.

"Unveiling the XZ Backdoor: Thwarting Cyber-Attacks and Detecting Implants in Linux Binaries"

Originally Published 1 year ago — by BleepingComputer

Source: BleepingComputer

Binarly has released an online scanner to detect Linux executables affected by the XZ Utils supply chain attack, CVE-2024-3094. The backdoor, discovered by a Microsoft engineer, was introduced in XZ version 5.6.0 and remained in 5.6.1, impacting a few Linux distributions. Binarly's scanner uses static analysis to identify tampering with GNU Indirect Function (IFUNC) transitions and can detect similar backdoors in other projects. The scanner is available online for unlimited free checks, and a free API is available for bulk scans.

"Detecting and Defending Against the XZ Backdoor in Linux Systems"

Originally Published 1 year ago — by The Hacker News

Source: The Hacker News

Malicious code was discovered in the widely used XZ Utils library for Linux systems, enabling remote code execution and bypassing secure shell authentication. The backdoor was introduced by a project maintainer named Jia Tan, who gained credibility over two years and eventually added the malicious code to the XZ Utils release. The sophisticated supply chain attack highlights the potential risks associated with open-source software and the need for organizations to adopt tools and processes to identify tampering and malicious features in their development pipeline.

"Uncovering the Linux xz Utils Backdoor: A Supply Chain Hack Alert"

Originally Published 1 year ago — by Ars Technica

Source: Ars Technica

A backdoor was discovered in xz Utils, a widely used data compression utility in Linux and Unix-like systems, allowing unauthorized access with root privileges through SSH. The backdoor was nearly merged into major Linux distributions, and its creator, Jia Tan, has a mysterious online presence. The attack involved years of planning and manipulation of open-source projects, and the malicious code was designed to be stealthy and targeted specific system configurations. Multiple researchers have analyzed the backdoor's components, and the incident serves as a cautionary tale for the security of open-source software supply chains.

"Warning: XZ Utils Backdoor Threatens Linux Security"

Originally Published 1 year ago — by The Hacker News

Source: The Hacker News

Red Hat issued an urgent security alert after discovering a backdoor in XZ Utils versions 5.6.0 and 5.6.1, impacting major Linux distributions. The malicious code, with a maximum-severity CVSS score, allows unauthorized remote access and interferes with the sshd daemon process. The compromised packages are present in Fedora 41 and Fedora Rawhide, prompting recommendations for users to downgrade to a safe version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to downgrade XZ Utils to an uncompromised version.

Critical Backdoor Discovered in XZ Utilities Compromises Linux Security

Originally Published 1 year ago — by Ars Technica

Source: Ars Technica

Malicious code was discovered in the widely used xz Utils compression tool, affecting versions 5.6.0 and 5.6.1, which made its way into beta releases of major Linux distributions, including Red Hat and Debian. The backdoor was designed to break SSH authentication, potentially allowing unauthorized access to systems. While the malicious versions were caught before being added to production releases, users are advised to check with their distributors to determine if their systems are affected.

Malicious PyPI Packages Infect Thousands of Windows and Linux Systems

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

Researchers have discovered 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. The packages have been downloaded over 10,000 times since May 2023. The attackers use various techniques to bundle the malicious code into Python packages, with the goal of compromising the targeted host with malware capable of remote command execution, data exfiltration, and taking screenshots. This is the latest in a series of compromised Python packages used for supply chain attacks, highlighting the need for developers to thoroughly vet the code they download.

"Linux Users Unknowingly Exposed to Malware via Free Download Manager Site"

Originally Published 2 years ago — by BleepingComputer

Source: BleepingComputer

Free Download Manager, a popular software, was involved in a supply chain attack in which its official download page occasionally redirected Linux users to a malicious Debian package repository, resulting in the installation of information-stealing malware. The malicious package dropped a Bash information-stealing script that collected user data and account credentials, plus a backdoor that established a reverse shell to a command-and-control server. Links to the infected package also circulated on social media and online forums, with users unaware of the compromise. The campaign went undetected for over three years, helped by the rarity of Linux malware and the fact that only a fraction of visitors were redirected to the unofficial URL; despite being informed, the software vendor has not responded.

"North Korean Hackers Target US Tech Company for Crypto Theft"

Originally Published 2 years ago — by Reuters

Source: Reuters

A North Korean government-backed hacking group, known as "Labyrinth Chollima," breached an American IT management company called JumpCloud and used it as a launching pad to target cryptocurrency companies. The hackers gained access to JumpCloud's systems in late June and then targeted a small number of its clients, which were confirmed to be cryptocurrency companies. This incident highlights North Korea's increasing sophistication in cyber espionage and its shift towards supply chain attacks. Cybersecurity firms CrowdStrike and Mandiant have attributed the attack to North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency. Cryptocurrency stolen by North Korean-linked groups is estimated to be worth $1.7 billion.

"Node.js Users Vulnerable to Manifest Confusion Attack: Malware Threat Looms"

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

The npm registry for Node.js is vulnerable to a manifest confusion attack, allowing threat actors to hide malware in project dependencies or execute arbitrary scripts during installation. The issue arises from the decoupling of the manifest and package metadata, leading to unexpected behavior and misuse. This loophole can be exploited to publish modules with hidden dependencies and run install scripts, potentially leading to supply chain attacks. Users are advised to scan packages for anomalies and exploits, as relying solely on metadata is insufficient. GitHub is aware of the problem but has yet to resolve it. Insecure dependencies were also found in a study of GitHub repositories, highlighting the ongoing threat to software supply chains.

Intel and MSI face security concerns after massive data breach

Originally Published 2 years ago — by Slashdot

Source: Slashdot

The leak of MSI's private encryption keys, including the signing key used to digitally sign firmware updates, has raised concerns of devastating supply chain attacks that could inject malicious updates that are trusted by a huge base of end-user devices. Security researchers warn that MSI doesn't have an automated patching process and doesn't provide the same kind of key revocation capabilities as larger hardware makers, making it difficult to block the leaked keys.