Checkmarx SCS (Supply Chain Security) team found a vulnerability in GitHub that can allow an attacker to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code. If not explicitly
A few hours ago, PyPi disclose information on the first seen phishing attack aimed at a Python contributor. Right now, we are aware of hundreds of malicious packages that were related to this attack based on the known indicator. During
A known malicious contributor has published two new Python packages trying to mimic popular ones to lure developers into downloading them and infect their machines with Cobalt Strike. This account was not disabled after the first attack, allowing the attacker
An alarming software supply chain attack technique allows threat actors to trick developers into using potentially malicious code. By leveraging the ability to spoof and forge commits’ metadata on GitHub, an attacker can deceive users and lure them into using
Over a thousand packages and users were created on NPM using an automated process in the past few days. Is it a phase one of an upcoming attack? Checkmarx SCS team detected over 1200 npm packages released to the registry
Does Protestware undermine the trustworthiness of OSS ecosystems? Two popular packages, “styled-components” and “es5-ext”, with millions of weekly downloads and thousands of dependent projects, released new Protestware versions. The new versions verify that the infected machine belongs to a Russian
Intro A popular NPM package node-ipc was purposely infected with a malicious payload by its own creator to protest over the Russia-Ukraine war. This package has over a million weekly downloads and hundreds of direct other dependent packages, including the
Intro Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload
Malicious Python Packages with Self-spreading Capabilities Caught Stealing Browser Credentials, Discord Tokens, and System Information. The malicious package is able to steal the user’s password from their Chrome browser, along with Discord tokens and system information, and exfiltrate this data
A new attempt to compromise a popular NPM package had occurred in the past few hours. The popular COA (Command-Option-Argument) package is a parser for command line options with around 9 million weekly downloads, and a long list of dependent
©2023 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified
