Happy New Year! What a way to open 2024! NPM user account gdi2290, aka PatrickJS, published a troll campaign to the NPM registry by uploading a package named “everything”, which relies on every other public NPM package, resulting in millions of transitive dependencies. This
HuggingFace Hub has become a go-to platform for sharing and exploring models in the world of machine learning. Recently, I embarked on a journey to experiment with various models on the hub, only to stumble upon something interesting – the
The highly popular NuGet package, Moq, with total downloads of 475M+, released a new versions 4.20.0 and 4.20.1 on August 8th with a new sub-dependency that has hidden executable code that reads the user’s local git config, extracting the developer’s email address, hashing it, and
CocoaPods is THE dependency manager for iOS and Mac projects. It helps software developers easily add pre-made pieces of code (called “libraries” or “dependencies”) to their iOS or Mac projects. These code libraries can help developers add extra features or
What Happened? Working Together, Keeping the Ecosystem Safe The ongoing battle against software supply chain attackers continues to be challenging as attackers constantly adapt and surprise with new techniques. In order to better defend against these threats, Checkmarx and Illustria
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. This attack group has been operating for over a year with multiple hacking objectives: Credit card information Discord “Nitro” (premium) upgrades Streaming services
On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. The PyPi user account devfather777 published a dozen malicious Typosquatting packages under the names of popular projects
Today, as it was revealed by Stephen Lacy in his tweet, he shared his findings of a large-scale campaign targeting random GitHub repositories with project clones containing credential stealing malware and remote shell execution on top of the original code.
A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published, making it highly
What Happened? Multiple supply chain attacks from the same attacker were reported today by s0md3v. (1) PHP package hautelook/phpass with over 2.5 million installations was hijacked using the RepoJacking technique. (2) Python package “ctx” with over 700,000 downloads was compromised
©2024 Checkmarx Ltd. All Rights Reserved. iISO/IEC 27001:2013 Certified
