CyberSecurity updates
Updated: 2024-11-22 17:44:29 Pacific

csoonline.com
Command Jacking: New Supply Chain Attack Technique Targets Open Source Package Entry Points - 8d

A new and concerning attack technique has been identified by Checkmarx researchers, leveraging the entry points of open source application packages. This technique, dubbed “command jacking,” exploits the ability of developers to expose specific functions as command line tools. Attackers can create malicious packages with fake entry points, impersonating widely-used third-party tools or system commands like ‘aws’, ‘docker’, ‘npm’, ‘pip’, ‘git’, ‘kubectl’, ‘terraform’, ‘gcloud’, ‘heroku’, or ‘dotnet’. When unsuspecting developers install these packages and run the hijacked commands, malicious code can be executed, potentially leading to data theft, malware installation, and compromise of entire cloud infrastructures.
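A defender-side check for the entry-point shadowing described above, as an added example that is not code from Checkmarx or the article: it enumerates the `console_scripts` entry points of every installed Python distribution and flags any whose script name matches one of the commands the article lists. The `WATCHED_COMMANDS` set and the sample distribution `cloud-helpers` are assumptions constructed for illustration; the real inventory comes from `importlib.metadata` on the running interpreter.

```python
"""Flag installed console_scripts entry points that shadow well-known CLI tools.

Added example (not the article's code). Uses only the standard library:
importlib.metadata (Python 3.8+) exposes each distribution's entry points.
"""
import shutil
import sys
from importlib.metadata import distributions

# Command names the article cites as impersonation targets (assumed watch-list).
WATCHED_COMMANDS = {"aws", "docker", "npm", "pip", "git", "kubectl",
                    "terraform", "gcloud", "heroku", "dotnet"}


def installed_console_scripts():
    """Yield (distribution, script name, target) for every console_scripts entry point."""
    for dist in distributions():
        dist_name = dist.metadata["Name"]
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                yield dist_name, ep.name, ep.value


def find_shadowing(entry_points, watched=WATCHED_COMMANDS):
    """Return a finding for each script whose name collides with a watched command.

    entry_points: iterable of (distribution, script, target) tuples.
    A collision means `pip install` dropped a wrapper named e.g. `aws` into the
    scripts directory; if that directory precedes the real tool on PATH, the
    package's code runs instead of the tool the user meant to invoke.
    """
    findings = []
    for dist_name, script, target in entry_points:
        if script in watched:
            findings.append({
                "distribution": dist_name,
                "script": script,
                "target": target,
                # What the shell would actually run right now (None if not on PATH).
                "resolves_to": shutil.which(script),
            })
    return findings


# Constructed sample: a hypothetical distribution registering an `aws` script.
SAMPLE = [
    ("cloud-helpers", "aws", "cloud_helpers.cli:main"),  # constructed; flagged
    ("black", "black", "black:patched_main"),            # normal, not flagged
]

if __name__ == "__main__":
    source = SAMPLE if "--sample" in sys.argv else installed_console_scripts()
    for f in find_shadowing(source):
        print(f"{f['distribution']} registers '{f['script']}' -> {f['target']} "
              f"(PATH currently resolves '{f['script']}' to {f['resolves_to']})")
```

Run with `--sample` to see the constructed hit, or without arguments to audit the current environment; a hit is only a lead, since the entry point wins only when its scripts directory precedes the real tool on PATH.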

cnews.link
Open-Source Repositories Infiltrated by Malicious Packages - 7d

The reliance on open-source repositories has unfortunately led to a significant rise in malicious software packages infiltrating software products. These malicious packages are deliberately designed to compromise systems and steal data. They can be hidden within legitimate-looking packages, making it difficult for developers and users to detect them. This threat highlights the need for stringent security measures and thorough vetting of all open-source packages.


This site is an experimental news aggregator using feeds I personally follow. You can reach me on Bluesky if you have feedback or comments.