A supply chain ransomware attack targeted Blue Yonder, impacting its customers including Starbucks and UK grocery chains. The attack disrupted operations and highlighted vulnerabilities in supply chain security. Further details on the specific ransomware used and the extent of data exfiltration are still emerging.
A malicious PyPI package, ‘aiocpa’, disguised as a legitimate cryptocurrency client, was used to steal cryptocurrency wallet information. Attackers used a stealthy approach, publishing their own package instead of typosquatting. The malicious code was obfuscated using Base64 encoding and zlib compression; it exfiltrated sensitive data to a Telegram bot. This highlights the risk of malicious packages in software supply chains.
A malicious PyPI package, ‘aiocpa’, was discovered to be injecting infostealer code into cryptocurrency wallets. This highlights the risk of malicious code injection into open-source software repositories and the importance of dependency management. The malicious actors did not use typosquatting techniques, but published a legitimate-looking crypto client to attract users.
A malicious PyPI package, ‘aiocpa’, disguised as a legitimate cryptocurrency client tool, implanted infostealer code to compromise cryptocurrency wallets. The attackers used a stealthier approach, publishing their own tool rather than impersonating existing packages. This highlights the risks of using third-party open-source packages without proper security assessment and version pinning. Machine learning-based threat hunting proved crucial in detecting the malicious package.
A new feature called digital attestations has been released on PyPI, the Python Package Index, to bolster supply chain security for Python packages. These attestations essentially function as digital signatures, cryptographically linking packages published on PyPI to the specific source code used for their creation, thus offering stronger assurance that packages downloaded from PyPI haven’t been tampered with or injected with malicious code. This feature utilizes a mechanism that proves a trustworthy build system was used to generate and publish the package, starting with its source code on GitHub. This development significantly enhances the reliability and trust in Python package distribution by providing concrete evidence of package origin and authenticity, mitigating risks associated with malware injection or tampering within the Python ecosystem. While this feature is already available to those using the PyPI Trusted Publishers mechanism in GitHub Actions, a new API has been introduced for consumers and installers to verify published attestations, allowing for broader adoption and increased confidence in package provenance across the Python community.
Spectra Assure, a software supply chain security tool, has introduced a new feature called SAFE Levels, aimed at simplifying risk evaluation and remediation efforts. These levels, ranging from Level 1 to Level 5, benchmark the overall supply chain security of a software package, providing organizations with a clear understanding of the risks associated with specific software. The tool automatically generates a plan for addressing prioritized software risks, recommending manageable projects to continually improve the software’s level of supply chain security. By using complex binary analysis and threat classification, Spectra Assure identifies the software bill of materials (SBOM) and assesses embedded threats, risks, and security issues. The detected violations are then assessed against the criteria for achieving each SAFE Level, providing a roadmap for security improvement.
Cyble researchers have identified high-priority vulnerabilities in products from Ivanti, Microsoft, Qualcomm, Zimbra, and the Common Unix Printing System (CUPS). Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited. Cyble also detected 14 vulnerability exploits discussed on dark web forums, suggesting that they may soon be under attack, if not already. This vulnerability report highlights the need for organizations to prioritize patching and mitigation of these vulnerabilities to protect against potential exploitation by threat actors.
A new and concerning attack technique has been identified by Checkmarx researchers, leveraging the entry points of open source application packages. This technique, dubbed “command jacking,” exploits the ability of developers to expose specific functions as command line tools. Attackers can create malicious packages with fake entry points, impersonating widely-used third-party tools or system commands like ‘aws’, ‘docker’, ‘npm’, ‘pip’, ‘git’, ‘kubectl’, ‘terraform’, ‘gcloud’, ‘heroku’, or ‘dotnet’. When unsuspecting developers install these packages and run the hijacked commands, malicious code can be executed, potentially leading to data theft, malware installation, and compromise of entire cloud infrastructures.
Researchers have uncovered the HijackLoader malware, a sophisticated threat that leverages stolen code-signing certificates to gain legitimacy and evade detection. HijackLoader, also known as LummaStealer, uses these certificates to sign malicious payloads, making them appear trustworthy. This technique enables it to bypass security measures and install malicious software on victim systems.
Open source application packages, including those in Python and JavaScript, have a vulnerability in their entry points that could be used by threat actors to execute malicious code to steal data, plant malware, and more. This warning to developers and infosec leaders comes from researchers at Checkmarx, who dub the techniques “command jacking.” Attackers can use entry points to run specific commands impersonating popular third-party tools and system commands, but they could also leverage malicious plugins and extensions. This highlights the importance of scrutinizing open source package repositories and ensuring that developers are aware of the potential risks associated with entry point attacks.