In August, the open-source ecosystem faced multi-faceted cybersecurity threats, emphasizing the persistent vulnerabilities in software supply chains. A new exploit in GitHub put millions of users and thousands of repositories at risk by bypassing GitHub’s security mechanisms, affecting code packages in multiple languages and GitHub Actions. Meanwhile, the popular NuGet package “Moq” came under scrutiny for silently exfiltrating user data. North Korea was tied to yet another ongoing open-source supply chain attack, illustrating the increasing involvement of nation-state actors. Additionally, long-standing threats were traced back to 2021. All of this and much more occurred this month, underlining the necessity for organizations to reassess and bolster their cybersecurity strategies against an increasing array of software supply chain threats.
Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk
A new vulnerability in GitHub’s repository creation and username renaming operations could allow attackers to distribute malicious code via a Repojacking attack. This is the fourth time a method has been discovered to bypass GitHub’s “Popular repository namespace retirement” mechanism. This could potentially affect over 4,000 code packages, many of which have over 1,000 stars, in the Go, PHP, and Swift languages, as well as GitHub Actions, putting millions of users and applications at risk.
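As an added, defender-side example (not code from the original article): a small Python check that flags workflow `uses:` references that are not pinned to a full 40-character commit SHA, since a branch or tag reference keeps resolving to whatever the namespace owner publishes after a rename or transfer, while a commit SHA does not. The sample workflow, the `some-org/lint-action` action and the SHA value are constructed for the example.

```python
import re

# Matches a workflow step such as   - uses: actions/checkout@v4
# group 1: owner/repo (optionally with a sub-path), group 2: the ref after '@'
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)', re.MULTILINE)
# A full-length commit SHA is an immutable pin
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow; the SHA and some-org/lint-action are placeholders
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - name: lint
        uses: some-org/lint-action@main
"""


def audit_workflow(workflow_text):
    """Return (action, ref, reason) for every action not pinned to a full SHA.

    Local actions (./path) carry no '@ref' and are not matched by USES_RE,
    so only references into the GitHub namespace are examined.
    """
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: unaffected by a later repo/username change
        reason = "mutable ref; resolves to whatever the current namespace owner publishes"
        findings.append((action, ref, reason))
    return findings


if __name__ == "__main__":
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```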
Popular NuGet Package “Moq” Silently Exfiltrates User Data to Cloud Service
The highly popular NuGet package Moq, with over 475M downloads, released new versions on August 8th. These updates sparked backlash after it was discovered that they introduced a controversial new sub-dependency that covertly reads the user’s local git config to extract the developer’s email address, hashes it, and then sends the hashed value to a cloud service.
North Korea Tied to Another Ongoing Open Source Software Supply Chain Attack
ReversingLabs identified malicious Python packages that are part of an ongoing attack campaign originally discovered in early August. These packages mimic popular open-source Python tools and are believed to be connected to North Korea’s Lazarus Group. Uniquely, the packages are designed to avoid immediate detection by only executing malicious code after being imported and called within a legitimate application, rather than upon installation. These findings emphasize how nation-state actors are increasingly targeting the open-source ecosystem, underlining the urgency for organizations to reassess their cybersecurity posture to encompass the full range of software supply chain threats, including those emanating from well-resourced and highly skilled nation-state actors.
An Ongoing Open Source Attack Reveals Roots Dating Back To 2021
A threat actor was exposed for exploiting npm packages to target cryptocurrency developers, aiming to steal source code and confidential information. The activities of this threat actor were traced back to as early as 2021.
Threat Actor Continues to Plague the Open-Source Ecosystem with Sophisticated Info-Stealing Malware
For several months, the threat actor group designated as PYTA31 has been exploiting PyPI packages to distribute sophisticated info stealer malware known as ‘WhiteSnake Stealer’, targeting both Linux and Windows platforms for data exfiltration.
A Deep Dive into 70 Layers of Obfuscated Info-Stealer Malware
A recent analysis uncovered two Python packages containing multiple layers of obfuscation and leveraging a multi-stage payload delivery system and advanced evasion techniques.