Tagged: supply chain attack
Attackers infected more than 140 packages from the Mastra AI ecosystem through npm. The malicious code ran right after npm install or npm update. So the infection could reach developer workstations and build servers...
Attackers injected malicious JavaScript into Okendo Reviews, a product review widget used by more than 18,000 brands. The compromised script loaded on store pages. After a few checks, it could show visitors a fake...
The longer an electronics supply chain grows, the harder it gets to keep trade secrets inside factory walls. India’s Tata Electronics has now confirmed a recent cyber incident. The confirmation followed reports that files...
GitHub has filled up with fake repositories. They disguise themselves as ordinary developer projects. In reality, they push Trojans through links to ZIP archives. A developer using the alias Orchid uncovered the large campaign...
The market intelligence platform Klue has confirmed a breach of part of its integration infrastructure. Attackers obtained OAuth tokens, the digital keys that grant access between services. With those keys, they slipped into the...
Popular WordPress plugins have found themselves at the center of a supply chain attack, where the products themselves were not compromised directly. Instead, attackers targeted the infrastructure responsible for distributing them. Three plugins from...
When a new batch of source code appeared on GitHub, it unexpectedly caught the attention of security researchers. Over the past few days, repositories bearing the name Miasma-Open-Source-Release began appearing across the platform in...
The Mini Shai-Hulud incursion has once again laid siege to the software supply chain. While the initial offensive primarily targeted SAP modules, this malignant architecture has since metastasized into hundreds of contaminated iterations, specifically...
RubyGems has temporarily suspended the registration of new accounts following a pervasive assault on the Ruby ecosystem. According to investigators, adversaries disseminated hundreds of deleterious packages—some tailored to compromise specific enterprises, while others functioned...
Unidentified adversaries have subverted the Checkmarx plugin for Jenkins, embedding deleterious code designed for credential exfiltration. This incursion represents the latest installment in a persistent series of software supply chain attacks orchestrated by the...
Cybersecurity specialists have exposed a pervasive malicious campaign targeting developers, wherein the adversary bypassed the compromise of finished products to exploit vulnerabilities within the build process itself. By leveraging the public NPM registry, the...
The seemingly innocuous download of a mobile game could culminate in a smartphone being compromised by sophisticated spyware. Researchers at ESET have revealed that the ScarCruft group, widely associated with North Korea, infiltrated a...