GitLab discovers widespread npm supply chain attack
Yet another week; yet another supply chain attack...
ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity
A pretty impressive and concerning compromise of a lot of JavaScript (and by extension TypeScript) packages.
Supply Chain Security Alert: num2words PyPI Package Shows Signs of Compromise - StepSecurity
Interesting supply chain attack on a Python package.
https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
Ouch.
Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
"Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious import . Join us here on the Phylum research team as we investigate these new and shifting tactics the attacker is using to deploy W4SP stealer in this supply-chain attack."
How We Executed A Critical Supply Chain Attack On Pytorch
"Four months ago, Adnan Khan and I exploited a critical CI/CD vulnerability in PyTorch, one of the world’s leading ML platforms. Used by titans like Google, Meta, Boeing, and Lockheed Martin, PyTorch is a major target for hackers and nation-states alike.
Thankfully, we exploited this vulnerability before the bad guys.
Here is how we did it."