#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

supply chain attack | Breaking Cybersecurity News | The Hacker News

Category — supply chain attack
New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

Jun 15, 2023 Software Supply Chain
In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said. The attack was first observed in the case of an npm package called  bignum , which, until version 0.13.0, relied on an Amazon S3 bucket to download pre-built binary versions of an addon named node-pre-gyp during installation. "These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer," according to a  GitHub advisory  published on May 24, 2023. An unknown threat actor ...
PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

May 21, 2023 Software Security / Malware
The maintainers of Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to sign up and upload new packages until further notice. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the admins  said  in a notice published on May 20, 2023. No additional details about the nature of the malware and the threat actors involved in publishing those rogue packages to PyPI were disclosed. The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, Israeli cybersecurity startup Phylum  uncovered  an...
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Jan 20, 2025Data Security / Data Monitoring
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

May 19, 2023 DevOpsSec / Supply Chain
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called  TurkoRat . The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.  While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as  agent-base , which has been downloaded over 25 million times to date. The list of the rogue packages and their a...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide

This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide

May 18, 2023 Mobile Security / Cyber Crime
A cybercrime enterprise known as  Lemon Group  is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks. "The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro  said . The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with the highest concentration of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The findings were  presented  by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week. Describing it as a  continuously evolving problem , the cybersecurity firm said...
Why Honeytokens Are the Future of Intrusion Detection

Why Honeytokens Are the Future of Intrusion Detection

May 10, 2023 Intrusion Detection / Honeypot
A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on  the state of cybersecurity . During his keynote, Mandia stated: "There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack [...] Honeypots , or fake accounts deliberately left untouched by authorized users,  are effective at helping organizations detect intrusions or malicious activities that security products can't stop ". "Build honeypots" was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms. As a reminder, honeypots are  decoy systems  that are set up to lure attackers and divert their attentio...
MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

May 08, 2023 Data Breach / Software Security
The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company's private code signing keys on their dark website. "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem," Alex Matrosov, founder and CEO of firmware security firm Binarly,  said  in a tweet over the weekend. "It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake." Present in the leaked data are firmware image signing keys associated with 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. The Boot Guard keys from MSI are believed to impact several device vendors, including Intel, Lenovo and Supermicro. Intel Boot Guard is a  hardware-based security technology  that's designed to protect computers against executing tampered UEFI firmware. The development comes a month after MSI  fell victim  to a double...
Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

May 05, 2023 Programming / Software Security
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in  composer.json  with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann  said . "The package URLs were then changed to point to the forked repositories." The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows - acmephp/acmephp acmephp/core acmephp/ssl doctrine/doctrine-cache-bundle doctrine/doctrine-module doctrine/doctrine-mongo-odm-module doctrine/doctrine-orm-module doctrine/instantiator growthbook/growthbook jdorn/file-system-cache jdorn/sql-formatter khanamiryan/...
N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

Apr 21, 2023 Supply Chain Attack
The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is  tracking  the attack event under the moniker  UNC4736 ,  said  the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack." The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it  emerged  that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer. "The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CI...
North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack

North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack

Apr 12, 2023 Software Security / Cyber Attack
Enterprise communications service provider 3CX confirmed that the  supply chain attack  targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker  UNC4736 . It's worth noting that CrowdStrike has tied the attack to a Lazarus sub-group dubbed Labyrinth Chollima , citing tactical overlaps. The cybersecurity firm told The Hacker News the latest findings appear to be consistent with their previous attribution. The  attack chain , based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called  Gopuram  in...
 Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

Apr 11, 2023 Software Security / Cryptocurrency
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. The  two-stage attack  culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users' cryptocurrency accounts. "The payload used a very rare obfuscation technique, called '.NET AoT compilation,' which is a lot more stealthy than using 'off the shelf' obfuscators while still making the binary hard to reverse engineer," JFrog told The Hacker News in a statement. .NET  AoT compilation  is an  optimization technique  that allows apps to be ahead-of-ti...
Cryptocurrency Companies Targeted in Sophisticated 3CX Supply Chain Attack

Cryptocurrency Companies Targeted in Sophisticated 3CX Supply Chain Attack

Apr 04, 2023 Cryptocurrency / Cyber Attack
The adversary behind the  supply chain attack targeting 3CX  deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. Russian cybersecurity firm Kaspersky, which has been  internally tracking  the versatile backdoor under the name  Gopuram  since 2020, said it observed an increase in the number of infections in March 2023 coinciding with the 3CX breach. Gopuram's primary function is to connect to a command-and-control (C2) server and await further instructions that allow the attackers to interact with the victim's file system, create processes, and launch as many as eight in-memory modules. The backdoor's links to North Korea stem from the fact that it "co-existed on victim machines with  AppleJeus , a backdoor attributed to the Korean-speaking threat actor Lazarus," detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020. The targeting of cryptocurrency companies is another tell...
3CX Supply Chain Attack — Here's What We Know So Far

3CX Supply Chain Attack — Here's What We Know So Far

Mar 31, 2023 Cyber Threat / Supply Chain Attack
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a  supply chain attack . The version numbers include  18.12.407 and 18.12.416  for Windows and  18.11.1213, 18.12.402, 18.12.407, and 18.12.416  for macOS. The issue has been assigned the CVE identifier CVE-2023-29059 . The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422. "3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea  said  in a blog post. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server." Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows ...
New Cyber Platform Lab 1 Decodes Dark Web Data to Uncover Hidden Supply Chain Breaches

New Cyber Platform Lab 1 Decodes Dark Web Data to Uncover Hidden Supply Chain Breaches

Mar 20, 2023 Data Breach / Dark Web
2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis. Nonetheless, stolen data has value beyond a price tag, and in risky ways you may not expect. Evaluating stolen records is what  Lab 1, a new cyber monitoring platform , believes will make a big difference for long-term cybersecurity resilience. Think of data value this way:  Stolen credentials can become future phishing attacks Logins for adult websites are potential extortion attempts Travel and location data are a risk to VIPs and senior leadership, And so on… Hackers could retaliate for non-payment by simply posting their loot to forums where the data will be available for further enrichment and exploitation.  Shining a light on dark places Even though your company may not have...
Researchers Hijack Popular NPM Package with Millions of Downloads

Researchers Hijack Popular NPM Package with Millions of Downloads

Feb 16, 2023 Supply Chain / Software Security
A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack. "The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria  said  in a report. While npm's security protections limit users to have only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain. The attack, in a nutshell, grants a threat actor access to the package's associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale. This is achieved by taking advantage of a GitHub Action that's configured in the repository to automatically publish the packages when new code changes are pushed. "Even though the maintainer's npm user account i...
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages

Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages

Feb 10, 2023 Supply Chain / Software Security
Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are  aptx ,  bingchilling2 ,  httops , and  tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's  highly popular audio codec  of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma  said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated  Meterpreter payload  that's disguised as " pip ," a legitimate package installer for Python, and which can be leveraged to gain shell access to the...
Expert Insights / Articles Videos
Cybersecurity Resources