Supply-chain attacks on open source software are getting out of hand
9 months ago
- #npm-security
- #supply-chain-attack
- #open-source
- Supply-chain attacks targeted open source software in public repositories, compromising developer accounts and distributing malicious packages.
- 10 malicious JavaScript packages on npm, linked to Toptal, were downloaded by 5,000 users before detection and removal.
- Attackers compromised Toptal's GitHub organization to publish the malicious npm packages, possibly through GitHub Actions workflows or stored npm publishing tokens.
- The attack's method and the relationship between GitHub changes and npm publishing remain unclear without more forensic evidence.
- The malicious payload in the packages stole GitHub authentication tokens and attempted to delete the victim's filesystem.
- Because inspecting every program before use is impractical, the ecosystem depends on trust in volunteer-maintained libraries, and this incident shows how fragile that trust is.
- Future measures may include AI security checks for code and stronger account verification to combat such threats.