Supply-chain attacks on open source software are getting out of hand
Summary
The latest in a series of supply-chain attacks saw ten packages on global talent agency Toptal’s npm page found to contain malware; they were downloaded by approximately 5,000 users before the breach was detected and the packages were removed.
Security firm Socket believes the hackers behind the attack gained access to Toptal’s account by compromising its GitHub Organisation.
While it is not yet known how the attack was carried out, the packages are thought to have been published to npm via GitHub Actions or stored npm tokens that became accessible once the GitHub Organisation had been breached.
The malicious code extracted the target’s GitHub authentication token, which gave the attackers persistent access to the target’s GitHub repositories and could be used in further supply-chain attacks.
The script also attempted to delete the entire filesystem of the target’s device.
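An added defender-side check, not code from Socket’s report or from Toptal: it audits the npm lifecycle hooks (preinstall/postinstall and friends) that run automatically during `npm install`, which is where an install-time payload like the one described would execute, and flags the behaviours the summary names (credential access, destructive deletes). The indicator patterns, the hypothetical helper names and the sample manifest are assumptions constructed for illustration, not indicators from the incident.

```python
import json
import re
from pathlib import Path

# npm runs these hooks automatically during `npm install`; install-time malware sits here.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Indicator patterns are illustrative assumptions, not IoCs from the report.
INDICATORS = [
    (re.compile(r"\brm\s+-rf\s+(?:/\*?|~/?|\$HOME/?)(?:\s|$)"), "recursive delete of home or root"),
    (re.compile(r"\bgh\s+auth\s+token\b|\bGITHUB_TOKEN\b|\bGH_TOKEN\b"), "touches GitHub credential"),
    (re.compile(r"\bcurl\b|\bwget\b|https?://"), "network access from install hook"),
    (re.compile(r"\bnode\s+-e\b|\beval\b|\bbase64\b"), "inline or encoded code"),
]

SAMPLE_MANIFEST = {  # constructed sample for the demo, not from the incident
    "name": "sample-pkg",
    "scripts": {"test": "jest", "postinstall": "node -e \"process.env.GH_TOKEN\" && rm -rf ~/"},
}

def audit_manifest(manifest):
    """Return (hook, reason) pairs for each lifecycle script matching an indicator."""
    findings = []
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return findings
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for pattern, reason in INDICATORS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings

def audit_tree(node_modules):
    """Walk an installed node_modules tree; map package name -> findings."""
    report = {}
    for manifest_path in Path(node_modules).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        findings = audit_manifest(manifest)
        if findings:
            report[manifest.get("name", str(manifest_path))] = findings
    return report

if __name__ == "__main__":
    for hook, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{SAMPLE_MANIFEST['name']}: {hook}: {reason}")
```

Run it against a project’s `node_modules` with `audit_tree("node_modules")` before trusting a fresh install; a hit is a prompt to read the hook, not proof of compromise.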