A new type of supply-chain attack with serious consequences is flourishing

by Dan Goodin, Ars Technica - All content
[Image: software code] (credit: Przemyslaw Klos / EyeEm / Getty Images)

A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.

The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it's not clear if they succeeded in executing the malware inside their networks. The npm and PyPI open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a firm that helps customers secure the applications they develop.

"Given the daily volume of suspicious npm packages being picked up by Sonatype's automated malware detection systems, we only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities," Sonatype researcher Ax Sharma wrote earlier this week.

