BleepingComputer reports that information- and cryptocurrency-stealing malware was discovered across 272 Python packages with nearly 75,000 downloads, all part of a malicious campaign that has grown increasingly sophisticated over the last six months.
Malware leveraged in the campaign has not only targeted browser-stored data, cryptocurrency wallet information, and Discord, Minecraft, and Roblox details, but has also enabled screenshot capture and file exfiltration from impacted systems, as well as app data manipulation, according to a Checkmarx Supply Chain Security report. While the malicious code in packages discovered in April was in plain text, the attackers added encryption and other obfuscation techniques in subsequent months, with a separate Checkmarx report noting 70 layers of obfuscation used in the campaign. With such a campaign posing a supply chain attack risk, developers and other users have been urged to carefully examine projects and package publishers on GitHub, PyPI, NPM, and other repositories and package registries.
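The "layers of obfuscation" described above are typically implemented as nested loaders: a string literal that is decoded (and often decompressed) and handed to `exec`, whose output is itself another such loader. The following added example, which is not code from the reports or the malware described, shows how a reviewer can peel such layers statically, without ever executing the package, and use the resulting depth as a triage signal. The sample inputs are constructed here: a benign one-liner, and the same one-liner wrapped in five base64/zlib `exec` layers by the helper `_wrap` (an assumption about the encoding scheme, not the campaign's actual encoder).

```python
import ast
import base64
import zlib

# Constructed sample inputs. _wrap() builds a nested loader purely so the
# unwrapper has something to analyse; the payload is a harmless print.
def _wrap(src: str, layers: int) -> str:
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f"import base64,zlib;exec(zlib.decompress(base64.b64decode('{blob}')))"
    return src

SAMPLE_BENIGN = "print('hello')"
SAMPLE_LAYERED = _wrap(SAMPLE_BENIGN, 5)


def _decode_blob(literal: str):
    """Try to turn a string literal into source text: base64, then optional zlib."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    for transform in (zlib.decompress, lambda b: b):
        try:
            return transform(raw).decode("utf-8")
        except (zlib.error, UnicodeDecodeError):
            continue
    return None


def _find_wrapped_payload(src: str):
    """Return the decoded inner source if src contains an exec(...) over an
    encoded literal, else None. The code is parsed, never run."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        is_exec = (isinstance(node, ast.Call)
                   and isinstance(node.func, ast.Name)
                   and node.func.id == "exec")
        if not is_exec:
            continue
        # Any long string constant inside the exec() argument is a candidate blob.
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str) and len(sub.value) > 20:
                inner = _decode_blob(sub.value)
                if inner is not None:
                    return inner
    return None


def unwrap_layers(src: str, max_depth: int = 100):
    """Peel nested exec/base64/zlib loaders statically.
    Returns (layers_removed, innermost_source)."""
    depth = 0
    while depth < max_depth:
        inner = _find_wrapped_payload(src)
        if inner is None:
            break
        src = inner
        depth += 1
    return depth, src


def triage(src: str) -> str:
    """Simple verdict for a reviewer: legitimate code almost never needs more
    than one decode-and-exec layer, so depth >= 2 is worth a manual look."""
    depth, _ = unwrap_layers(src)
    if depth >= 2:
        return f"suspicious: {depth} nested exec layers"
    return f"ok: {depth} nested exec layers"


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("layered", SAMPLE_LAYERED)):
        depth, final = unwrap_layers(sample)
        print(f"{name}: {triage(sample)}; innermost source: {final!r}")
```

Point `unwrap_layers` at the text of a package's `setup.py` or `__init__.py` before installing it; a non-zero depth combined with network or filesystem calls in the innermost source is the pattern the reports describe. The decoder only handles base64 and zlib, so a loader using another encoding stops the unwrapper early and shows up as a lower depth, not as clean code.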
Open-source artificial intelligence compute framework Ray has been found to be impacted by a critical vulnerability, tracked as CVE-2023-48023, which could be exploited to facilitate unauthorized node access, according to SecurityWeek.
Exposed Kubernetes secrets pose significant supply chain threat

Numerous organizations and open-source projects could be impacted by a supply chain attack stemming from publicly exposed Kubernetes secrets enabling access to sensitive Software Development Life Cycle environments, according to SecurityWeek.