25 Mar, 2025

GitHub Action hack likely led to another in cascading supply chain attack

A cascading supply chain attack that began with the compromise of the “reviewdog/action-setup@v1” GitHub Action is believed to have led to the recent breach of “tj-actions/changed-files” that leaked CI/CD secrets. Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories. If those […]

3 mins read

Supply chain attack on popular GitHub Action exposes CI/CD secrets

A supply chain attack on the widely used ‘tj-actions/changed-files’ GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs. The GitHub Action is a very popular automation tool designed for GitHub Actions workflows. It allows developers to identify files changed in a pull request or commit […]

2 mins read

North Korean Lazarus hackers infect hundreds via npm packages

Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. The packages, which have been downloaded 330 times, are designed to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information. The Socket Research Team discovered the campaign and linked it to previously […]

2 mins read

Silk Typhoon hackers now target IT supply chains to breach networks

Microsoft warns that Chinese cyber-espionage threat group ‘Silk Typhoon’ has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers. The tech giant has confirmed breaches across multiple industries, including government, IT services, healthcare, defense, education, NGOs, and energy. “They [Silk Typhoon] exploit […]

3 mins read

Apiiro unveils free scanner to detect malicious code merges

Security researchers at Apiiro have released two free, open-source tools designed to detect and block malicious code before it is added to software projects to curb supply chain attacks. The two tools consist of a comprehensive ruleset for Semgrep and Opengrep designed to detect malicious code patterns with minimal false positives and PRevent, a GitHub-integrated scanner, […]

2 mins read

DeepSeek AI tools impersonated by infostealer malware on PyPI

Threat actors are taking advantage of the rise in popularity of DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. The packages were named “deepseeek” and “deepseekai” after the Chinese artificial intelligence startup, developer of the R1 large-language model that recently saw […]

2 mins read

PyPI adds project archiving system to stop malicious updates

The Python Package Index (PyPI) has announced the introduction of ‘Project Archival,’ a new system that allows publishers to archive their projects, indicating to the users that no updates are to be expected. The projects will still be hosted on PyPI, and users will still be able to download them but they will see a warning […]

3 mins read

Solana Pump.fun tool DogWifTool compromised to drain wallets

Hackers have compromised the Windows version of the DogWifTools software for promoting meme coins on the Solana blockchain in a supply-chain attack that drained users’ wallets. The developers claim that a malicious threat actor compromised the project’s private GitHub repository after reverse engineering the software to extract a GitHub token. The maintainers of the platform said […]

3 mins read

IPany VPN breached in supply-chain attack to push custom malware

South Korean VPN provider IPany was breached in a supply chain attack by the “PlushDaemon” China-aligned hacking group, who compromised the company’s VPN installer to deploy the custom ‘SlowStepper’ malware. The hackers managed to infiltrate IPany’s development platform and insert their custom ‘SlowStepper’ backdoor into its installer (‘IPanyVPNsetup.exe’), which infected customer systems when the VPN was […]

3 mins read

Microsoft issues urgent dev warning to update .NET installer link

Microsoft is forcing .NET developers to quickly update their apps and developer pipelines so they do not use ‘azureedge.net’ domains to install .NET components, as the domain will soon be unavailable due to the bankruptcy and imminent shutdown of CDN provider Edgio. Specifically, the domains “dotnetcli.azureedge.net” and “dotnetbuilds.azureedge.net” will be taken offline in the next […]

3 mins read