Hackers have compromised dozens of popular open source packages in an ongoing supply-chain attack | TechCrunch

In an ongoing cyberattack, hackers have compromised several popular open source projects that software developers all over the world rely on.

On Tuesday, cybersecurity firms StepSecurity and SafeDep warned of the latest wave of supply-chain attacks, which aim to compromise developers of popular open source projects and use that access to plant malicious updates that are pushed to users downstream.

According to SafeDep, hackers took over the account of one developer and released over 630 malicious versions across 317 packages in about 20 minutes. The goal of the attack is to steal credentials for various services, including password managers, as a way to steal data and continue spreading the malware.
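The pattern just described, a single maintainer account pushing hundreds of versions across many packages within minutes, is unusual enough that publish cadence can serve as a triage signal. The following Python is an added illustration written for this article, not code from TechCrunch, SafeDep, StepSecurity or any of the affected projects: it takes per-package publish histories in the shape the npm registry's `time` field would give (version to timestamp) and flags packages whose versions were published in a burst, then cross-checks a pinned lockfile against those bursts. All package names, versions, timestamps and the lockfile contents are constructed sample data; the window and threshold values are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> ISO-8601 publish time per package, in the
# shape of the registry's "time" metadata. Names and values are invented.
SAMPLE_REGISTRY = {
    "example-pkg-a": {              # three releases in eight minutes
        "1.4.0": "2025-06-01T10:00:00Z",
        "1.4.1": "2025-06-03T14:20:00Z",
        "1.4.2": "2025-06-24T09:01:00Z",
        "1.4.3": "2025-06-24T09:05:00Z",
        "1.4.4": "2025-06-24T09:09:00Z",
    },
    "example-pkg-b": {              # ordinary cadence, days apart
        "2.0.0": "2025-05-10T08:00:00Z",
        "2.0.1": "2025-05-20T08:30:00Z",
        "2.1.0": "2025-06-15T16:45:00Z",
    },
    "example-pkg-c": {              # two quick releases: below the threshold
        "0.1.0": "2025-06-24T12:00:00Z",
        "0.1.1": "2025-06-24T12:05:00Z",
    },
}

# Constructed lockfile excerpt: dependency name -> pinned version.
SAMPLE_LOCKFILE = {
    "example-pkg-a": "1.4.3",
    "example-pkg-b": "2.0.1",
    "example-pkg-c": "0.1.1",
}


def _parse(ts: str) -> datetime:
    """Parse the registry's UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_publish_bursts(registry, window_minutes=20, min_versions=3):
    """Return {package: [versions]} for packages that published at least
    `min_versions` versions inside any `window_minutes` sliding window.
    Defaults are assumed values for this demonstration."""
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for name, times in registry.items():
        events = sorted((_parse(ts), ver) for ver, ts in times.items())
        flagged = set()
        j = 0  # right edge of the window; only ever moves forward
        for i, (t_i, _) in enumerate(events):
            while j < len(events) and events[j][0] - t_i <= window:
                j += 1
            if j - i >= min_versions:
                flagged.update(ver for _, ver in events[i:j])
        if flagged:
            bursts[name] = sorted(flagged)
    return bursts


def flag_locked_versions(lockfile, registry, **kwargs):
    """Return the pinned dependencies whose exact version was published
    as part of a burst, i.e. the ones worth reviewing before installing."""
    bursts = find_publish_bursts(registry, **kwargs)
    return {name: ver for name, ver in lockfile.items()
            if ver in bursts.get(name, [])}


if __name__ == "__main__":
    for pkg, versions in find_publish_bursts(SAMPLE_REGISTRY).items():
        print(f"burst: {pkg} -> {', '.join(versions)}")
    for pkg, ver in flag_locked_versions(SAMPLE_LOCKFILE, SAMPLE_REGISTRY).items():
        print(f"review pinned {pkg}@{ver}")
```

A burst on its own is not proof of compromise: monorepos legitimately publish many packages in one release, and a maintainer may push several quick fixes in a row. The signal becomes far stronger when the same publisher account appears behind bursts across unrelated packages at the same minute, which is why a real check would also join on publisher identity from the registry metadata rather than looking at each package in isolation.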

Among the packages that the hackers compromised is AntV, a library made by Alibaba. In some cases, the hackers published malicious updates on GitHub, according to JFrog Security.

This latest wave of attacks is part of a wider campaign targeting open source projects and the developers who use the code for their own projects. Researchers have dubbed the hacks “Mini Shai-Hulud,” as the attack follows a previous, more expansive hacking campaign.

Last week, in an earlier wave of the Mini Shai-Hulud attacks, hackers compromised the computers of two OpenAI employees after hacking the open source library TanStack. OpenAI was just one of several victims.
