News

Hi folks!

Plenty of news to read through this week, so get a cup of coffee, sit back and have a good one :-)

Cheers,

Dieter


Npm debug and chalk packages compromised

Read the article (aikido.dev)

This story is still developing, but it seems that the owner of the packages got compromised, as they stated personally in this Hackernews thread. A long list of popular packages is affected, together accounting for about 2 billion downloads per week.

There are more supply-chain attacks (and their fallout) being reported on this week. For the heck of it, I'll line them up here:

  • AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack: link.
  • Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack: link.
  • Salesloft platform integration restored after probe reveals monthslong GitHub account compromise: link.

VirusTotal finds hidden malware phishing campaign in SVG files

Read the article (bleepingcomputer.com)

Apparently, one can use SVG files to display HTML and execute JavaScript, making them an interesting attack vector for phishers. VirusTotal found one such case using their AI-powered Code Insight feature, after none of the antivirus vendors detected it. Now that they knew what to look for, they looked back and found 523 more such cases.
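Since the point of the story is that an SVG can carry active content that a plain image scanner never looks for, here is an added triage helper (my own example, not VirusTotal's Code Insight or anything from the article) that walks an SVG and flags the things a defender would want to eyeball: script elements, embedded HTML via foreignObject, inline event handlers and links with a javascript: or data:text/html scheme. The two sample SVGs are constructed for the example and contain no payload.

```python
"""Flag SVG files carrying active content (script, event handlers, embedded HTML).

Added defensive example for this newsletter; not VirusTotal's detection logic.
The sample SVGs below are constructed for the example, not real phishing lures.
"""
import xml.etree.ElementTree as ET

# Element names (local part, lower-cased) that can execute code or embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# href schemes that turn a click into code execution or an inline HTML page.
RISKY_SCHEMES = ("javascript:", "data:text/html", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing active was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers parse leniently, so an unparsable file still deserves a manual look.
        return [f"unparsable XML ({exc}); inspect manually"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # also normalises xlink:href to href
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            if name == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"href with active scheme on <{tag}>")
    return findings


# Constructed samples: a plain drawing and a skeleton of the lure pattern described above.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
LURE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
    '<p>Sign in</p></body></foreignObject>'
    '<a xlink:href="javascript:void(0)"><text>Open</text></a>'
    '<script>// no payload in this sample</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc))
```

Running it prints an empty list for the benign drawing and four findings for the lure skeleton (the onload handler, the foreignObject, the javascript: link and the script element).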

How the newest ISAC aims to help food and agriculture firms thwart cyberattacks

Read the article (cybersecuritydive.com)

Interesting read on (the existence of) an ISAC (Information Sharing and Analysis Center) for the US food industry, sharing threat intel between US food industry companies.

Ukraine’s cyber chief on Russian hackers’ shifting tactics and US cyber aid

Read the article (therecord.media)

High-level read on the state of cyber warfare between Ukraine and Russia, with some interesting nuggets, like how they are tracking around 80 hacker groups that are actively targeting Ukraine, how Russia is shifting tactics, and how cooperation with the US is (fortunately) still ongoing.

The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest.

Read the article (arstechnica.com)

Several unauthorised TLS certificates were issued by a certificate authority called Fina CA for Cloudflare's 1.1.1.1 IP. According to Fina this was for "internal testing", yet issuing certificates like that without the permission of the owner of the IP is a big no-no, and could cause huge fallout if those certificates were ever leaked.

The article is a great refresher on our TLS infrastructure, something I'd advise everyone (including myself) to freshen up on once in a while.

Microsoft open-sources Bill Gates’ 6502 BASIC from 1978

Read the article (arstechnica.com)

This isn't really about security, but I still got a kick out of it. Especially the note that open-sourcing old code like this is still very important: it helps us understand in detail how early computers worked, and how their programmers managed to squeeze a whole lot of functionality out of very limited systems, a skill we are starting to lose. You can go straight to the repository here.

Quick links

  • US offers $10 million bounty for info on Russian FSB hackers: link.
  • Surge in network scans targeting Cisco ASA devices raises concerns: link.
  • Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps: link.
  • Signal adds secure cloud backups to save and restore chats: link.
  • Max severity Argo CD API flaw leaks repository credentials: link.
  • US court document website PACER buckles under MFA rollout: link.
  • CISA orders federal agencies to patch Sitecore zero-day: link.

That was it for this week. As always, thank you 1Password for supporting this newsletter, and helping to keep our passwords safe. See you all next week!