Security News > 2022 > May > Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines
A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware.
Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."
Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library.
While typosquatting attacks have been previously documented against NPM, PyPi, and RubyGems, the development marks an uncommon instance where such an incident has been discovered in the Rust ecosystem.
"Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once," SentinelOne researchers said.
"In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks."
News URL
https://thehackernews.com/2022/05/researchers-uncover-rust-supply-chain.html
Related news
- Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks (source)
- Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters (source)
- Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms (source)
- Revival Hijack supply-chain attack threatens 22,000 PyPI packages (source)
- Australian Police conducted supply chain attack on criminal collaborationware (source)
- Israel’s Pager Attacks and Supply Chain Vulnerabilities (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- Embargo ransomware escalates attacks to cloud environments (source)
- Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw (source)