Software supply chain attacks are getting easier

The last 12 months have also seen software supply chain attacks shed complexity and boost accessibility.
No longer just the domain of nation-state actors, software supply chain attacks are increasingly being perpetrated by low-skill cybercriminals, as evidenced by the use of open source packages to support commodity phishing campaigns that deliver turnkey, automated attacks used to facilitate the theft of victim data.
Secrets related to AWS accounted for around 14% of the total discovered on PyPI.

Anticipated surge in software supply chain attacks
In the wake of high-profile attacks, software producers and end user organizations should expect to see a continued high bar of disclosure requirements as well as more pointed guidance from the federal government, including the use of SBOMs when securing the software supply chain.
"Lacking sufficient visibility, software producers and their customers are failing to spot signs of code tampering and abuse within development pipelines or threats hiding in compiled software artifacts. In 2024, we expect software supply chain attacks to escalate if organizations don't address the threat," added Vuksan.
"Businesses must shift from blind trust of the integrity of software to proven tools and processes that can verify software and ensure it is free of material risks. This includes the ability to scan raw code and compiled binaries in any software they build or buy for behaviors and unexplained changes that may indicate instances of malware and tampering."
News URL
https://www.helpnetsecurity.com/2024/01/24/software-supply-chain-abuse/