Security News
An active malware campaign is targeting the Python Package Index (PyPI) and npm, the package repositories for Python and JavaScript, with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. According to Phylum, the rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server, selected according to the victim's operating system and microarchitecture.
It's becoming apparent that while cybersecurity platforms and defenses are critical components in defense against modern attacks, what is truly needed is secure code that can be deployed free from vulnerabilities. Many developers say they are willing to champion security and commit to higher standards of code quality and secure output, but they can't do it alone.
An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date. "The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary WASP. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales."
WASP malware is using steganography and polymorphism to evade detection with malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers.
Spotify's Backstage has been found to be vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability, at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library, that came to light last month.
Cybersecurity researchers have uncovered 29 packages in the Python Package Index, the official third-party software repository for the Python programming language, that aim to infect developers' machines with a malware called W4SP Stealer. "The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22," software supply chain security company Phylum said in a report published this week.
While some security teams are beginning to assess their own open-source security by implementing SBOMs, many businesses are considering ditching open-source software altogether. Instead of reluctantly using open source and blaming developers when something goes wrong, businesses should be working with the open-source community with the aim of improving security and working to minimize the fallout from the next vulnerability.
The report, Developer Engagement Report: Are Your Developers Happy or Halfway Out The Door?, draws on data from 860 developers worldwide from different backgrounds to identify trends in developer satisfaction and retention, and to provide best practices for IT leaders to avoid developer burnout and turnover. "We continue to be amazed by how IT leaders and developers around the globe continue to innovate in the face of challenges. However, with a global talent shortage of over one million developers, IT leaders will not be able to hire their way out of the challenges they face in response to the insatiable appetite for building high-performance, quality software," said Gonçalo Gaiolas, Chief Product Officer of OutSystems.
Open-source software has reached greater levels of security than ever before, but its increased adoption comes with new challenges. In this Help Net Security video, Josep Prat, Open Source Engineering Director at Aiven, illustrates how threat actors see greater use of open-source software as an opportunity, deploying new methods targeting tech professionals and open-source projects.