Скачать или смотреть Historic NPM Supply Chain Attack Targets Crypto Wallets

…
Hackers carried out what is being called the largest supply chain attack in history by compromising a popular npm maintainer’s account through a phishing email sent from a fake npmjs[.]help domain.

The attackers gained control of several high-profile npm packages with over 2.6 billion weekly downloads, including chalk, debug, ansi-styles, and supports-color. Malicious updates embedded JavaScript code into package files that functions as a browser interceptor, hijacking cryptocurrency wallet transactions by replacing destination addresses with attacker-controlled ones.

The malware targeted Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash by hooking into browser APIs such as fetch, XMLHttpRequest, and wallet interfaces. The impact was limited to users who installed the compromised packages between approximately 9 AM and 11:30 AM ET, but the scale of exposure is unprecedented.

The npm team has since removed the malicious versions, although attackers also attempted to phish additional maintainers using the same impersonation tactics.


RECOMMENDATIONS:

1. Mandate phishing-resistant MFA (such as hardware keys or passkeys) for all developers with package publishing rights to prevent account takeovers.

2. Implement strict package signing and verification so organizations can identify and prevent malicious updates from entering production environments.


Also in today's cybersecurity news…


Arctic Wolf uncovered GPUGate, a new malware campaign that combines abuse of GitHub, Google Ads malvertising, and GPU-dependent decryption to target IT professionals in Western Europe.

Attackers used sponsored ads to redirect users searching for “GitHub Desktop” to a malicious domain that mimicked legitimate repositories, tricking victims into downloading a bloated MSI installer. This installer evaded sandboxes by embedding over 100 dummy files and only decrypted its payload on machines with real GPUs, filtering out many virtualized research environments.

Once executed, the malware used PowerShell for persistence, privilege escalation, and creating Windows Defender exclusions, while retrieving modular payloads via ZIP archives and DLL sideloading. Evidence suggests the operators are Russian-speaking, with techniques aligning with credential theft, info stealing, and possible ransomware deployment.

The campaign also delivered AMOS Stealer variants to macOS users. Arctic Wolf notes this approach marks a significant advancement in hardware-aware anti-analysis methods and expects similar techniques to spread.


RECOMMENDATIONS:

1. Mandate downloading software only from official sources, verifying URLs and repository branches, and discourage users from clicking on ads or sponsored links.

2. Provide regular security awareness training to help employees identify phishing attempts and confirm download sources.

…

Visit our blog for more daily Intel ➜ https://cyderes.com/blog

See our newsletter for deeper monthly insights ➜ https://cyderes.com/newsletter

Catch our podcast for brief cyber updates ➜    / @beeverydayready  

Follow our story ➜   / cyderes  

…

#beeverydayready #cybersecurity #cyderes