HackerTrans
TopNewTrendsCommentsPastAskShowJobs

6mile

133 karmajoined vor 6 Jahren
Software supply chain research, created GitHax, threat intel platform for supply chain threats and former founder of SecureStack. Author of open-source projects like the DevSecOps Playbook, TVPO threat modelling framework, and more.

Submissions

North Korean Hackers Compromise Go and PHP Packages

opensourcemalware.com
11 points·by 6mile·vor 3 Tagen·1 comments

NPM attack targets Zapier and security tool browser extensions

opensourcemalware.com
5 points·by 6mile·vor 23 Tagen·1 comments

Microsoft Compromised Again. Shuts Down Azure Function GitHub Actions

opensourcemalware.com
49 points·by 6mile·letzten Monat·2 comments

More live NPM packages attributed to Axios threat actors

opensourcemalware.com
3 points·by 6mile·vor 2 Monaten·1 comments

Popular Kubernetes Networking Project Antrea Compromised

opensourcemalware.com
3 points·by 6mile·vor 2 Monaten·1 comments

Popular Kubernetes Networking Project Antrea Compromised

opensourcemalware.com
2 points·by 6mile·vor 2 Monaten·0 comments

Intercom-client NPM package and lightning PyPI packages compromised

opensourcemalware.com
2 points·by 6mile·vor 2 Monaten·1 comments

Bitwarden CLI NPM package has been compromised

opensourcemalware.com
16 points·by 6mile·vor 3 Monaten·1 comments

Vercel Incident Response Playbook

github.com
7 points·by 6mile·vor 3 Monaten·4 comments

GitHub Accounts Compromised

opensourcemalware.com
13 points·by 6mile·vor 4 Monaten·2 comments

Neutralinojs developer framework compromised with malware

opensourcemalware.com
1 points·by 6mile·vor 4 Monaten·0 comments

Malicious skills targeting Claude Code and Moltbot users

opensourcemalware.com
181 points·by 6mile·vor 5 Monaten·87 comments

New Python "RAT-as-a-library" named "Scopper"

getsafety.com
1 points·by 6mile·vor 6 Monaten·1 comments

VSCode Tasks files used in new malware campaign

opensourcemalware.com
4 points·by 6mile·vor 7 Monaten·0 comments

[untitled]

1 points·by 6mile·vor 8 Monaten·0 comments

Undelete NPM Packages

npmjs.com
3 points·by 6mile·vor 9 Monaten·1 comments

[untitled]

1 points·by 6mile·vor 10 Monaten·0 comments

[untitled]

1 points·by 6mile·vor 10 Monaten·0 comments

comments

6mile
·vor 3 Tagen·discuss
Because the Go and Packagist registries don't require additional publishing credentials like NPM and PyPI North Korean threat actors have been able to compromise legitimate packages via their PolinRider campaign.
6mile
·vor 23 Tagen·discuss
NPM attack targeting Mastro targets browser extensions other than crypto wallets.

- Credential managers and MFA authenticators from LastPass, Bitwarden, 1Password, Deloitte, Dashlane, ExpressVPN, KeePass, Proton, Kaspersky, passbolt, NordPass, Zoho, etc. - Zapier browser extension. Assuming this is to gain access to platforms the victim has integrated with Zapier
6mile
·letzten Monat·discuss
Signs point to the Miasma worm, but this is unconfirmed yet.
6mile
·vor 2 Monaten·discuss
The same threat actor that compromised Axios published three additional NPM packages within 18 hours. Unfortunately, these packages are still alive on NPM and compromising victims.
6mile
·vor 2 Monaten·discuss
If you are a Kubernetes shop, you will want to check whether you are using the Antrea project. Nothing malicious has been deployed yet, as we caught this one early, but the threat actors compromised the Jenkins build servers, so we expect new malicious releases soon.
6mile
·vor 3 Monaten·discuss
TeamPCP claims another victim and this time they call it "Shai-Hulud: The Third Coming"
6mile
·vor 3 Monaten·discuss
We have helped several orgs with incident response and this is the playbook that we used.
6mile
·vor 4 Monaten·discuss
The bash script for checking for infection? is that what you are talking about?
6mile
·vor 6 Monaten·discuss
Hi, I'm one of the researchers that identified this threat and I blogged about it back in November (https://opensourcemalware.com/blog/contagious-interview-vsco...)

First, @Tyriar thanks for being a part of this conversation. I know you don't have to, and I want to let you know I get that you are choosing to contribute, and I personally appreciate it.

The reality is that VS Code ships in a way that is perfect for attackers to use tasks files to compromise developers:

1. You have to click "trust this code" on every repo you open, which is just noise and desensitizes the user to the real underlying security threat. What VS Code should do is warn you when there is a tasks file, especially if there is a "command" parameter in that tasks file.

2. You can add parameters like these to tasks files to disable some of the notification features so devs never see the notifications you are talking about: "presentation": { "reveal": "never", "echo": false, "focus": false, "close": true, "panel": "dedicated", "showReuseMessage": false}

3. Regardless of Microsofts observations that opening other people's code is risky, I want to remind you that all of us open other peoples code all day long, so it seems a little duplicitous to say "you'd still be vulnerable if you trust the workspace". I mean, that's kind of our jobs. Your "Workspaces" abstraction is great on paper, especially for project based workflows, but that's not the only way that most of us use VS Code. The issue here is that Microsoft created a new feature (tasks files) that executes things when I open code in VS Code. This is new, and separate from the intrinsic risk of opening other people's code. To ignore that fact to me seems like you are running away from the responsibility to address what you've created.

Because of the above points we are quickly seeing VS Code tasks file become the number one way that developers are being compromised by nation state actors (typically North Korea/Lazarus).

Just search github and you'll see what I mean: https://github.com/search?q=path%3Atasks.json+vercel.app&ref...

There are dozens and dozens of bad guys using this technique right now. Microsoft needs to step up. End of story.
6mile
·vor 6 Monaten·discuss
This malware is a full-featured RAT that uses Telegram for C2 and is only 143 lines of code. It's "RAT-as-a-library" design means that we are already seeing criminals build more complext, customized malware on top of Scopper.
6mile
·vor 9 Monaten·discuss
The undelete package lets you recover NPM packages that have been removed and are no longer in the NPM registry. Works for both the tarballs and metadata. I use it for malware research, but you can use it for whatever you want!
6mile
·vor 10 Monaten·discuss
That domain (npmjs[.]help) has been taken down. Looks like it was purchased and started hosting on September 5th, 2025.