Software supply chain research, created GitHax, threat intel platform for supply chain threats and former founder of SecureStack. Author of open-source projects like the DevSecOps Playbook, TVPO threat modelling framework, and more.
Because the Go and Packagist registries don't require additional publishing credentials like NPM and PyPI North Korean threat actors have been able to compromise legitimate packages via their PolinRider campaign.
NPM attack targeting Mastro targets browser extensions other than crypto wallets.
- Credential managers and MFA authenticators from LastPass, Bitwarden, 1Password, Deloitte, Dashlane, ExpressVPN, KeePass, Proton, Kaspersky, passbolt, NordPass, Zoho, etc.
- Zapier browser extension. Assuming this is to gain access to platforms the victim has integrated with Zapier
The same threat actor that compromised Axios published three additional NPM packages within 18 hours. Unfortunately, these packages are still alive on NPM and compromising victims.
If you are a Kubernetes shop, you will want to check whether you are using the Antrea project. Nothing malicious has been deployed yet, as we caught this one early, but the threat actors compromised the Jenkins build servers, so we expect new malicious releases soon.
First, @Tyriar thanks for being a part of this conversation. I know you don't have to, and I want to let you know I get that you are choosing to contribute, and I personally appreciate it.
The reality is that VS Code ships in a way that is perfect for attackers to use tasks files to compromise developers:
1. You have to click "trust this code" on every repo you open, which is just noise and desensitizes the user to the real underlying security threat. What VS Code should do is warn you when there is a tasks file, especially if there is a "command" parameter in that tasks file.
2. You can add parameters like these to tasks files to disable some of the notification features so devs never see the notifications you are talking about:
"presentation": {
"reveal": "never",
"echo": false,
"focus": false,
"close": true,
"panel": "dedicated",
"showReuseMessage": false}
3. Regardless of Microsofts observations that opening other people's code is risky, I want to remind you that all of us open other peoples code all day long, so it seems a little duplicitous to say "you'd still be vulnerable if you trust the workspace". I mean, that's kind of our jobs. Your "Workspaces" abstraction is great on paper, especially for project based workflows, but that's not the only way that most of us use VS Code. The issue here is that Microsoft created a new feature (tasks files) that executes things when I open code in VS Code. This is new, and separate from the intrinsic risk of opening other people's code. To ignore that fact to me seems like you are running away from the responsibility to address what you've created.
Because of the above points we are quickly seeing VS Code tasks file become the number one way that developers are being compromised by nation state actors (typically North Korea/Lazarus).
This malware is a full-featured RAT that uses Telegram for C2 and is only 143 lines of code. It's "RAT-as-a-library" design means that we are already seeing criminals build more complext, customized malware on top of Scopper.
The undelete package lets you recover NPM packages that have been removed and are no longer in the NPM registry. Works for both the tarballs and metadata. I use it for malware research, but you can use it for whatever you want!