HackerTrans
TopNewTrendsCommentsPastAskShowJobs

6mile

133 karmajoined 6 lat temu
Software supply chain research, created GitHax, threat intel platform for supply chain threats and former founder of SecureStack. Author of open-source projects like the DevSecOps Playbook, TVPO threat modelling framework, and more.

Submissions

North Korean Hackers Compromise Go and PHP Packages

opensourcemalware.com
11 points·by 6mile·3 dni temu·1 comments

NPM attack targets Zapier and security tool browser extensions

opensourcemalware.com
5 points·by 6mile·23 dni temu·1 comments

Microsoft Compromised Again. Shuts Down Azure Function GitHub Actions

opensourcemalware.com
49 points·by 6mile·w zeszłym miesiącu·2 comments

More live NPM packages attributed to Axios threat actors

opensourcemalware.com
3 points·by 6mile·2 miesiące temu·1 comments

Popular Kubernetes Networking Project Antrea Compromised

opensourcemalware.com
3 points·by 6mile·2 miesiące temu·1 comments

Popular Kubernetes Networking Project Antrea Compromised

opensourcemalware.com
2 points·by 6mile·2 miesiące temu·0 comments

Intercom-client NPM package and lightning PyPI packages compromised

opensourcemalware.com
2 points·by 6mile·2 miesiące temu·1 comments

Bitwarden CLI NPM package has been compromised

opensourcemalware.com
16 points·by 6mile·3 miesiące temu·1 comments

Vercel Incident Response Playbook

github.com
7 points·by 6mile·3 miesiące temu·4 comments

GitHub Accounts Compromised

opensourcemalware.com
13 points·by 6mile·4 miesiące temu·2 comments

Neutralinojs developer framework compromised with malware

opensourcemalware.com
1 points·by 6mile·4 miesiące temu·0 comments

Malicious skills targeting Claude Code and Moltbot users

opensourcemalware.com
181 points·by 6mile·5 miesięcy temu·87 comments

New Python "RAT-as-a-library" named "Scopper"

getsafety.com
1 points·by 6mile·6 miesięcy temu·1 comments

VSCode Tasks files used in new malware campaign

opensourcemalware.com
4 points·by 6mile·7 miesięcy temu·0 comments

[untitled]

1 points·by 6mile·8 miesięcy temu·0 comments

Undelete NPM Packages

npmjs.com
3 points·by 6mile·9 miesięcy temu·1 comments

[untitled]

1 points·by 6mile·10 miesięcy temu·0 comments

[untitled]

1 points·by 6mile·10 miesięcy temu·0 comments

comments

6mile
·3 dni temu·discuss
Because the Go and Packagist registries don't require additional publishing credentials like NPM and PyPI North Korean threat actors have been able to compromise legitimate packages via their PolinRider campaign.
6mile
·23 dni temu·discuss
NPM attack targeting Mastro targets browser extensions other than crypto wallets.

- Credential managers and MFA authenticators from LastPass, Bitwarden, 1Password, Deloitte, Dashlane, ExpressVPN, KeePass, Proton, Kaspersky, passbolt, NordPass, Zoho, etc. - Zapier browser extension. Assuming this is to gain access to platforms the victim has integrated with Zapier
6mile
·w zeszłym miesiącu·discuss
Signs point to the Miasma worm, but this is unconfirmed yet.
6mile
·2 miesiące temu·discuss
The same threat actor that compromised Axios published three additional NPM packages within 18 hours. Unfortunately, these packages are still alive on NPM and compromising victims.
6mile
·2 miesiące temu·discuss
If you are a Kubernetes shop, you will want to check whether you are using the Antrea project. Nothing malicious has been deployed yet, as we caught this one early, but the threat actors compromised the Jenkins build servers, so we expect new malicious releases soon.
6mile
·3 miesiące temu·discuss
TeamPCP claims another victim and this time they call it "Shai-Hulud: The Third Coming"
6mile
·3 miesiące temu·discuss
We have helped several orgs with incident response and this is the playbook that we used.
6mile
·4 miesiące temu·discuss
The bash script for checking for infection? is that what you are talking about?
6mile
·6 miesięcy temu·discuss
Hi, I'm one of the researchers that identified this threat and I blogged about it back in November (https://opensourcemalware.com/blog/contagious-interview-vsco...)

First, @Tyriar thanks for being a part of this conversation. I know you don't have to, and I want to let you know I get that you are choosing to contribute, and I personally appreciate it.

The reality is that VS Code ships in a way that is perfect for attackers to use tasks files to compromise developers:

1. You have to click "trust this code" on every repo you open, which is just noise and desensitizes the user to the real underlying security threat. What VS Code should do is warn you when there is a tasks file, especially if there is a "command" parameter in that tasks file.

2. You can add parameters like these to tasks files to disable some of the notification features so devs never see the notifications you are talking about: "presentation": { "reveal": "never", "echo": false, "focus": false, "close": true, "panel": "dedicated", "showReuseMessage": false}

3. Regardless of Microsofts observations that opening other people's code is risky, I want to remind you that all of us open other peoples code all day long, so it seems a little duplicitous to say "you'd still be vulnerable if you trust the workspace". I mean, that's kind of our jobs. Your "Workspaces" abstraction is great on paper, especially for project based workflows, but that's not the only way that most of us use VS Code. The issue here is that Microsoft created a new feature (tasks files) that executes things when I open code in VS Code. This is new, and separate from the intrinsic risk of opening other people's code. To ignore that fact to me seems like you are running away from the responsibility to address what you've created.

Because of the above points we are quickly seeing VS Code tasks file become the number one way that developers are being compromised by nation state actors (typically North Korea/Lazarus).

Just search github and you'll see what I mean: https://github.com/search?q=path%3Atasks.json+vercel.app&ref...

There are dozens and dozens of bad guys using this technique right now. Microsoft needs to step up. End of story.
6mile
·6 miesięcy temu·discuss
This malware is a full-featured RAT that uses Telegram for C2 and is only 143 lines of code. It's "RAT-as-a-library" design means that we are already seeing criminals build more complext, customized malware on top of Scopper.
6mile
·9 miesięcy temu·discuss
The undelete package lets you recover NPM packages that have been removed and are no longer in the NPM registry. Works for both the tarballs and metadata. I use it for malware research, but you can use it for whatever you want!
6mile
·10 miesięcy temu·discuss
That domain (npmjs[.]help) has been taken down. Looks like it was purchased and started hosting on September 5th, 2025.