All news with #software supply chain security tag

52 articles · page 2 of 3

Malicious npm Packages Target n8n in Supply-Chain Attack

🔐 Endor Labs discovered malicious npm packages this week that impersonated community nodes for the n8n workflow automation platform, harvesting OAuth tokens and API keys when installed. The deceptive packages presented legitimate-looking configuration screens while executing code to decrypt credentials from n8n’s credential store and exfiltrate them to attacker-controlled C2 servers. Because n8n treats installed nodes as trusted code with full access to the workflow environment, these packages bypass typical supply-chain monitoring and can perform arbitrary network requests and host interactions. Endor recommends preferring built-in integrations, auditing package source and metadata, monitoring outbound traffic from automation hosts, and using isolated, least-privilege service accounts.

SBOM Explained: Software Bill of Materials and Compliance

📄 A Software Bill of Materials (SBOM) is a structured, machine-readable inventory that records every component and dependency inside a software product. An SBOM improves visibility across complex supply chains and helps vendors and buyers quickly identify affected systems after incidents such as SolarWinds or Log4j. U.S. policy and forthcoming European rules are driving wider adoption, and the NTIA defines minimum elements and acceptable formats (SPDX, CycloneDX, SWID). Generating SBOMs via Software Composition Analysis or build tooling and integrating them into DevSecOps processes is now considered best practice.

Airbus A320 Software Rollback After Flight Control Fault

✈️ Airbus announced a software rollback after an A320 experienced an unexpected nose‑down maneuver on October 30, 2025, an event that sent multiple passengers to hospital and grounded aircraft for inspection. Airbus said intense solar radiation may have corrupted data critical to flight controls, but operators were able to mitigate many cases by reverting ELAC software from L104 to L103. The episode spotlights SDLC failings — notably test engineering, CI/CD, observability and supply‑chain integration — rather than merely cosmic rays.

AWS Response and Lessons from npm Supply-Chain Attacks

🔒 AWS Security details its incident response to multiple high-scale npm supply chain campaigns, including the compromised Nx package, the Shai-Hulud worm, and a token-farming operation detected by Amazon Inspector. Teams enacted rapid containment (repository blocklisting, OpenSSF registration), performed deep analysis using AI-assisted detonation in sandboxes, and automated disclosures to protect customers. The effort produced improved behavioral detections, GenAI prompt guardrails for Amazon Q, and strengthened collaboration with the security community to reduce future exposure.

Sha1-Hulud NPM Worm Returns, Broad Supply‑Chain Risk

🔐 A new wave of the self‑replicating npm worm, dubbed Sha1‑Hulud: The Second Coming, impacted over 800 packages and 27,000 GitHub repositories, targeting API keys, cloud credentials, and repo authentication data. The campaign backdoored packages, republished malicious installs, and created GitHub Actions workflows for command‑and‑control while dynamically installing Bun to evade Node.js defenses. GitGuardian reported hundreds of thousands of exposed secrets; PyPI was not affected.

Shai-Hulud v2 Supply-Chain Campaign Hits Maven Central

⚠️ The second wave of the Shai-Hulud supply-chain attack has moved from npm into the Maven ecosystem after researchers found org.mvnpm:posthog-node:4.18.1 embedding the same setup_bun.js loader and bun_environment.js payload. The artifact was rebundled via an automated mvnpm process and was not published by PostHog; mirrored copies were purged from Maven Central on Nov 25, 2025. The campaign steals API keys, cloud credentials and npm/GitHub tokens by backdooring developer environments and injecting malicious GitHub workflows, affecting thousands of repositories.

Shai-Hulud 2.0: Inside a Major npm Supply-Chain Attack

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21–23 November attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

Critical RCE in expr-eval JavaScript Library, affects NPM

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.

NuGet Packages Deliver Planned Disruptive Time Bombs

⚠️ Researchers found nine NuGet packages published under the developer name shanhai666 that combine legitimate .NET libraries with a small sabotage payload set to trigger between 2027 and 2028. The malicious code uses C# extension methods to intercept database and PLC operations and probabilistically terminate processes or corrupt writes. Socket advises immediate audits, removal from CI/CD pipelines, and verification of package provenance.

10 Promising Cybersecurity Startups CISOs Should Know

🔒 This roundup profiles ten cybersecurity startups founded in 2020 or later that CISOs should watch, chosen for funding, leadership, customer traction, and strategic clarity. It highlights diverse categories including non-human identity, software supply chain, data security posture, and AI agent security. Notable vendors such as Astrix, Chainguard, Cyera, and Drata have raised substantial capital and achieved rapid enterprise adoption. The list underscores investor enthusiasm and the rise of runtime‑focused and agentic defenses.

Modern Software Supply-Chain Attacks and Impact Today

🔒 Modern supply-chain incidents like the Chalk and Debug hijacks show that impact goes far beyond direct financial theft. Response teams worldwide paused work, scanned environments, and executed remediation efforts even though researchers at Socket Security traced the attackers' on-chain haul to roughly $600. The larger cost is operational disruption, repeated investigations, and erosion of trust across OSS ecosystems. Organizations must protect people, registries, and CI/CD pipelines to contain downstream contamination.

Malicious npm Packages Steal Developer Credentials

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and used a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.

SBOM Implementation: Eight Best Tools for Supply Chains

🔍 To secure modern software you must know what's inside it, and a Software Bill of Materials (SBOM) provides that transparency. An SBOM should be machine-readable, include component, version, license and patch data, and be generated automatically in CI/CD using standards like SPDX, CycloneDX or SWID. The article reviews eight tools — including Anchore, FOSSA, GitLab and Mend — that generate, analyze and manage SBOMs across the build, registry and runtime lifecycles.

Python Foundation Rejects $1.5M NSF Grant Over DEI Terms

🛡️ The Python Software Foundation (PSF) withdrew a $1.5 million proposal to the U.S. National Science Foundation after the approved award included conditions that would bar all PSF programs from activities that 'advance or promote diversity, equity, and inclusion.' The funding, under NSF’s Safety, Security, and Privacy of Open Source Ecosystems program, was intended to support automated malware-detection tools for PyPI and to be ported to other package ecosystems. PSF leaders said DEI is central to their mission, creating an unacceptable conflict that led the board to unanimously decline the grant and ask the community for donations and membership support.

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️ Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent PAX/ustar header handling that allows attackers to 'smuggle' additional entries by exploiting size overrides. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability affecting projects like testcontainers and wasmCloud.

Malicious npm, PyPI and RubyGems Packages Use Discord C2

⚠️ Researchers at a software supply chain security firm found multiple malicious packages across npm, PyPI, and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate developer secrets. Examples include npm packages that siphon config files and a Ruby gem that sends host files like /etc/passwd to a hard-coded webhook. The investigators warn that webhook-based C2 is cheap, fast, and blends into normal traffic, enabling early-stage compromise via install-time hooks and build scripts. The disclosure also links a large North Korean campaign that published hundreds of malicious packages to deliver stealers and backdoors.

Defending Against npm Supply Chain Threats and Worms

🔒 In September, attackers used stolen maintainer credentials to inject malicious payloads into widely used npm packages such as chalk and debug, followed by the self‑propagating Shai‑Hulud worm that harvested npm tokens, GitHub PATs, and cloud credentials. The compromised packages and postinstall scripts allowed silent interception of cryptocurrency activity and automated propagation across developer environments. AWS recommends immediate actions: audit dependencies, rotate secrets, inspect CI/CD pipelines for unauthorized workflows or injected scripts, and use Amazon Inspector to detect malicious packages and share validated intelligence with OpenSSF.

PyPI Invalidates Tokens Stolen in GhostAction Attack

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.

Popular npm packages trojanized to mine cryptocurrency

⚠️ Several widely used npm packages were trojanized after attackers phished maintainers, injecting obfuscated JavaScript that turns affected web applications into cryptodrainers. The malicious code executes in visitors' browsers, intercepting network traffic and API requests to rewrite cryptocurrency wallet addresses for Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash and Tron and redirect funds to attacker-controlled wallets. npm removed infected packages about three hours after the attack began, but total downloads during that window remain unknown. Developers are advised to audit dependencies, pin safe versions with overrides in package.json, and use anti-phishing protections.

Phished Maintainer Leads to Compromise of 20 npm Packages

⚠️ A maintainer of widely used npm packages was phished, allowing attackers to publish malicious updates to 20 modules that together exceed two billion weekly downloads. Researchers from Aikido Security and Socket found the injected payload hooks browser APIs (window.fetch, XMLHttpRequest, window.ethereum.request) to intercept and rewrite cryptocurrency transactions. The malware substitutes recipient addresses by computing Levenshtein distance to closely match intended wallets, putting end users and developers who connect wallets at risk. The incident highlights the persistent supply-chain threat to package ecosystems.