304 posts tagged ‘open-source’.
Post Mortem: axios npm supply chain compromise Date: March 31, 2026 Author: Jason Saayman Status: Remediation in progress On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were...
An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT.
Insights from Internet Scanning and Open Source Intelligence
The author's work laptop was compromised by a foreign actor. This post details how their company's security tools caught the attack and prevented a disaster.
Les Cast Codeurs is a French-language podcast of, by and for developers. Catch up on the latest news from the Java sphere and software development in general. Dive into a specific topic with the interview episodes.
A coordinated phishing campaign is targeting high-impact open source maintainers. Plus: Scorecard v6 evolving into a security evidence engine, 12 CVEs patched across undici, fastify, path-to-regexp and lodash, and a conversation about Node.js in production.
Issue 5 of our Threat Intelligence information
This week we have a look at the current chaos. Be it political or technical, we’re going through some radical changes. And I can’t help but think, if this is what progress looks like, oh crap. Supply Chain Chaos We start by having a look at an article by Ian about the Mad Emperor. No prizes for guessing who is meant there. From the outside in, it really looks like there’s no plan or no idea about the kind of problems the attack on Iran is causing.
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
602 posts tagged ‘security’.
The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved …