10 matches found
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index PyPI repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 package...
New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine
By Waqas Apart from displaying these messages, the packages performed no other actions. This indicates that these aren't malicious per se. This is a post from HackRead.com Read the original post: New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine...
A scanning tool for open-sourced software packages? Yes, please!
The Open Source Security Foundation OpenSSF, a collective of industry leaders aimed at improving the security of open-source software OSS, recently announced the release of a prototype tool that scans for malicious packages in open source repositories. This tool, conveniently called Package...
[Security Nation] Kate Stewart on Open-Source Projects at the Linux Foundation
!\Security Nation\ Kate Stewart on Open-Source Projects at the Linux Foundationhttps://blog.rapid7.com/content/images/2022/04/securitynationlogo.jpg In this episode of Security Nation, Jen and Tod chat with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, about the...
15-Year-Old Bug in PEAR PHP Repository Could've Enabled Supply Chain Attacks
A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. "An attacker exploiting the first one could take over...
A week in security (March 21 – 27)
Last week on Malwarebytes Labs: Anti-war open-source software developer targets Russians and Belarussians with “protestware” Elden Ring exploit traps players in infinite death loop Update now! Many HP printers affected by three critical security vulnerabilities White House urges US businesses:...
Anti-war open-source software developer targets Russians and Belarussians with “protestware”
Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country...
Developer Sabotages Open-Source Software Package
This is a big deal: A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software. The applicatio...
Undesired Behavior
Overview event-source-polyfill is an A polyfill for http://www.w3.org/TR/eventsource/ Affected versions of this package are vulnerable to Undesired Behavior. This package geo-locates users based on their IP address and if the user is Russia-based prints a political protest message in the browser ...
Pro-Ukraine ‘Protestware’ Pushes Antiwar Ads, Geo-Targeted Malware
Researchers are tracking a number of open-source "protestware" projects on GitHub that have recently altered their code to display "Stand with Ukraine" messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several code packages that were recently modified to...