Supply chain attacks

New type of attack, via the Visual Studio Code marketplace:

"All extensions run with the privileges of the user that has opened the VS Code without any sandbox. This means that the extension can install any program on your computer including ransomwares, wipers, and more."

Supply-chain attack via npm/Python repositories: a first case, another one

Supply-chain attack via typosquatting on Python packages: https://thehackernews.com/2021/07/several-malicious-typosquatted-python.html

Supply-chain attack: the attack itself is somewhat crude but illustrates the risk well; the commit was made using the accounts of known contributors https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/?comments=1

https://thehackernews.com/2023/01/malware-attack-on-circleci-engineers.html
CircleCI: an admin's tokens were recovered (MFA was bypassed via cookie theft), then the data was exfiltrated along with the encryption keys.
"Though all the data exfiltrated was encrypted at rest, the third-party extracted encryption keys from a running process, enabling them to potentially access the encrypted data," Zuber said.

https://thehackernews.com/2023/02/hackers-abused-microsofts-verified.html
Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a phishing campaign designed to breach organizations' cloud environments and steal email.
What's notable about the campaign is that by mimicking popular brands, it was also successful at fooling Microsoft in order to gain the blue verified badge. "The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," the company explained.

These attacks, which were first observed on December 6, 2022, employed lookalike versions of legitimate apps like Zoom to deceive targets into authorizing access and facilitate data theft. Targets included finance and marketing staff, managers, and senior executives.
Proofpoint noted the malicious OAuth apps had "far-reaching delegated permissions" such as reading emails, adjusting mailbox settings, and gaining access to files and other data connected to the user's account.

Hardware (cameras) in UK
https://www.theregister.com/2023/06/08/uk_government_china_cam_removal/
Removal from the procurement supply chain of physical surveillance equipment produced by companies subject to the National Intelligence Law of the People's Republic of China.

It lets an attacker include a dependency in a package that won't show up on the npm website, even though the CLI will actually install it.

"Without throwing any specific security vendors under the bus, I’ll just say that every one of the dependency tools I’ve tested misses entire dependencies because of shortcuts taken, and a fundamental failure to understand the npm package installation process," he said.
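A defender-side check for the mismatch described in the two notes above, added here as an example and not code from the original page or from npm: it compares the manifest the registry advertises with the package.json inside the published tarball and reports the dependencies and scripts the registry never declared. Both manifests and the tarball are constructed inline; in practice the registry manifest would come from the packument and the tarball from the version's download URL.

```python
import io
import json
import tarfile

# Constructed sample registry manifest: what the npm website/API reports.
REGISTRY_MANIFEST = {
    "name": "example-lib",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21"},
}

# Constructed package.json inside the tarball: the CLI installs from this,
# and it carries a dependency and a script the registry manifest never shows.
TARBALL_PACKAGE_JSON = {
    "name": "example-lib",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "hidden-dep": "1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
}

FIELDS = ("dependencies", "optionalDependencies", "peerDependencies", "scripts")

def make_tarball(package_json: dict) -> bytes:
    """Build an in-memory npm-style tarball (files live under package/)."""
    data = json.dumps(package_json).encode()
    info = tarfile.TarInfo("package/package.json")
    info.size = len(data)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_tarball_manifest(tarball: bytes) -> dict:
    """Return the package.json the npm CLI actually acts on at install time."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return json.load(tar.extractfile("package/package.json"))

def find_hidden_entries(registry: dict, tarball_manifest: dict) -> dict:
    """Map field -> entries present in the tarball but absent from the registry."""
    hidden = {}
    for field in FIELDS:
        extra = {k: v for k, v in tarball_manifest.get(field, {}).items()
                 if k not in registry.get(field, {})}
        if extra:
            hidden[field] = extra
    return hidden

def check_sample() -> dict:
    tarball = make_tarball(TARBALL_PACKAGE_JSON)
    return find_hidden_entries(REGISTRY_MANIFEST, read_tarball_manifest(tarball))
```

An empty result means the two manifests agree; any non-empty field is a package whose install-time behaviour differs from what the registry page shows.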