The Exploit Desk
High | Supply Chain & Third-Party Risks

Typosquatted npm package quietly exfiltrates CI secrets


A malicious package mimicking a popular build tool harvested environment variables during install and shipped them to an attacker endpoint. Pin your dependencies and treat postinstall scripts as hostile.

The package mirrored a well-known build helper down to its README, then used a postinstall hook to sweep environment variables — exactly where CI systems stash tokens and cloud keys.

The payload was lightweight and obfuscated enough to slip past a casual glance, and the package lived on the registry for several days before takedown.

Defenders should pin exact versions, disable scripts where feasible, and route installs through an internal proxy that can flag newly published lookalikes.
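The first and third mitigations can be checked before a manifest ever reaches an installer. The following is an added example, not code from the article or from any project it mentions: it audits a package.json dependency map for unpinned version ranges and for names within a small edit distance of a known package. The allowlist and the sample manifest are constructed for illustration; a real deployment would feed it the organisation's own approved-package list.

```javascript
// Added example: audit a dependency map for unpinned ranges and lookalike names.
// KNOWN_PACKAGES is a constructed sample allowlist, not a curated real one.
const KNOWN_PACKAGES = ["webpack", "esbuild", "rollup", "vite", "lodash"];

// Optimal-string-alignment edit distance: an insertion, deletion, substitution
// or adjacent transposition each count as one edit. Typosquats are usually
// one or two edits away from the name they imitate.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Only an exact major.minor.patch (optionally with a prerelease tag) counts as
// pinned; ^, ~, *, ranges and tags like "latest" can resolve to a new publish.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditDependencies(deps, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!EXACT_VERSION.test(range)) {
      findings.push({ name, issue: "unpinned", detail: range });
    }
    if (known.includes(name)) continue; // exact match to an approved name
    for (const popular of known) {
      const dist = editDistance(name, popular);
      if (dist > 0 && dist <= maxDistance) {
        findings.push({ name, issue: "lookalike", detail: popular });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: one genuine but unpinned dependency and one
// name that is a single transposition away from a real build tool.
const SAMPLE_DEPS = { webpack: "^5.90.0", esbulid: "0.19.2", lodash: "4.17.21" };
console.log(auditDependencies(SAMPLE_DEPS));
```

Running this on the sample reports webpack as unpinned and esbulid as a lookalike of esbuild; pair it with `ignore-scripts=true` in `.npmrc` to cover the postinstall hook the summary describes.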

This summary was generated from open reporting.

