Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
Briefly

"The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads. The list of affected packages includes @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, as well as related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others."
"The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession. The development comes as the supply chain attack campaign continues to slither its way through the software supply chain, worming through different open-source registries rapidly and infecting hundreds of software packages by embedding credential-stealing code into popular development tools."
""The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems," Socket said. "Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.""
"According to SafeDep, the attacker is said to have published 631 malicious versions across 314 packages. The stealer payload harvests more than 20 credential types: Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, database connection strings, and attempts Docker cont"
A software supply chain attack campaign compromised npm packages tied to the @antv ecosystem and related libraries. The affected packages include widely used tools such as echarts-for-react, along with multiple @antv packages spanning data visualization, graphing, mapping, charting, and React components. The attacker used a compromised maintainer account to publish trojanized versions in quick succession, the same tradecraft seen in Mini Shai-Hulud, a campaign that has moved rapidly across open-source registries and embedded credential-stealing code in popular development tools. The blast radius is significant because many organizations let CI or unpinned dependency ranges pull new versions automatically; even if only a subset of the account's packages received malicious updates, any project that resolved to a fresh release without review is exposed, whereas projects installing from a reviewed lockfile only pick up a trojanized version when they deliberately update. SafeDep reported 631 malicious versions across 314 packages, with a payload built to harvest cloud, platform, and developer credentials.
Read at The Hacker News