As the Service explained in its apology, it intended that those photos would 'provide more vivid information to the public.' Instead, they provided vivid information to crooks who recognized the photos included a seed phrase - a credential used to recover access to a cryptocurrency wallet if passwords and other means of logging in are lost.
We've excised the text, but suffice it to say that the whiteboard contains usernames and passwords for system access. It's a change from a Post-it note stuck to the screen, but it's no less likely to make a security professional shriek in horror. After all, not only is the account exposed, but anyone can use it, which renders an access log somewhat redundant.
The Sysdig Threat Research Team said they observed the break-in on November 28, and noted it stood out not only for its speed, but also for the "multiple indicators" suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking - using a compromised cloud account to access cloud-hosted LLMs.
The trojanized npm packages, which were first discovered late Sunday by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September. The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven't observed downstream attacks originating from credentials stolen by the malware.
