Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification
6 Articles
Hackers Breach Toptal GitHub, Publish 10 Malicious npm Packages With 5,000 Downloads
In what's the latest instance of a software supply chain attack, unknown threat actors managed to compromise Toptal's GitHub organization account and leveraged that access to publish 10 malicious packages to the npm registry. The packages contained code to exfiltrate GitHub authentication tokens and destroy victim systems, Socket said in a report published last week. In addition, 73 repositories
NPM ‘is’ Package with 2.8M Weekly Downloads Exploited in Attack on Developers
The popular npm package ‘is’, which has about 2.8 million weekly downloads, has been taken over by threat actors in a sophisticated escalation of a phishing effort that was first disclosed last Friday. The attack began w…
Google’s OSS Rebuild Verifies Packages to Fight Supply Chain Attacks
In the ever-evolving realm of cybersecurity, Google has stepped forward with an ambitious initiative aimed at fortifying the foundations of open-source software. The tech giant’s newly unveiled OSS Rebuild project seeks to address one of the most pernicious threats facing developers today: supply chain attacks that compromise software packages at their source. By independently reproducing and verifying builds of popular open-source packages, Goog…
Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification
This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts. It includes automation to derive declarative build definitions, new "build observability and verification tools" for security tea...