During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders.

As of Tuesday, the supply-chain attack remains active, and its scope extends beyond the original 18 infected Qix packages to now include five additional compromised DuckDB and coveops/abi packages, according to JFrog.

Wiz warns organizations to assume "malicious versions of popular packages are still available for download and might be automatically included in development pipelines."

This latest supply-chain attack "highlights how fragile the modern JavaScript ecosystem is, where half of the codebase is dependent on single-line utilities m
