14 malicious npm packages impersonated OpenSearch, Elasticsearch libraries

https://image.theregister.com/5248815.jpg?imageId=5248815&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683

And then Microsoft busted them all

A single npm user on Thursday published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, according to Microsoft.

It’s the latest in a seemingly never-endingstring of supply chain attacks targeting developer tools, and stealing cloud credentials and CI/CD pipeline secrets in its wake.

Using a newly created maintainer alias, vpmdhaj (a39155771@gmail[.]com), the threat actor published 14 packages impersonating legitimate libraries from the @opensearch and @elastic ecosystems and targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself. This suggests that the attacker “likely chose a developer audience to have AWS and Elastic cloud credentials in their environments,” Microsoft warned in a Thursday blog.

All of the malicious packages include the same install-time stager and the same Bun-compiled, second-stage payload:...

Copyright of this story solely belongs to theregister.com. To see the full text click HERE

Read more

http://www.techmeme.com/img/techmeme_sq328.png

Syntiant, which develops low-power AI processors, files for a US IPO, reporting a $20.9M net loss on $64.5M in revenue for the three months ended March 31

More: XBOX Wire, IGN, Game File, The Verge, Aftermath, Kotaku, Reuters, Polygon.com, GamesIndustry.biz, The Information, Windows Central, Forbes, Kotaku, Rock, Paper, Shotgun, PC Gamer, Business Insider, Comic Book, Double Fine, The Hollywood Reporter, Phandroid, Pure Xbox, GeekWire, Fast Company, Capital Brief, Associated Press, TheGamer, Los Angeles Times, GamesRadar,