Miasma supply-chain attack toolkit goes public on GitHub
Miasma worms its way onto GitHub as attack kit goes open source
As if there weren't enough package poisonings to worry about
As if the Miasma situation weren't bad enough, now this weapon is spreading like wildfire. Someone open sourced the entire Miasma worm supply-chain attack toolkit, likely using previously compromised developers' accounts to publish GitHub repositories containing the self-spreading malware’s source code over the last 24 hours.
SafeDep, a company focused on open source supply chain security that developed Package Management Guard (PMG), spotted the malicious repos, named “Miasma-Open-Source-Release,” and said that they started appearing on Monday. Its researchers analyzed one of these before GitHub nixed it, and described the code as more than just a supply chain worm.
“It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems),...
Copyright of this story solely belongs to theregister.com. To see the full text click HERE