Attackers have been running a campaign this month, using malicious open-source packages to steal sensitive data from software developers.
The campaign commenced on September 12 2023 and started with 14 malicious packages on npm. There was a brief hiatus on September 16 and 17, after which the attacks resumed and expanded to the PyPI platform. A total of 45 malicious packages have been detected since the start of the campaign. The attackers utilised typosquatting to trick developers into downloading the packages. Typosquatting is where malicious packages are given names similar to a legitimate popular package in the hope that developers will pick the malicious package by mistake, for example by using underscores instead of dashes in the package name. The data stolen by these packages included sensitive machine and user information, including SSH private keys and kubeconfig files. That stolen information can be used to gain unauthorised access to systems, servers or infrastructure. Users are advised to be cautious about which packages they download.
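As an added example (not part of the podcast segment), the following Python script shows the kind of check a team can run over its own dependency list to catch the lookalike names the segment describes: separator swaps (underscore for dash) and one-character typos against a list of popular packages. The popular-package lists, the sample manifests and the heuristic itself are constructed for illustration; a real deployment would feed in the actual top packages for each registry.

```python
"""Flag dependency names that look like typosquats of popular packages."""
import re

# Constructed allowlist of popular package names per ecosystem
# (illustrative only, not a complete or authoritative list).
POPULAR_PACKAGES = {
    "npm": {"lodash", "express", "react-dom", "babel-core", "node-fetch"},
    "pypi": {"requests", "numpy", "python-dateutil", "pyyaml", "scikit-learn"},
}


def normalize(name: str) -> str:
    """Collapse separators and case so 'React_Dom' and 'react-dom' compare equal."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, ecosystem: str, max_distance: int = 1):
    """Return (popular_name, reason) if `name` resembles a popular package, else None.

    An exact match is the genuine package and is never flagged. Separator/case
    swaps are checked first because they are the cheapest trick to spot; small
    edit distances (dropped or swapped letters) are checked second.
    """
    popular = sorted(POPULAR_PACKAGES[ecosystem])
    if name in popular:
        return None
    norm = normalize(name)
    for p in popular:
        if normalize(p) == norm:
            return (p, "separator-or-case swap")
    for p in popular:
        if edit_distance(name.lower(), p.lower()) <= max_distance:
            return (p, f"edit distance <= {max_distance}")
    return None


def audit_manifest(deps, ecosystem):
    """Return [(dependency, popular_name, reason)] for every suspicious dependency."""
    findings = []
    for dep in deps:
        hit = lookalike_of(dep, ecosystem)
        if hit:
            findings.append((dep, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # Constructed sample manifests, not real project dependencies.
    for ecosystem, deps in (
        ("npm", ["lodash", "react_dom", "expres", "left-pad"]),
        ("pypi", ["numpy", "python_dateutil", "requsts"]),
    ):
        for finding in audit_manifest(deps, ecosystem):
            print(ecosystem, finding)
```

One design note: on PyPI the installer already normalises `-`, `_` and `.` to the same canonical name (PEP 503), so a pure separator swap mostly matters on npm, where `react_dom` and `react-dom` are distinct packages; the edit-distance check is what catches the dropped-letter variants on both registries. A hit is a prompt to verify the package's publisher and history, not proof of malice.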
This segment was created for the It’s 5:05 podcast