Jossef Harush Kadouri in Checkmarx Zero

Backdoor Discovered in xz: The Most Advanced Supply Chain Attack Known to Date
The xz project, a tool used by many Linux distributions for compressing files, was compromised by a malicious actor who gradually took over…
Mar 31, 2024

When ‘Everything’ Goes Wrong: NPM Dependency-Hell Campaign — 2024 Edition
Happy New Year! What a way to open 2024 with a package named “everything” that relies on every single NPM package causing disruptions
Jan 2, 2024

Surprise: When Dependabot Contributes Malicious Code
In July 2023, we detected suspicious commits in hundreds of GitHub repositories, appearing as if contributed by Dependabot but carrying…
Sep 27, 2023

Popular NuGet Package “Moq” Silently Exfiltrates User Data to Cloud Service
The highly popular NuGet package Moq, with total downloads of 475M+, released on August 8th new versions 4.20.0-rc, 4.20.0 and 4.20.1 with a…
Aug 9, 2023

Who Broke NPM?: Malicious Packages Flood Leading to Denial of Service
Malicious campaigns targeting open-source ecosystems are causing a flood of spam, SEO poisoning, and malware infection.
Apr 4, 2023

Massive Malicious Attack on NPM: 50k Packages Flooded with Phishing Links
A sudden surge of thousands of malicious packages was uploaded to the NPM open-source ecosystem from multiple user accounts the last…
Mar 26, 2023

This is How I Hijacked CocoaPods Subdomain Using GitHub Pages
CocoaPods is THE dependency manager for iOS and Mac projects. It helps software developers easily add pre-made pieces of code (called…
Mar 2, 2023

900+ Malicious Python Packages Manipulating Victim’s Clipboard to Steal Crypto
Starting Feb 9 2023, an attacker published a total of 444 malicious packages via 22 different PyPI user accounts. The malicious packages…
Feb 10, 2023

Chat With a Software Supply Chain Attacker
A PyPI user account, aidoc, was found to have been publishing malicious packages
Jan 22, 2023

Mixing Politics and Open Source: Bad Idea
During the past year, since the Russia-Ukraine war began, we’ve seen multiple examples of open-source packages with hidden protest messages…
Jan 12, 2023