Hackers have compromised several popular open source projects that software developers around the world rely on in an ongoing cyberattack.
On Tuesday, cybersecurity companies StepSecurity and SafeDep warned of the latest wave of so-called “supply chain” attacks. The attack aims to compromise developers of popular open source projects and use their access to launch malicious updates that are pushed to downstream users.
According to SafeDep, the hackers took over a single developer's account and used it to publish more than 630 malicious versions across 317 packages in about 20 minutes. The malicious code is designed to steal credentials for various services, including password managers, which the attackers can then use to exfiltrate data and continue spreading the malware to further packages.
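A burst of hundreds of versions from one account inside twenty minutes is a signal a defender can check for mechanically. The script below is an added example, not code from the article or from any of the companies it cites: it walks a `package-lock.json` (lockfile version 2 or 3), looks up each pinned version's publish timestamp in data shaped like the npm registry's per-package `time` map, and flags versions that were published as part of a rapid-fire cluster or that the registry does not know about. The registry data and lockfile here are constructed samples; the 20-minute window and the three-release threshold are assumptions chosen to match the cadence described above, not thresholds used by StepSecurity or SafeDep.

```python
"""Flag lockfile dependencies whose pinned version was published in a burst.

Added example for auditing npm dependencies after a publisher-account takeover.
All sample data below is constructed; thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed stand-in for the "time" object returned by
# https://registry.npmjs.org/<package>: version -> ISO 8601 publish time,
# plus the non-version keys "created"/"modified" the registry also emits.
SAMPLE_REGISTRY_TIME = {
    "good-lib": {
        "created": "2022-01-10T09:00:00.000Z",
        "1.0.0": "2022-01-10T09:00:00.000Z",
        "1.1.0": "2023-06-02T12:30:00.000Z",
    },
    "burst-lib": {
        "created": "2021-03-01T10:00:00.000Z",
        "2.4.0": "2024-11-20T08:00:00.000Z",
        "2.4.1": "2026-03-10T14:02:00.000Z",  # three releases in seven minutes
        "2.4.2": "2026-03-10T14:05:00.000Z",
        "2.4.3": "2026-03-10T14:09:00.000Z",
    },
}

# Constructed package-lock.json (lockfileVersion 3) for a small project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/good-lib": {"version": "1.1.0"},
        "node_modules/burst-lib": {"version": "2.4.2"},
        "node_modules/good-lib/node_modules/burst-lib": {"version": "2.4.0"},
        "node_modules/@acme/missing": {"version": "0.9.9"},  # hypothetical name
    },
}


def parse_npm_time(ts):
    """Parse a registry timestamp such as 2026-03-10T14:02:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def burst_versions(time_map, window=timedelta(minutes=20), min_count=3):
    """Return versions published as part of a burst: at least `min_count`
    releases of the same package inside any `window`-long interval."""
    releases = sorted(
        (parse_npm_time(t), v) for v, t in time_map.items()
        if v not in ("created", "modified")
    )
    flagged = set()
    for i, (start, _) in enumerate(releases):
        # releases are sorted, so everything within the window is contiguous
        cluster = [v for t, v in releases[i:] if t - start <= window]
        if len(cluster) >= min_count:
            flagged.update(cluster)
    return flagged


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nesting and scopes)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock, registry_time, **burst_kwargs):
    """Return (name, version, reason) for every pinned dependency that is
    either part of a publish burst or absent from the registry metadata."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry is not a dependency
            continue
        name = package_name(path)
        version = entry.get("version")
        times = registry_time.get(name)
        if times is None or version not in times:
            findings.append((name, version, "unknown-version"))
            continue
        if version in burst_versions(times, **burst_kwargs):
            findings.append((name, version, "burst-release"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME):
        print(f"{reason}: {name}@{version}")
```

In practice the `time` map comes from a GET against `https://registry.npmjs.org/<name>` for each dependency in the lockfile. Treat a hit as a triage signal rather than proof of compromise: legitimate monorepos routinely publish dozens of packages within a few minutes, so a flagged version should be diffed against the previous release (install scripts, new network calls, obfuscated payloads) before it is pinned or rolled back.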
Among the packages the hackers compromised was AntV, a visualization library created by Alibaba. In some cases, the hackers also published malicious updates on GitHub, according to JFrog Security.
This latest wave of attacks is part of a broader campaign targeting open source projects and the developers who use their code in their own projects. Researchers named the campaign “Mini Shai-Hulud” because it followed the earlier, larger Shai-Hulud hacking campaign.
Last week, in an earlier wave of the Mini Shai-Hulud attack, hackers compromised the computers of two OpenAI employees after compromising the open source library TanStack. OpenAI was just one of several victims.

