npm packages of the TanStack web application framework hit by Mini Shai-Hulud supply chain attack
Security firm StepSecurity has discovered the latest wave of the Mini Shai-Hulud worm: TeamPCP targeted the GitHub Actions release workflow of the TanStack web application framework and used a hijacked OIDC token to publish malicious npm packages for TanStack Router. What sets this attack apart from earlier ones is that the compromised packages carried valid SLSA Level 3 provenance attestations, making Mini Shai-Hulud the first documented npm worm able to produce malicious packages with valid attestations. Notably, Mini Shai-Hulud has already spread beyond TanStack to packages from UiPath, DraftLab and other maintainers.
StepSecurity describes the compromise of TanStack as three broad stages: first, the attackers staged the malicious payload in a GitHub fork; next, they injected it into the tarballs of already-published npm packages; finally, they hijacked the project's CI/CD pipeline to publish malicious versions with valid SLSA provenance.
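As an added example (not code from the article or from StepSecurity), a Python policy check a package consumer could run over an npm package's SLSA provenance statement: it compares the tarball digest with the attestation subject, which catches a payload injected into an already-published tarball, and pins the repository, workflow file, builder and release-tag ref, since a valid SLSA Level 3 attestation only proves which pipeline built the package. The field layout follows the SLSA v1 spec and the GitHub Actions build type as I understand them, and every repository, workflow and package value is hypothetical.

```python
import hashlib, re

# Constructed sample (not data from the article): an in-toto statement shaped like the
# SLSA v1 provenance npm records for a GitHub Actions build; field layout is assumed.
TARBALL = b"constructed tarball bytes"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "pkg:npm/%40example/router@1.2.3",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/feature-xyz",  # a branch, not a release tag
                "repository": "https://github.com/example/router",
                "path": ".github/workflows/release.yml"}}},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}}}}

# What a genuine release of this package is expected to look like (hypothetical values).
POLICY = {"repository": "https://github.com/example/router",
          "workflow_path": ".github/workflows/release.yml",
          "builder_id": "https://github.com/actions/runner/github-hosted",
          "tag_pattern": r"^refs/tags/v\d+\.\d+\.\d+$"}

def check_provenance(statement, tarball, policy):
    """Return policy findings for one tarball; an empty list means it passed.
    Assumes the Sigstore signature was already verified (e.g. `npm audit signatures`):
    a valid signature proves which pipeline built the tarball, not that the pipeline
    or its OIDC token was still under the maintainers' control."""
    findings = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicateType")
    # 1. The bytes about to be installed must be the bytes that were attested.
    digest = hashlib.sha512(tarball).hexdigest()
    if not any(s.get("digest", {}).get("sha512") == digest for s in statement.get("subject", [])):
        findings.append("tarball digest does not match attestation subject")
    # 2. The build must come from the expected repo, workflow file, builder and a release tag.
    pred = statement.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != policy["repository"]:
        findings.append(f"built from unexpected repository {wf.get('repository')!r}")
    if wf.get("path") != policy["workflow_path"]:
        findings.append(f"built by unexpected workflow {wf.get('path')!r}")
    if not re.match(policy["tag_pattern"], wf.get("ref", "")):
        findings.append(f"built from non-release ref {wf.get('ref')!r}")
    if pred.get("runDetails", {}).get("builder", {}).get("id") != policy["builder_id"]:
        findings.append("unexpected builder id")
    return findings
```

The constructed statement passes every check except the release-tag rule, which is the kind of policy a hijacked but otherwise legitimate pipeline would still have to satisfy.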
Source: "TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages", StepSecurity (www.stepsecurity.io). The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.