Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: NuGet is hit with a malicious typosquatting campaign. Also: A malicious ChatGPT Chrome extension is hijacking Facebook accounts.
This Week’s Top Story
NuGet software repository targeted with malicious packages
Software supply chain attacks have greatly increased over the past year, especially on open source software repositories. As a result, malicious packages have been downloaded hundreds of thousands of times, causing supply chain attacks globally. Popular repositories npm and PyPI saw an almost 300% increase in supply chain attacks on their platforms in the past four years combined. Other repositories, such as NuGet, which houses .NET code components, haven’t been taken advantage of by attackers… Until now.
Researchers at JFrog recently discovered a possible first for NuGet: 13 malicious packages with trojan components that compromise a victim’s installation system and download crypto-stealing malware with backdoor functionality. While the malicious packages have been removed from the repository, they were downloaded more than 166,000 times, possibly causing thousands of supply chain attacks. The malicious packages impersonated legitimate software tools like Coinbase and Microsoft ASP.NET, making it easy for developers to accidentally download them. The attackers used typosquatting, in which the name of a popular package is copied and slightly misspelled, to trick developers into downloading these packages.
This recent campaign discovered by JFrog is significant, considering that typosquatting attacks of this nature have not yet occurred on the platform. This demonstrates that threat actors are continuing to see open source repositories as a worthy landscape for carrying out software supply chain attacks. Also, it shows that even less popular repositories like NuGet, which seemed resilient before, are still susceptible to these kinds of attacks.
Here are the stories we’re paying attention to this week…
In a recent tweet, Altman of OpenAI shared that a bug in an open source library, for which a fix has now been released, caused a small percentage of ChatGPT users to see the titles of other users' conversation history: "we feel awful about this."
Facebook accounts hijacked by new malicious ChatGPT Chrome extension (BleepingComputer)
A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts. This malicious version includes additional code that attempts to steal Facebook session cookies.
CISA revises cybersecurity performance goals (Cybersecurity Dive)
The Cybersecurity and Infrastructure Security Agency (CISA) updated the cybersecurity performance goals originally released in October, in an effort to more closely align the goals with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
The company published a press release on the Ferrari website, as well as sent an email to affected customers. The company's communications confirmed that following a cyber-incident, the Ferrari Italian subsidiary was contacted by a threat actor, demanding that the ransom demand be paid.
Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.
North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer)
A joint cybersecurity advisory from Germany and South Korea warn about Kimsuky's use of Chrome extensions to steal target's Gmail emails. Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians.
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- Get the report and take action: The State of Supply Chain Security 2024
- See the Webinar: State of Software Supply Chain Security 2024
- See Gartner's guidance on managing software supply chain risk