Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: NuGet is hit with a malicious typosquatting campaign. Also: A malicious ChatGPT Chrome extension is hijacking Facebook accounts.
This Week’s Top Story
NuGet software repository targeted with malicious packages
Software supply chain attacks have greatly increased over the past year, especially on open source software repositories. As a result, malicious packages have been downloaded hundreds of thousands of times, causing supply chain attacks globally. Popular repositories npm and PyPI saw an almost 300% increase in supply chain attacks on their platforms in the past four years combined. Other repositories, such as NuGet, which houses .NET code components, haven’t been taken advantage of by attackers… Until now.
Researchers at JFrog recently discovered a possible first for NuGet: 13 malicious packages with trojan components that compromise a victim’s installation system and download crypto-stealing malware with backdoor functionality. While the malicious packages have been removed from the repository, they were downloaded more than 166,000 times, possibly causing thousands of supply chain attacks. The malicious packages impersonated legitimate software tools like Coinbase and Microsoft ASP.NET, making it easy for developers to accidentally download them. The attackers used typosquatting, in which the name of a popular package is copied and slightly misspelled, to trick developers into downloading these packages.
This recent campaign discovered by JFrog is significant, considering that typosquatting attacks of this nature have not yet occurred on the platform. This demonstrates that threat actors are continuing to see open source repositories as a worthy landscape for carrying out software supply chain attacks. Also, it shows that even less popular repositories like NuGet, which seemed resilient before, are still susceptible to these kinds of attacks.
News Roundup
Here are the stories we’re paying attention to this week…
Bug in open source library causes a significant issue for ChatGPT (Sam Altman)
In a recent tweet, Altman of OpenAI shared that a bug in an open source library, for which a fix has now been released, caused a small percentage of ChatGPT users to see the titles of other users' conversation history: "we feel awful about this."
Facebook accounts hijacked by new malicious ChatGPT Chrome extension (BleepingComputer)
A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts. This malicious version includes additional code that attempts to steal Facebook session cookies.
CISA revises cybersecurity performance goals (Cybersecurity Dive)
The Cybersecurity and Infrastructure Security Agency (CISA) updated the cybersecurity performance goals originally released in October, in an effort to more closely align the goals with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
Ferrari confirms customer data breached following ransomware attack (TechRadar.pro)
The company published a press release on the Ferrari website, as well as sent an email to affected customers. The company's communications confirmed that following a cyber-incident, the Ferrari Italian subsidiary was contacted by a threat actor, demanding that the ransom demand be paid.
Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug (ArsTechnica)
Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.
North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer)
A joint cybersecurity advisory from Germany and South Korea warn about Kimsuky's use of Chrome extensions to steal target's Gmail emails. Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians.
Learn about ReversingLabs Software Supply Chain Security, see the three-minute demo — and start a free trial. Who is ReversingLabs? Matt Rose explains.
Keep learning
- Learn how to better manage and secure your development secrets
- See special report: The Evolution of App Sec + Get Forrester SCA landscape
- See Webinar: Deconstructing the 3CX Software Supply Chain Attack
- Track key trends, what's ahead: The State of Supply Chain Security 2022-23
- Get report: Supply chain and the SOC: Why end-to-end security is key