The Lazarus Group has been targeting developers in a new VMConnect campaign, using fake job interviews to trick them into downloading malicious software packages from open-source repositories.

OSC&R report reveals that 95% organizations face high software supply chain risks. Despite advancements in application security programs, more work is needed to manage risks effectively.

This new set of packages, consisting of approximately 60 packages and 290 versions, showcases a more sophisticated approach compared to earlier attacks revealed in October 2023, according to ReversingLabs.

ReversingLabs researchers discovered a suspicious package on npm called legacyreact-aws-s3-typescript. They found that the package contained a post-install script that downloaded and executed a simple backdoor.

This incident sheds light on the challenge of tracking and mitigating open-source threats, specifically the issue of "noise" in the form of low-quality test packages and low-distribution malicious packages.

Development teams need to plan ahead and create shareable SBOMs that are standardized in a format that's readily consumable while also establishing scalable systems for attestation, access management, and data verification, among other factors.

The malicious packages used name squatting, disguised dependencies, and legitimate-looking code to steal mnemonic phrases, evading detection and targeting crypto assets without broader system compromise.

It appears that the package author was in the process of building out the malware and adding layers of deception. Fortunately, the package was detected and removed from npm before that could happen.

Public services like GitHub provide a convenient and less suspicious platform for malware authors to operate their C2 infrastructure, eliminating the need for maintaining their own servers.

Cybersecurity firm ReversingLabs has discovered a coordinated and ongoing malicious campaign on the NuGet package manager. The campaign involves the publishing of hundreds of malicious packages since August.