Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label NPM malware. Show all posts
software supply chain attacks
cryptocurrency Fake Recruiter Scam Lazarus Group malware NPM malware Open Source Security PyPI Security Threats Remote Access Trojan software supply chain attacks

Fraudulent Recruiters Target Developers with Malicious Coding Tests


 

If a software developer is accustomed to receiving unsolicited messages offering lucrative remote employment opportunities, the initial approach may appear routine—a brief introduction, a well-written job description, and an invitation to complete a small technical exercise. Nevertheless, behind the recent waves of such outreach lies a sophisticated operation. 

During the investigation, investigators have discovered a new version of the long-running fake recruiter campaign linked to North Korean threat actors. This campaign now targets JavaScript and Python developers with cryptocurrency-themed assignments. 

With a deliberate, modular design that makes it possible for operators to rapidly rebuild and re-deploy infrastructure when parts of the campaign are exposed or dismantled since at least May 2025. Several malicious packages were quietly published to the NPM and PyPI ecosystems, which developers utilize in routine work processes. 

Once executed within a developer's environment, the packages serve as downloaders that discreetly retrieve a remote access trojan. Researchers have compiled 192 packages associated with the campaign, which they have labeled Graphalgo, confirming the threat's scale and persistence. 

It has been determined that the operation is more than just opportunistic phishing and represents a carefully orchestrated social engineering campaign incorporated into legitimate hiring processes rather than just opportunistic phishing. 

A recruiting impersonator impersonates a recruiter from an established technology company, initiating communication through professional networking platforms and via email with job descriptions, technical prerequisites, and compensation information aligned with market trends. By cultivating trust over a number of exchanges, the operators resemble the cadence and tone of authentic recruitment cycles without relying on urgency or alarm. 

Following the establishment of legitimacy, they implement a coding assessment, typically a compressed archive, designed to provide a standard measure of the candidate's ability to solve problems or develop blockchain-related applications. 

In addition, the files provided contain embedded malware that is designed to execute once the developer tries to review or run the project locally. Using routine practices such as cloning repositories, installing dependencies, and executing test scripts, the attackers were able to circumvent conventional suspicion triggers associated with unsolicited attachments. 

The strategy demonstrates a deep understanding of developer behavior, technical interview conventions, and the implicit trust derived from structured hiring processes, according to researchers. The execution of the malicious project components in several observed cases enabled unauthorized system access, resulting in credential harvesting, lateral movement, as well as the possibility of exposing proprietary source code and corporate infrastructure to unauthorized access. 

A key component of the campaign's success is not exploiting software vulnerabilities, but rather manipulating professional norms—transforming recruitment itself into a delivery channel for compromise. Several ReversingLabs researchers have determined that the infrastructure supporting the campaign is intended to mirror legitimate activity within the blockchain and crypto-trading industries. 

Threat actors establish fictitious companies, post detailed job postings on professional and social platforms, such as LinkedIn, Facebook, and Reddit, and request candidates to complete technical assignments as part of the simulated interview process. The tasks are usually similar to routine coding evaluations, where candidates clone repositories, execute projects locally, resolve minor bugs, and submit improvements. 

Nevertheless, the critical objective is not the solution submitted, but the process of executing it. When running a project, a malicious dependency sourced from trusted ecosystems such as npm and PyPI is installed, thus allowing the payload to be introduced indirectly through dependency resolution processes. 

As investigators point out, the process of assembling such repositories is straightforward: a legitimate open-source template is modified to reference a compromised or weaponized package, following which the project appears technically sound and professionally structured. An example of a benign package called “bigmathutils,” which had accumulated approximately 10,000 downloads, was introduced into malicious functionality by version 1.1.0. 

A maneuver likely intended to limit forensic visibility followed by the deprecation and removal of the package soon thereafter. A more extensive campaign was later developed, dubbed Graphalgo for its frequent use of packages containing the term "graph" and their imitations of well-established libraries such as graphlib.

Researchers have observed a shift in package names that include the word "big" since December 2025, although there has not been a comprehensive identification of the recruitment infrastructure associated with that phase. As a means of giving structural legitimacy to their operations, actors utilize GitHub Organizations. The visible project files of GitHub repositories do not contain any overtly malicious code.

Instead, compromise occurs by resolving external dependencies -Graphalgo packages retrieved from npm or PyPI - thus separating the malicious logic from the repository, making detection more challenging. By executing the projects as instructed, developers inadvertently install a remote access trojan on their computer systems. Analysis of the malware indicates it is capable of enumerating processes, executing arbitrary commands via command-and-control channels, exfiltrating data and delivering secondary payloads. 

A clear financial motive associated with cryptocurrency asset theft is also evident from the fact that the RAT checks for the MetaMask browser extension. According to researchers, multiple developers were successfully compromised before the activity was discovered, demonstrating the operational effectiveness of embedding malicious logic within trusted mechanics in software development workflows.

According to a technical examination of the later infection stages, the intermediate payloads serve mainly as downloaders, retrieving the final remote access trojan from the attacker's infrastructure. Upon deployment, the RAT communicates periodically with its command-and-control server, polling it for tasking and executing the instructions given by the operator. 

The tool has a feature set that is consistent with mature post-exploitation tools: file uploading and downloading capabilities, process enumeration, and execution of arbitrary system commands. Additionally, communications with the C2 endpoint are token-protected, requiring a valid server-issued token when registering an agent or issuing a command command. 

It is believed that this additional authentication layer serves to restrict unsolicited interaction with the infrastructure and to reflect operational discipline previously observed in North Korean state-backed campaigns. In addition to detecting the MetaMask browser extension, the malware demonstrates a clear interest in crypto assets, aligning with financial motivations historically linked to Pyongyang-aligned groups as well as a clear interest in cryptocurrency assets. 

As part of their investigation, researchers identified three functionally equivalent variants of the final payload implemented in various languages. JavaScript and Python versions were distributed through malicious packages hosted on npm and PyPI, while a third variant was found independently using Visual Basic Script. 

As first noted in early February 2026, the VBS sample communicates with the same C2 infrastructure associated with earlier "graph"-named packages, as evidenced by the SHA1 hash dbb4031e9bb8f8821a5758a6c308932b88599f18. This suggests a parallel or yet to be identified recruitment frontend is part of the broader operation. North Korean activity in public open-source ecosystems has been documented in a number of cases. 

VMConnect, an operation later dubbed and attributed to the Lazarus Group, was detected by ReversingLabs in 2023 involving malicious PyPI impersonation operations. The attack involved weaponized packages linked to convincing GitHub repositories which were able to reinforce trust before delivering malware from attacker infrastructure.

In a year, researchers observed the VMConnect tradecraft continuing to be practiced, this time incorporating fabricated coding assessments associated with fraudulent job interviews. As in some instances, the actors assumed the identity of Capital One, further demonstrating their willingness to appropriate established corporate identities to legitimize outreach. Other security firms have confirmed the pattern through their reports. 

As of 2023, Phylum provided information about NPM malware campaigns that utilize token-based mechanisms and paired packages to avoid detection, while Unit 42 provided information about the methods North Korean state-sponsored actors used to distribute multi-stage malware through developer ecosystems. In addition to Veracode and Socket's disclosures during 2024 and 2025, further npm packages attributed to Lazarus-related activity were also identified, including second-stage payloads that erased forensic evidence upon execution of the package.

In the present campaign, attribution is based on a convergence of technical and operational indicators rather than a single artifact. Lazarus methodologies, such as using fake interviews to gain access, cryptocurrency-themed lures, multistage payload chains layered with obfuscation, and deliberately delaying the release of benign and malicious package versions, are similar to previously documented Lazarus methods. 

Moreover, token-protected C2 communications and Git commit timestamps aligned with GMT+9, North Korea's time zone, provide context alignment. These characteristics suggest a coordinated, state-sponsored effort rather than opportunistic cybercrime. Researchers cite the modular architecture of the campaign as a significant strength. By separating recruitment personas from backend payload infrastructure, operators can rotate the company names, job postings, and thematic branding without altering core delivery mechanisms.

Although a direct link has been established between "graph"-named packages and specific blockchain-based job offerings, the frontend elements for the newer "big"-named packages and the VBS RAT variant have not yet been identified in detail. 

ReversingLabs analyzed the Graphalgo activity and compiled an extensive set of indicators of compromise linked to the operation, including malicious package names, hashes, domains, and C2 endpoints as part of its investigation. This gap indicates that elements of the operation likely remain active and evolving. These artifacts are crucial in assisting organizations in the detection and response to incidents, since they enable them to identify exposures within development environments and within software supply chains.

Lazarus-related operations persisting across NPM and PyPI underscores a broader reality: open-source ecosystems remain strategically valuable target surfaces, while recruitment-themed social engineering has evolved into an extremely sophisticated intrusion vector that is capable of bypassing conventional defense measures. Those findings underscore the importance of reassessing the implicit trust placed in external code and recruitment-driven processes among development teams.

Besides email filtering and endpoint protection, security controls should include rigorous dependency monitoring, sandboxing of third-party projects, and stricter verification of unsolicited technical assessments in addition to traditional email filtering and endpoint protection. 

An organization should implement a software composition analysis, enforce a least-privilege development environment, and monitor anomalous outbound connections originating from the build system or developer workstations. As a result, awareness programs must be updated to address recruitment-themed social engineering, which incorporates professional credibility with technical deception in order to achieve effective recruitment results.

Threat actors are continuing to adapt their tactics to mimic legitimate industry practices, which is why defensive strategies should mature as well - treating development environments and open-source dependencies as critical security boundaries as opposed to mere conveniences.
Read more »
software supply chain attack
cloud secret theft developer credential theft JavaScript security malware NPM malware Shai Hulud malware software supply chain attack

New Shai Hulud Malware Variant Turns Developers Into Supply Chain Attack Vectors, Expel Warns

 

A newly released report from managed detection and response firm Expel Inc. reveals an advanced variant of the Shai Hulud malware, highlighting how software supply chain attacks are moving beyond isolated malicious packages to large-scale, self-spreading campaigns that exploit developers as unwitting distribution channels.

Originally detected in September, the Shai Hulud malware campaign targets the JavaScript ecosystem and prioritizes supply chain compromise over conventional endpoint attacks. It spreads through trojanized Node Package Manager (npm) packages designed to steal credentials and replicate across developer environments.

According to Expel, the latest iteration of Shai Hulud automates the takeover of developer systems and the npm registry by combining credential harvesting, cloud secret extraction and rapid self-propagation. The malware is typically triggered during an npm install process on a developer’s machine or within continuous integration and continuous delivery pipelines.

Once activated, the malicious package initiates a two-stage infection process. In the first phase, it prepares the environment by installing the Bun JavaScript runtime if it is not already available. The second phase launches a highly obfuscated background payload responsible for stealing credentials, exfiltrating data and spreading the infection further.

The malware conducts extensive searches for sensitive information stored locally, including cloud access keys, npm publishing tokens and GitHub login credentials. It also uses the TruffleHog security scanning tool to comb through a victim’s home directory, identifying hard-coded secrets hidden in source code, configuration files and git history.

When cloud credentials are discovered, Shai Hulud escalates its activity by directly querying cloud-based secret management services such as Amazon Web Services Inc.’s Secrets Manager, Microsoft Corp.’s Azure Key Vault and Google LLC’s Cloud Secret Manager to retrieve additional confidential data.

Rather than relying on traditional command-and-control infrastructure, the malware blends into normal developer workflows by abusing GitHub services. Stolen credentials and system details are exfiltrated to newly created public GitHub repositories, while infected systems are registered as self-hosted GitHub Actions runners, providing attackers with persistent remote access.

To maintain and expand the campaign, Shai Hulud exploits compromised developer accounts by injecting malicious code into other npm packages owned by the victim. These altered packages are then automatically published to the registry, allowing the malware to continue spreading.

Expel estimates that the campaign has affected more than 25,000 repositories and hundreds of npm packages, including those linked to widely used developer tools. The report concludes that Shai Hulud signals a fundamental change in supply chain risk by targeting the trust mechanisms underlying modern software development. While the current activity is focused on npm, Expel cautions that similar attacks could surface in other ecosystems built on comparable trust models, such as PyPI, RubyGems and Composer.
Read more »
npm malware attack
Cyber Attacks cybersecurity risks Developers Malware Attack Malwares NPM NPM malware npm malware attack

Sha1-Hulud Malware Returns With Advanced npm Supply-Chain Attack Targeting Developers

 

A new wave of the Sha1-Hulud malware campaign has unfolded, indicating further exacerbation of supply-chain attacks against the software development ecosystem. The recent attacks have hit the Node Package Manager, or npm, one of the largest open-source package managers that supplies JavaScript developers around the world. Once the attackers compromise vulnerable packages within npm, the malicious code will automatically be executed whenever targeted developers update to vulnerable versions, oblivious to the fact. Current estimates indicate nearly 1,000 npm packages have been tampered with, thereby indirectly affecting tens of thousands of repositories. 

Sha1-Hulud first came into light in September 2025, when it staged its first significant intrusion into npm's ecosystem. The past campaign included the injection of trojanized code into weakly-secured open-source libraries that then infected every development environment that had the components installed. The malware from the initial attack was also encoded with a credential harvesting feature, along with a worm-like mechanism intended for the proliferation of infection. 

The latest rendition, seen in new activity, extends the attack vector and sophistication. Among others, it includes credential theft, self-propagation components, and a destructive "self-destruct" module that aims at deleting user data in case interference with the malware is detected. The malware now demonstrates wide platform compatibility, running across Linux, macOS, and Windows systems, and introduces abuse of GitHub Actions for remote code execution. 

The infection chain starts with a modified installation sequence. Inside the package.json file, the compromised npm packages bear a pre-install script named setup_bun.js. Posing as a legitimate installer for the Bun JavaScript runtime, the script drops a 10MB heavily obfuscated payload named bun_environment.js. From there, malware begins searching for tokens, API keys, GitHub credentials, and other sensitive authentication data. It leverages tools like TruffleHog to find more secrets. After stealing the data, it automatically gets uploaded into a public repository created under the victim's GitHub account, naming it "Sha1-Hulud: The Second Coming," thus making those files accessible not just to the attackers but to actually anyone publicly browsing the repository. 

The malware then uses the stolen npm authentication tokens to compromise new packages maintained by the victim. It injects the same malicious scripts into those packages and republishes them with updated version numbers, triggering automatic deployment across dependent systems. If the victim tries to block access or remove components, the destructive fail-safe is initiated, which wipes home directory files and overwrites data sectors-this significantly reduces the chances of data recovery. 

Security teams are encouraged to temporarily stop updating npm packages, conduct threat-hunting activities for the known IoCs, rotate credentials, and reevaluate controls on supply-chain risk. The researchers recommend treating any system showing signs of infection as completely compromised.
Read more »
TruffleHog leak
Data Breach GitHub repositories breach NPM malware Shai-Hulud attack Supply Chain Attack TruffleHog leak

Shai-Hulud 2.0 Breach Exposes 400,000 Secrets After Massive NPM Supply-Chain Attack

 

The second wave of the Shai-Hulud malware attack last week led to the exposure of nearly 400,000 raw secrets after compromising hundreds of NPM (Node Package Manager) packages and leaking stolen data across more than 30,000 GitHub repositories.

While only around 10,000 of those secrets were confirmed as valid using the TruffleHog open-source scanning tool, cloud security company Wiz reports that over 60% of the NPM tokens leaked in this incident were still active as of December 1st.

Shai-Hulud first surfaced in mid-September, infecting 187 NPM packages with a worm-like payload. The malware scanned systems for account tokens using TruffleHog, injected a harmful script into the targeted packages, and then automatically republished them.
In the latest attack, the threat escalated—impacting more than 800 packages (including all affected versions) and adding a destructive feature capable of wiping a victim’s home directory under specific conditions.

During their review of the secrets spilled by Shai-Hulud 2.0 into over 30,000 GitHub repositories, Wiz researchers found several types of sensitive files exposed:

  • About 70% of repositories contained a contents.json file with GitHub usernames, tokens, and file snapshots

  • Around 50% stored truffleSecrets.json with TruffleHog scan results

  • Nearly 80% included environment.json, which revealed OS details, CI/CD metadata, npm package information, and GitHub credentials

  • 400 repositories had actionsSecrets.json, exposing GitHub Actions workflow secrets

Wiz notes that the malware used TruffleHog without the --only-verified flag, meaning the full set of 400,000 leaked secrets only matched valid formats—they weren’t necessarily functional. Even so, the dataset still contained active credentials.

While the secret data is extremely noisy and requires heavy deduplication efforts, it still contains hundreds of valid secrets, including cloud, NPM tokens, and VCS credentials,” Wiz explained.

To date, these credentials pose an active risk of further supply chain attacks. For example, we observe that over 60% of leaked NPM tokens are still valid.

From the 24,000 environment.json files analyzed, nearly half were unique. About 23% originated from developer machines, with the remainder linked to CI/CD systems or similar automated environments.

The investigation also showed that 87% of compromised machines were running Linux, and 76% of infections occurred within containerized environments. Among CI/CD services, GitHub Actions was the most affected, followed by Jenkins, GitLab CI, and AWS CodeBuild.

When examining which packages were hit hardest, Wiz identified @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 as the most impacted—together accounting for over 60% of all infections. Researchers believe the overall damage could have been significantly reduced if these key packages had been flagged and taken down early.

The infection pattern also revealed that 99% of attacks triggered during the preinstall event, specifically through the node setup_bun.js script. The few anomalies observed were likely test runs.

Wiz warns that the operators behind Shai-Hulud are likely to continue refining their methods. The team expects more waves of supply-chain attacks powered by the extensive trove of leaked credentials gathered so far.

Read more »
Token Farming Attack
Automated Attacks Cyber Security Dependency Threats malware NPM malware Open Source Risks Registry Abuse Research Software Integrity supply chain security Token Farming Attack

$116 Million at Risk as Balancer Suffers Major Smart Contract Breach

 

Security experts are becoming increasingly concerned about a developing anomaly in the JavaScript ecosystem after researchers discovered a massive cluster of self-replicating npm packages that seem to have no technical function but instead indicate a well-thought-out and financially motivated scheme. Over 43,000 of these packages—roughly 1% of the whole npm repository—were covertly uploaded over a two-year period using at least 11 synchronized accounts, according to recent research by Endor Labs. 

The libraries automatically reproduce themselves when downloaded and executed, filling the ecosystem with nearly identical code, even though they do not behave like traditional malware—showing no indicators of data theft, backdoor deployment, or system compromise. Investigators caution that even while these packages are harmless at the moment, their size and consistent behavior could serve as a channel for harmful updates in the future. 

With many packages containing tea.yaml files connected to TEA cryptocurrency accounts, early indications also point to a potential monetization plan, indicating the operation may be built to farm tokens at scale. The scope and complexity of the program were exposed by more research in the weeks that followed. 

In late October, clusters of unusual npm uploads were first observed by Amazon's security experts using improved detection algorithms and AI-assisted monitoring. By November 7, hundreds of suspicious packages had been found, and by November 12, over 150,000 malicious entries had been linked to a network of coordinated developer accounts. 

What had started out as a few dubious packages swiftly grew into a huge discovery. They were all connected to the tea.xyz token-farming initiative, a decentralized protocol that uses TEA tokens for staking, incentives, and governance to reward open-source contributions. Instead of using ransomware or credential stealers, the attackers flooded the registry with self-replicating packages that were made to automatically create and publish new versions.

As unwary developers downloaded or interacted with the contaminated libraries, the perpetrators silently accumulated token rewards. Each package was connected to blockchain wallets under the attackers' control by embedded tea.yaml files, which made it possible for them to embezzle profits from lawful community activities without drawing attention to themselves. The event, according to security experts, highlights a broader structural flaw in contemporary software development, where the speed and transparency of open-source ecosystems may be readily exploited at scale. 

Amazon's results show how AI-driven automation has made it easy for attackers to send large quantities of garbage or dangerous goods in a short amount of time, according to Manoj Nair, chief innovation officer at Snyk. He emphasized that developers should use behavior-based scanning and automated dependency-health controls to identify low-download libraries, template-reused content, and abrupt spikes in mass publishing before such components enter their build pipelines, as manual review is no longer sufficient. 

In order to stop similar operations before they start, he continued, registry operators must also change by proactively spotting bulk uploads, duplicate code templates, and oddities in metadata. Suzu CEO Michael Bell shared these worries, claiming that the discovery of 150,000 self-replicating, token-farming npm packages shows why attackers frequently have significantly more leverage when they compromise the development supply chain than when they directly target production systems. 

Bell cautioned that companies need to treat build pipelines and dependency chains with the same rigor as production infrastructure because shift-left security is becoming the standard. This includes implementing automated scans, keeping accurate software bills of materials, enforcing lockfiles to pin trusted versions, and verifying package authenticity before installation. He pointed out that once malicious code enters production, defenders are already reacting to a breach rather than stopping an assault. 

The researchers discovered that by incorporating executable scripts and circular dependency chains into package.json files, the campaign took advantage of npm's installation procedures. In actuality, installing one malicious package set off a planned cascade that increased replication and tea.xyz teaRank scores by automatically installing several more.

The operation created significant risks by flooding the registry with unnecessary entries, taxing storage and bandwidth resources, and increasing the possibility of dependency confusion, even if the packages did not include ransomware or credential-stealing payloads. Many of the packages shared cloned code, had tea.yaml files connecting them to attacker-controlled blockchain wallets, and used standard naming conventions. Amazon recommended that companies assess their current npm dependencies, eliminate subpar or non-functional components, and bolster their supply-chain defenses with separated CI/CD environments and SBOM enforcement. 

The event contributes to an increasing number of software supply-chain risks that have led to the release of new guidelines by government organizations, such as CISA, with the goal of enhancing resilience throughout development pipelines. The campaign serves as a sobering reminder that supply-chain integrity can no longer be ignored as the inquiry comes to an end. The scope of this issue demonstrates how readily automation may corrupt open-source ecosystems and take advantage of community trust for commercial gain if left uncontrolled. 

Stronger verification procedures throughout development pipelines, ongoing dependency auditing, and stricter registry administration are all necessary, according to experts. In addition to reducing such risks, investing in clear information, resilient tooling, and cross-industry cooperation will support the long-term viability of the software ecosystems that contemporary businesses rely on.
Read more »
telemetry.js malware
GitHub Actions vulnerability NPM malware Nx supply chain attack telemetry.js malware

Nx "s1ngularity" Supply Chain Attack Exposes Thousands of Secrets

 

The recent Nx "s1ngularity" NPM supply chain attack has led to a massive security fallout, exposing thousands of account tokens and repository secrets, according to Wiz researchers.

A post-incident analysis revealed that the breach compromised 2,180 accounts and 7,200 repositories in three distinct attack phases. Wiz emphasized that the impact is still unfolding, as many of the leaked secrets remain valid.

Nx, a widely used open-source build system and monorepo management tool in enterprise-scale JavaScript/TypeScript projects, has over 5.5 million weekly downloads on the NPM registry.

How the Attack Happened

On August 26, 2025, threat actors exploited a flawed GitHub Actions workflow in the Nx repository. This enabled them to publish a malicious version of Nx on NPM containing a post-install malware script called telemetry.js.

The telemetry.js malware targeted Linux and macOS systems, attempting to steal sensitive data such as GitHub tokens, npm tokens, SSH keys, .env files, and even crypto wallets. The stolen data was then uploaded to public repositories under the name "s1ngularity-repository."

What made this breach particularly unique was the attacker’s use of AI command-line tools like Claude, Q, and Gemini. These tools were leveraged with changing LLM prompts to hunt for and extract secrets.

"The evolution of the prompt shows the attacker exploring prompt tuning rapidly throughout the attack. We can see the introduction of role-prompting, as well as varying levels of specificity on techniques," explained Wiz.

"These changes had a concrete impact on the success of the malware. The introduction of the phrase ‘penetration testing’, for example, was concretely reflected in LLM refusals to engage in such activity."

Three Phases of the Attack

Phase 1 (Aug 26–27): Backdoored Nx packages impacted around 1,700 users, leaking more than 2,000 unique secrets and exposing 20,000 files from infected systems. GitHub removed attacker-created repositories within eight hours, but the stolen data had already been duplicated.

Phase 2 (Aug 28–29): Using stolen GitHub tokens, attackers flipped private repositories to public, renaming them with the “s1ngularity” tag. This compromised 480 more accounts (mostly organizations) and exposed 6,700 private repositories.

Phase 3 (from Aug 31): The attackers focused on a single organization, using two compromised accounts to publish another 500 private repositories.

Root Cause & Response

The Nx team later confirmed that the breach stemmed from a pull request title injection combined with insecure use of pull_request_target. This flaw allowed attackers to execute arbitrary code with elevated permissions, triggering Nx’s publish pipeline and stealing the npm publishing token.

In response, Nx revoked compromised tokens, adopted two-factor authentication, and migrated to NPM’s Trusted Publisher model, which eliminates token-based publishing. Additionally, manual approvals are now required for pull request-triggered workflows.
Read more »
Subscribe to: Comments (Atom)