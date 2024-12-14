
Yearlong supply-chain attack targeting security pros steals 390K credentials

"Multifaceted, high-precision campaign targets malicious and benevolent hackers alike."

"Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.

"This increases their look of legitimacy and the likelihood that someone will run them," Datadog said.

The attackers' use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.

Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target. And if the objective was targeting researchers—as other recently discovered campaigns have done—it’s unclear why MUT-1244 would also employ cryptocurrency mining, an activity that’s often easy to detect.

Reports from both Checkmarx and Datadog include indicators people can use to check if they've been targeted."

Source: https://arstechnica.com/security/20...geting-security-pros-steals-390k-credentials/
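The reports mentioned above publish indicators; one practical check on the npm side is to look for the package named in the article in your lockfiles, transitive dependencies included. The script below is an added example, not code from the article, Datadog or Checkmarx; it handles both lockfile layouts (v1 nested "dependencies" and v2/v3 flat "packages"), and the sample lockfile, the package name some-poc-tool and all version numbers are constructed for the demo.

```python
"""Scan an npm package-lock.json for a package named in the supply-chain reports."""
import json

# Only the package the article names; anything added here later is your own assumption.
KNOWN_MALICIOUS = {"@0xengine/xmlrpc"}


def _walk_v1(deps, prefix, hits):
    """Recurse through lockfile v1, where nested 'dependencies' blocks hold transitive deps."""
    for name, info in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if name in KNOWN_MALICIOUS:
            hits.append((name, info.get("version", "?"), path))
        _walk_v1(info.get("dependencies"), path + "/", hits)


def find_malicious(lock: dict) -> list:
    """Return (name, version, install path) for every match, however deep it is nested."""
    hits = []
    if "packages" in lock:
        # v2/v3: keys look like "node_modules/a/node_modules/@scope/b"; "" is the root project.
        for path, info in lock["packages"].items():
            if not path:
                continue
            # Scoped names keep their "@scope/" prefix after the last "node_modules/".
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in KNOWN_MALICIOUS:
                hits.append((name, info.get("version", "?"), path))
    else:
        _walk_v1(lock.get("dependencies"), "", hits)
    return hits


# Constructed sample: a v3 lockfile where the package arrives as a transitive
# dependency of a hypothetical proof-of-concept tool (names and versions invented).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"left-pad": "1.3.0", "some-poc-tool": "2.0.0"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-poc-tool": {"version": "2.0.0", "dependencies": {"@0xengine/xmlrpc": "*"}},
    "node_modules/some-poc-tool/node_modules/@0xengine/xmlrpc": {"version": "1.0.0"}
  }
}""")

if __name__ == "__main__":
    for name, ver, path in find_malicious(SAMPLE_LOCK):
        print(f"FOUND {name}@{ver} at {path}")
```

Point it at a real lockfile with `find_malicious(json.load(open("package-lock.json")))`; a hit in a nested path means a dependency you never asked for pulled it in.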
 
The scale and subtlety of this campaign are pretty unsettling. Packaging malicious code into trusted sources like Feedly and Vulnmon is exactly the kind of tactic that makes even seasoned pros vulnerable. Targeting security researchers feels like an attempt to both exploit and undermine the defenders. It’s a wake-up call—vet everything, even if it looks legit.
 
Nation states are in it for the long game. Like those previous well-known repos that one day switched over to deploying malicious code.....

This is why when people blindly assume open source is more secure, it is false unless you yourself understand the code you are reading and can tie back into every single package said FOSS item uses and validate it as well....

There is way too much trust in open source in general that free code is safe code... so people blindly just copy pasta' the crap out of it.
 
MrGuvernment said:
There is way too much trust in open source in general that free code is safe code... so people blindly just copy pasta' the crap out of it.
Yep, waaaaaaaaaaay too many people think that OSS = perfectly safe. I hear the "many eyes" thing get repeated on and on when in reality:

1) Plenty of projects have only one guy, or two guys, that contribute to them. While anyone could, in theory, nobody does and it is entirely one dude's project.
2) Even when there are multiple people, code reviews are often very superficial. Just because another coder looked at it, doesn't mean they did a good job. Sometimes (more often than you think) it is literally just bitching about variable names.
3) Bad actors can join a community, and they can be sneaky. Someone can contribute good code, get a reputation, and then start sneaking things in.

Open source CAN be secure, but it is not definitionally secure.
 
