Aggregator

It is described as 'something truly unforgettable'

The Shai-Hulud malware campaign impacted hundreds of npm packages across multiple maintainers, reports Koi Security, including popular libraries like @ctrl/tinycolor and some packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows. Koi Security created a table of packages identified as compromised, promising it's "continuously updated" (and showing the last compromise detected Tuesday). Nearly all of the compromised packages have a status of "removed from NPM". Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation. This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement. As a result, the compromise quickly scaled beyond its initial entry point, impacting not only widely used open-source libraries but also CrowdStrike's npm packages. The injected script performs credential harvesting and persistence operations. It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and backdoors makes Shai-Hulud one of the most dangerous campaigns ever compared to previous compromises. "The malicious code also attempts to leak data on GitHub by making private repositories public," according to a Tuesday blog post from security systems provider Sysdig: The Sysdig Threat Research Team (TRT) has been monitoring this worm's progress since its discovery. Due to quick response times, the number of new packages being compromised has slowed considerably. No new packages have been seen in several hours at the time... Their blog post concludes "Supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity." Some context from Tom's Hardware: To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.

Read more of this story at Slashdot.

Scientists have discovered new information about the interstellar object nearing Earth which could reveal facts about the solar system it came from.

Kourtney Kardashian used Instagram to reveal a new look on Friday. The 46-year-old mother-of-four debuted freshly cut bangs as she posed two mirror selfies for her 217 million followers to see.

Home inspection experts have revealed all the unlikely spots in your home that could be harboring hidden toxins responsible for congestion, hormone issues and brain damage.

The supporters, led by the group Hammers United, believe the club is 'going to die' under the owners' direction. Going into the game, West Ham sat 18th in the Premier League under Graham Potter.

The couple shocked fans by passionately kissing three times during a raunchy routine performed at London's O2 arena on Friday night.

The tattoo artist, 42, first revealed in October that she would be covering up all of her colourful artwork with solid black ink after becoming 'fed up' with her look.

The Strictly and Love Island winner Dani lives in Essex with her footballer husband - and Essex is where it all began for the pair

While I have never had any interventions such as Botox or fillers, and I am steering well clear of any fat jabs, I am not prepared to go completely au natural...

The musician was one half of the duo behind Optimo Espacio, a weekly Sunday-night club in Sun Club in Glasgow, alongside music producer Jonnie Wilkes, also known as JG Wilkes.

Long-time Slashdot reader robinsrowe shared this report from the Register: The C++ standards committee abandoned a detailed proposal to create a rigorously safe subset of the language, according to the proposal's co-author, despite continuing anxiety about memory safety. "The Safety and Security working group voted to prioritize Profiles over Safe C++. Ask the Profiles people for an update. Safe C++ is not being continued," Sean Baxter, author of the cutting-edge Circle C++ compiler, commented in June this year. The topic came up as developers like Simone Bellavia noted the anniversary of the proposal and discovered a decision had been made on Safe C++. One year ago, Baxter told The Reg that the project would enable C++ developers to get the memory safety of Rust, but without having to learn a new language. "Safe C++ prevents users from writing unsound code," he said. "This includes compile-time intelligence like borrow checking to prevent use-after-free bugs and initialization analysis for type safety." Safe C++ would enable incremental migration of code, since it only applies to code in the safe context. Existing unsafe code would run as before. Even the matter of whether the proposal has been abandoned is not clear-cut. Erich Keane, C++ committee member and co-chair of the C++ Evolution Working Group (EWG), said that Baxter's proposal "got a vote of encouragement where roughly 1/2 (20/45) of the people encouraged Sean's paper, and 30/45 encouraged work on profiles (with 6 neutral)... Sean is completely welcome to continue the effort, and many in the committee would love to see him make further effort on standardizing it." In response, Baxter said: "The Rust safety model is unpopular with the committee. Further work on my end won't change that. Profiles won the argument." He added that the language evolution principles adopted by the EWG include the statement that "we should avoid requiring a safe or pure function annotation that has the semantics that a safe or pure function can only call other safe or pure functions." This, he said, is an "irreconcilable design disagreement...."

Read more of this story at Slashdot.

Sir Keir Starmer is ploughing ahead with plans to introduce the scheme in line with efforts to overhaul the country's asylum and immigration system and reduce crossings in the Channel.

The managers of this £250million fund do things rather differently, and it seems to be working rather well...

Nato planes were scrambled in Poland early on Saturday after Russia launched airstrikes targeting neighbouring Ukraine. 

Queen Camilla made a joke about an 'infamous' scene from a TV adaptation of Jane Austen's novel Pride and Prejudice while attending her annual literary festival in Derbyshire on Friday.

Laura Whitmore and Jodie Kidd proved themselves to be the ultimate fashionistas as they took to the runway at London Fashion Week.

The treasure is said to be impossible to take because of the magic

In  September 1997, Mr Wood spent half an hour with influential Black Sabbath vocalist and solo artist Ozzy Osbourne for The Daily Star, who died last July aged 76.

In  September 1997, Mr Wood spent half an hour with influential Black Sabbath vocalist and solo artist Ozzy Osbourne for The Daily Star, who died last July aged 76.