Critical Backdoor Found in XZ Utils (CVE-2024-3094) Enables SSH Compromise
A critical vulnerability (CVE-2024-3094) was discovered in the XZ Utils library on March 29th.
Tom Abai is a security researcher at Mend.io. He is passionate about finding and addressing security incidents in the software supply chain area. In his free time, he likes to play CTF games and learn new things about cybersecurity.
The Mend.io research team detected more than 100 malicious packages targeting the most popular machine learning (ML) libraries on the PyPI registry.
See the attack flow of this new info-stealer Mend.io detected and how it can stay undetected by abusing trusted development tools like Electron.
Mend.io research discovered a threat actor takeover of the name 'gemnasium-gitlab-service', a retired Ruby gem with more than two million downloads. Existing projects that haven't updated their dependencies might unwittingly pull in this new version, assuming it's a continuation of the original. Given that the new gem is now controlled by an unknown entity, it could be altered to include malicious code or to perform undesirable actions.
A new malicious package named 'Vibranced' has been detected on the Node Package Manager (npm) repository and poses a significant threat to users who may unknowingly install it. The package has been carefully crafted to mimic the popular 'colors' package.
Our team detected an attack on npm packages that used typosquatting to compromise nearly 300 npm packages.