Several popular open source projects relied on by software developers worldwide have been compromised in an ongoing cyberattack.
On Tuesday, cybersecurity companies StepSecurity and SafeDep reported a new wave of “supply chain” attacks that target the maintainers of well-known open source projects and use that access to push malicious updates to users downstream.
SafeDep disclosed that the hackers took over a developer’s account and used it to publish more than 630 malicious versions across 317 packages in roughly 20 minutes. The malicious code is built to steal credentials for a range of services, including password managers, exfiltrate them, and use them to spread the malware further.
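That burst signature (one publishing account pushing hundreds of versions across hundreds of packages in minutes) is something a consumer can screen for before a registry or vendor advisory lands. The script below is an added example, not code from the article or from StepSecurity, SafeDep or JFrog. It assumes the packages live on an npm-style registry (the article does not name one) whose packument has a `time` map of version to ISO-8601 publish timestamp and a per-version `_npmUser` publishing account, and a `package-lock.json` in the v2/v3 `packages` layout. The package names, accounts, timestamps and the 3-package threshold are constructed for illustration.

```python
"""Flag registry releases that belong to a publish burst and cross-check a lockfile against them.
Added example; packuments, lockfile and thresholds below are constructed, not real registry data."""
from collections import defaultdict
from datetime import datetime, timedelta

def _parse(ts):
    # Registry timestamps end in "Z"; fromisoformat needs an explicit offset on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

# Constructed sample: "maint-a" pushes four versions of three packages between 10:03 and 10:11,
# while "maint-b" ships one ordinary release in the same window.
SAMPLE_PACKUMENTS = [
    {"name": "example-charts",
     "time": {"created": "2024-01-10T09:00:00.000Z", "modified": "2025-06-01T10:11:00.000Z",
              "4.0.0": "2024-01-10T09:00:00.000Z", "4.1.0": "2024-05-02T12:00:00.000Z",
              "4.1.1": "2025-06-01T10:03:00.000Z", "4.1.2": "2025-06-01T10:11:00.000Z"},
     "versions": {v: {"_npmUser": {"name": "maint-a"}} for v in ("4.0.0", "4.1.0", "4.1.1", "4.1.2")}},
    {"name": "example-table",
     "time": {"created": "2024-03-04T08:00:00.000Z", "modified": "2025-06-01T10:05:00.000Z",
              "2.3.0": "2024-03-04T08:00:00.000Z", "2.3.1": "2025-06-01T10:05:00.000Z"},
     "versions": {v: {"_npmUser": {"name": "maint-a"}} for v in ("2.3.0", "2.3.1")}},
    {"name": "example-query",
     "time": {"created": "2024-02-01T08:00:00.000Z", "modified": "2025-06-01T10:09:00.000Z",
              "5.0.0": "2024-02-01T08:00:00.000Z", "5.0.1": "2025-06-01T10:09:00.000Z"},
     "versions": {v: {"_npmUser": {"name": "maint-a"}} for v in ("5.0.0", "5.0.1")}},
    {"name": "unrelated-lib",
     "time": {"created": "2024-07-01T08:00:00.000Z", "modified": "2025-06-01T10:07:00.000Z",
              "1.0.0": "2024-07-01T08:00:00.000Z", "1.0.1": "2025-06-01T10:07:00.000Z"},
     "versions": {v: {"_npmUser": {"name": "maint-b"}} for v in ("1.0.0", "1.0.1")}},
]

# Constructed package-lock.json (v2/v3 "packages" map); "" is the root project entry.
SAMPLE_LOCKFILE = {"packages": {
    "": {"name": "my-app"},
    "node_modules/example-charts": {"version": "4.1.2"},
    "node_modules/example-table": {"version": "2.3.0"},
    "node_modules/unrelated-lib": {"version": "1.0.1"},
}}

def publish_events(packuments):
    """Flatten packuments into (publisher, time, package, version), sorted by publish time."""
    events = []
    for p in packuments:
        for ver, ts in p["time"].items():
            if ver in ("created", "modified"):
                continue
            user = p.get("versions", {}).get(ver, {}).get("_npmUser", {}).get("name", "<unknown>")
            events.append((user, _parse(ts), p["name"], ver))
    events.sort(key=lambda e: e[1])
    return events

def burst_releases(packuments, window=timedelta(minutes=20), min_packages=3):
    """Return {(package, version)} for every release inside a burst: one publishing account
    releasing versions of at least `min_packages` distinct packages within `window`.
    The thresholds are assumptions for this example, tuned loosely to the article's figures."""
    by_user = defaultdict(list)
    for ev in publish_events(packuments):
        by_user[ev[0]].append(ev)
    flagged = set()
    for evs in by_user.values():          # each list is already time-sorted
        j = 0
        for i in range(len(evs)):
            while evs[i][1] - evs[j][1] > window:   # slide the window's left edge
                j += 1
            span = evs[j:i + 1]
            if len({e[2] for e in span}) >= min_packages:
                flagged.update((e[2], e[3]) for e in span)
    return flagged

def lockfile_hits(lockfile, flagged):
    """Return the (name, version) pairs pinned by the lockfile that were published in a burst."""
    hits = []
    for path, entry in lockfile.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested node_modules paths
        if (name, entry.get("version")) in flagged:
            hits.append((name, entry["version"]))
    return sorted(hits)

if __name__ == "__main__":
    flagged = burst_releases(SAMPLE_PACKUMENTS)
    for pkg, ver in sorted(flagged):
        print(f"burst release: {pkg}@{ver}")
    for pkg, ver in lockfile_hits(SAMPLE_LOCKFILE, flagged):
        print(f"lockfile pins burst release: {pkg}@{ver}")
```

Against real data you would feed `burst_releases` the packuments fetched for every name in the lockfile; `maint-b`'s single release in the same 20 minutes is not flagged, because the signal is one account fanning out across many packages, not activity on the registry as a whole. A hit is a reason to pin back to the last pre-burst version and review the diff, not proof of compromise on its own.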
Among the targeted packages is Antv, a library developed by Alibaba. In some instances, hackers uploaded malicious updates on GitHub, as noted by JFrog Security.
This latest series of attacks is part of a broader campaign against open source projects and their developers. Researchers have named the attacks “Mini Shai-Hulud,” after a previous, larger hacking campaign.
In an earlier wave of Mini Shai-Hulud attacks last week, hackers got into the computers of two OpenAI employees after breaching the open source library TanStack. OpenAI was one of several organizations affected.
