Red Hat Security Advisory 2024-8317-03 - Logging for Red Hat OpenShift - 5.8.14.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8317.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Logging for Red Hat OpenShift - 5.8.14  
Advisory ID:        RHSA-2024:8317-03  
Product:            logging for Red Hat OpenShift  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8317  
Issue date:         2024-10-29  
Revision:           03  
CVE Names:          CVE-2024-24791  
====================================================================

Summary: 

Logging for Red Hat OpenShift - 5.8.14

Description:

Logging for Red Hat OpenShift - 5.8.14

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

https://docs.openshift.com/container-platform/4.13/logging/cluster-logging-upgrading.html

CVEs:

CVE-2024-24791

References:

https://access.redhat.com/security/updates/classification/#important  
https://issues.redhat.com/browse/LOG-4671  
https://issues.redhat.com/browse/LOG-6182  
https://issues.redhat.com/browse/LOG-6184  
https://issues.redhat.com/browse/LOG-6266

Red Hat Security Advisory 2024-8317-03

Red Hat Security Advisory 2024-8315-03 - Logging for Red Hat OpenShift - 5.9.8.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8315.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Logging for Red Hat OpenShift - 5.9.8  
Advisory ID:        RHSA-2024:8315-03  
Product:            logging for Red Hat OpenShift  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8315  
Issue date:         2024-10-29  
Revision:           03  
CVE Names:          CVE-2024-24791  
====================================================================

Summary: 

Logging for Red Hat OpenShift - 5.9.8

Description:

Logging for Red Hat OpenShift - 5.9.8

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

https://docs.openshift.com/container-platform/4.14/logging/cluster-logging-upgrading.html

CVEs:

CVE-2024-24791

References:

https://access.redhat.com/security/updates/classification/#important  
https://issues.redhat.com/browse/LOG-6159  
https://issues.redhat.com/browse/LOG-6169  
https://issues.redhat.com/browse/LOG-6181  
https://issues.redhat.com/browse/LOG-6183  
https://issues.redhat.com/browse/LOG-6206  
https://issues.redhat.com/browse/LOG-6214

Red Hat Security Advisory 2024-8315-03

Red Hat Security Advisory 2024-8314-03 - Logging for Red Hat OpenShift - 6.0.1.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8314.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Logging for Red Hat OpenShift - 6.0.1  
Advisory ID:        RHSA-2024:8314-03  
Product:            logging for Red Hat OpenShift  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8314  
Issue date:         2024-10-29  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Logging for Red Hat OpenShift - 6.0.1

Description:

Logging for Red Hat OpenShift - 6.0.1

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

https://docs.openshift.com/container-platform/4.16/observability/logging/logging-6.0/log6x-upgrading-to-6.html

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#important  
https://issues.redhat.com/browse/LOG-6129  
https://issues.redhat.com/browse/LOG-6151  
https://issues.redhat.com/browse/LOG-6180  
https://issues.redhat.com/browse/LOG-6202

Red Hat Security Advisory 2024-8314-03

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r9pp-r4xf-597r. This link is maintained to preserve external references.

## Original Description
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-25pw-q952-x37g

**Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape**

High severity GitHub Reviewed Published Oct 28, 2024 to the GitHub Advisory Database • Updated Oct 28, 2024

Withdrawn This advisory was withdrawn on Oct 28, 2024

**Package**

pip pyload-ng (pip)

**Affected versions**

<= 0.5.0b3.dev85

**Description**

Published by the National Vulnerability Database

Oct 28, 2024

Published to the GitHub Advisory Database

Oct 28, 2024

Last updated

Oct 28, 2024

GHSA-25pw-q952-x37g: Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape

A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as Evasive Panda that infected them with a previously undocumented post-compromise toolset codenamed CloudScout.
"The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies," ESET security researcher Anh Ho said. "Through

Cloud Security / Cyber Attack

A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as **Evasive Panda** that infected them with a previously undocumented post-compromise toolset codenamed CloudScout.

"The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies," ESET security researcher Anh Ho said. "Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework."

The use of the .NET-based malware tool, per the Slovak cybersecurity company, was detected between May 2022 and February 2023. It incorporates 10 different modules, written in C#, out of which three are meant for stealing data from Google Drive, Gmail, and Outlook. The purpose of the remaining modules remains unknown.

Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has a track record of striking various entities across Taiwan and Hong Kong. It's also known for orchestrating watering hole and supply chain attacks targeting the Tibetan diaspora.

What sets the threat actor apart from the rest is the use of several initial access vectors, ranging from newly disclosed security flaws to compromising the supply chain by means of DNS poisoning, to breach victim networks and deploy MgBot and Nightdoor.

ESET said the CloudScout modules are designed to hijack authenticated sessions in the web browser by stealing the cookies and using them to gain unauthorized access to Google Drive, Gmail, and Outlook. Each of these modules is deployed by an MgBot plugin, programmed in C++.

"At the heart of CloudScout is the CommonUtilities package, which provides all necessary low-level libraries for the modules to run," Ho explained.

"CommonUtilities contains quite a few custom-implemented libraries despite the abundant availability of similar open-source libraries online. These custom libraries give the developers more flexibility and control over the inner workings of their implant, compared to open-source alternatives."

This includes -

*   HTTPAccess, which provides functions to handle HTTP communications
*   ManagedCookie, which provides functions to manage cookies for web requests between CloudScout and the targeted service
*   Logger
*   SimpleJSON

The information gathered by the three modules – mail folder listings, email messages (including attachments), and files matching certain extensions (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt) – is compressed into a ZIP archive for subsequent exfiltration by either MgBot or Nightdoor.

That said, new security mechanisms introduced by Google such as Device Bound Session Credentials (DBSC) and App-Bound Encryption are bound to render cookie-theft malware obsolete.

"CloudScout is a .NET toolset used by Evasive Panda to steal data stored in cloud services," Ho said. "It is implemented as an extension to MgBot and uses the pass-the-cookie technique to hijack authenticated sessions from web browsers."

The development comes as the Government of Canada accused a "sophisticated state-sponsored threat actor" from China of conducting broad reconnaissance efforts spanning several months against numerous domains in Canada.

"The majority of affected organizations targeted were Government of Canada departments and agencies, and includes federal political parties, the House of Commons, and Senate," it said in a statement.

"They also targeted dozens of organizations, including democratic institutions, critical infrastructure , the defense sector, media organizations, think tanks, and NGOs."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services

Debian Linux Security Advisory 5799-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5799-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 28, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-10229 CVE-2024-10230 CVE-2024-10231Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.69-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcfKnwACgkQZF0CR8Nudje0sBAAsYJO23wXH5WDVCouanWuxcBKHrXDSF0RrlPOQP5tJURzc8teVhQodU6aohwckqSyCeYI3/z6NvfVcZFOWVlNQLktcNo8nWw7pMTMkhynk9OA3KCR/LDA3b6TIZxW3z55Sza4TkcJrj+DIUgBFRBzQvFolwP6MRMcjI+kT4To9YemZlED8ZlhtNt4/abKD2suwV5nyzRFPh14sgujtwuF/zPNivuHMQFXNwWfnbIBmJlC+3XO3Ox1IVZ3IcN2tCWM0hvtkGOCOA5e3OXUGuLgWdQWg0J/hlZ8wYwlamDutp/BS3zPxurshDrEY1WOgb7oSl2rM3IgitsnHyyccICgasto7vlYpKJBCfhXDyuR00a+Sfihn91hT2lCodp8x6HazMD8HxutTa+xiihBFgKON/NFK2GvS0EbaCUe5lQe893y7cBAYhHwliXmKuL+9D/H53+UhPJSE97ZOvsLoopTzk2+cgInstHfX1SpNR4rPKN5Sk0VxDbnDiKuSUmPOGqG4xnWLhg9g04lWWNB34nHkq8cPLfGDd0erk8GHHX7/PYTqlLf8cmJppnwNoZffi3B6mk/zbwPCMVaM8odDL9Pc41zooLCGkykglmR6Yw/xbdC9+vrlsFJ/O2ligILTl/9Yf5ZaxemdcE/QEv65VyoYIDs7BkXcpgRIMqo55l5FTI==Rr/n-----END PGP SIGNATURE-----

Debian Security Advisory 5799-1

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated building/project name exposure vulnerability.

**ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure**

    ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name ExposureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The building management system suffers from an unauthenticated building/projectname exposure.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5850Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5850.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl http://192.168.73.31/getApplicationNamesJS.phpvar instanceDirectory=["1":"OOU KrstePMisirkov_Kumanovo"];

ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.39 security update  
Advisory ID:        RHSA-2024:8235-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8235  
Issue date:         2024-10-28  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.39. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-25727  
https://issues.redhat.com/browse/OCPBUGS-32266  
https://issues.redhat.com/browse/OCPBUGS-37353  
https://issues.redhat.com/browse/OCPBUGS-37552  
https://issues.redhat.com/browse/OCPBUGS-39019  
https://issues.redhat.com/browse/OCPBUGS-41246  
https://issues.redhat.com/browse/OCPBUGS-41836  
https://issues.redhat.com/browse/OCPBUGS-41918  
https://issues.redhat.com/browse/OCPBUGS-42517  
https://issues.redhat.com/browse/OCPBUGS-42518  
https://issues.redhat.com/browse/OCPBUGS-42533  
https://issues.redhat.com/browse/OCPBUGS-42567  
https://issues.redhat.com/browse/OCPBUGS-42603  
https://issues.redhat.com/browse/OCPBUGS-42757  
https://issues.redhat.com/browse/OCPBUGS-42828  
https://issues.redhat.com/browse/OCPBUGS-42986

Red Hat Security Advisory 2024-8235-03

The building management system suffers from an unauthenticated building/project name exposure.

ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name Exposure

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers

Malware / Threat Intelligence

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.

The Datadog Security Research team is monitoring the activity under the name **Tenacious Pungsan**, which is also known by the monikers CL-STA-0240 and Famous Chollima.

The names of the malicious packages, which are no longer available for download from the package registry, are listed below -

*   passports-js, a backdoored copy of the passport (118 downloads)
*   bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
*   blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious packages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.

This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.

Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.

Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.

The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.

"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#js