|
| ▲ | advocatemack 3 hours ago | parent | next [-] |
| Mackenzie here I work for Aikido.
This is a classic example of the security community all playing a part. The very first notice of this was from a developer named Daniel Pereira. He alerted Socket who did the first review of the Malware and discovered 40 packages. After, Aikido discovered an additional 147 packages and the Crowdstrike packages.
I'm not sure how Step found it but they were the first to really understand the malware and that it was a self replicating worm. So multiple parties all playing a part kinda independent. Its pretty cool |
|
| ▲ | jamesberthoty 4 hours ago | parent | prev | next [-] |
| Several individual developers seem to have noticed it at around the same time with Step and Socket pointing to different people in their blogs. And then vendors from Socket, Aikido, and Step all seem to have detected it via their upstream malware detection feeds - Socket and Aikido do AI code analysis, and Step does eBPF monitoring of build pipelines. I think this was widespread enough it was noticed by several people. |
|
| ▲ | m4r71n 4 hours ago | parent | prev | next [-] |
| Since so many vendors discovered these packages seemingly independently, you'd think that they would share those mechanisms with NPM itself so that those packages would never be published in the first place. But I guess that removes their ability to sell an "early alert" mechanism through their offerings... |
| |
| ▲ | progbits 3 hours ago | parent [-] | | NPM is owned by github/microsoft. I'm sure they could afford to buy one of these products or just build their own, but clearly security is not a thing they care about. | | |
| ▲ | codazoda 3 hours ago | parent | next [-] | | Somehow I didn't realize GitHub purchased npm in 2020. GitHub is the second word on npmjs.org. How did I not notice? | | |
| ▲ | octo888 2 hours ago | parent [-] | | Microsoft: GitHub, NPM, typescript, VS Code, OpenAI, Playwright A lot of fingers in a lot pies |
| |
| ▲ | kjok an hour ago | parent | prev | next [-] | | Why should MS buy any of these startups when a developer (not any automated tech) found the malware? It looks like these startups did after-the-fact analysis for PR. | |
| ▲ | foobarbecue 3 hours ago | parent | prev [-] | | Can't help noticing, in the original article: > The entire attack design assumes Linux or macOS execution environments, checking for os.platform() === 'linux' || 'darwin'. It deliberately skips Windows systems If I were the conspiracy-minded sort I might jump to some wild conclusions here. | | |
| ▲ | acomjean an hour ago | parent [-] | | I’m using windows again. By default windows has “power shell” which is not at all like bash and is (how do I say this diplomatically)… wanting. I mean it says something the developed the Linux Subsystem for Windows, but it’s an optional install. |
|
|
|
|
| ▲ | augzodia 4 hours ago | parent | prev | next [-] |
| OP article says: > The incident was discovered by @franky47, who promptly notified the community through a GitHub issue. |
| |
|
| ▲ | 3 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | Onavo 2 hours ago | parent | prev [-] |
| Usually security companies monitor CVEs and the security mailing lists. That's how they all end up releasing the blog posts at the same time. It's because they are all using the same primary source. |
