{"id":98734,"date":"2024-11-12T16:02:41","date_gmt":"2024-11-12T16:02:41","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=98734"},"modified":"2025-01-03T10:36:09","modified_gmt":"2025-01-03T08:36:09","slug":"october-2024-in-software-supply-chain-security","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/blog\/october-2024-in-software-supply-chain-security\/","title":{"rendered":"October 2024 in Software Supply Chain\u00a0Security"},"content":{"rendered":"<p>October 2024 heralded a new chapter in supply chain security challenges, characterized by innovative attack techniques and cryptocurrency-focused threats. A new entry point exploitation technique affecting multiple package ecosystems was disclosed, and the NPM ecosystem saw the first known use of Ethereum smart contracts for malware C2 infrastructure. The month also brought several attacks on cryptocurrency wallets through PyPI packages, and a compromise of the popular lottie-player package carried out with a leaked automation token, which 2FA on the maintainer account did not protect against. Together they show how much of the attack surface now sits in packaging metadata and publish credentials rather than in the code a reviewer reads.<\/p>\n\n\n\n<p>Let\u2019s delve into some of the most striking events of October:<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">This New Supply Chain Attack Technique Can Trojanize All Your CLI&nbsp;Commands<\/h2>\n\n\n\n<p>A new supply chain attack technique abuses package entry points, the metadata through which a package registers commands and plugins with the packaging system (for example Python\u2019s console_scripts), to trojanize CLI commands. A malicious package declares an entry point whose name matches a popular command; once the package is installed, the wrapper script the installer generates shadows or wraps the real command and runs every time a developer or build job invokes it. Because the payload is not install-time code, checks that focus on setup scripts miss it, which puts both developers and enterprise build environments at risk. 
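<\/p>\n\n\n\n<p>The technique above hinges on who wins the name lookup for a command, so the natural consumer-side check is to list what every installed distribution registers. The script below is an added example written for this roundup; it is not Checkmarx\u2019s tooling and not code from the report. It parses the entry_points.txt metadata that pip writes for each installed distribution, flags console_scripts and gui_scripts entries whose name matches a watched command, and flags entries in groups that tools such as pytest load without being asked. The watched-command list, the auto-loaded group list and the sample entry_points.txt body are constructed assumptions.<\/p>
```python
"""Audit installed Python distributions for entry points that could be used
for CLI command-jacking.

Added example: this is not Checkmarx's tooling and not code from the report.
The watched commands, the auto-loaded plugin groups and the sample
entry_points.txt below are constructed assumptions for illustration.
"""
import configparser
from importlib import metadata

# Assumption: commands an attacker would most plausibly want to impersonate.
WATCHED_COMMANDS = frozenset({
    "aws", "gcloud", "az", "kubectl", "docker", "git", "npm", "pip", "python",
    "terraform", "ssh", "sudo", "curl", "ls", "cat",
})
# Assumption: entry point groups that tools load without the user naming them.
AUTOLOAD_GROUPS = frozenset({"pytest11", "flake8.extension"})
SCRIPT_GROUPS = frozenset({"console_scripts", "gui_scripts"})


def parse_entry_points(text):
    """Return {(group, name): target} from an entry_points.txt body."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # entry point names are case-sensitive
    cp.read_string(text)
    return {(group, name): target.strip()
            for group in cp.sections()
            for name, target in cp.items(group)}


def suspicious_entry_points(entry_points, watched=WATCHED_COMMANDS,
                            autoload=AUTOLOAD_GROUPS):
    """Return [(group, name, target, reason)] for entry points worth a look."""
    findings = []
    for (group, name), target in entry_points.items():
        if group in SCRIPT_GROUPS and name in watched:
            findings.append((group, name, target,
                             f"script named after watched command {name!r}"))
        elif group in autoload:
            findings.append((group, name, target,
                             f"registers auto-loaded plugin group {group!r}"))
    return findings


def scan_environment(watched=WATCHED_COMMANDS):
    """Scan every installed distribution; returns {dist_name: findings}."""
    report = {}
    for dist in metadata.distributions():
        text = dist.read_text("entry_points.txt")
        if not text:
            continue
        try:
            hits = suspicious_entry_points(parse_entry_points(text), watched)
        except configparser.Error:
            continue  # malformed metadata; skip rather than abort the scan
        if hits:
            report[dist.metadata["Name"]] = hits
    return report


# Constructed sample: a package that ships an "aws" command and a pytest plugin.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
aws = dev_utilz.cli:main
dev-utilz = dev_utilz.cli:main

[pytest11]
dev_utilz = dev_utilz.plugin
"""

if __name__ == "__main__":
    for hit in suspicious_entry_points(parse_entry_points(SAMPLE_ENTRY_POINTS)):
        print(hit)
    for dist_name, hits in scan_environment().items():
        print(dist_name, hits)
```
<p>Run it inside any virtual environment to list what is registered there; the sample data demonstrates the two patterns without installing anything. Comparing shutil.which(name) for a flagged script against the environment\u2019s scripts directory shows whether the shim actually precedes the real binary on PATH.<\/p>\n\n\n\n<p>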
<a href=\"https:\/\/checkmarx.com\/blog\/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands\/\" target=\"_blank\" rel=\"noreferrer noopener\">(Link to report)<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers<\/h2>\n\n\n\n<p>The NPM package lottie-player was compromised through a leaked automation token. Automation tokens exist so that CI pipelines can publish without a second factor, so the 2FA enabled on the maintainer account did not stop the publish. The malicious versions injected code into the player that tricked site visitors into connecting their cryptocurrency wallets. The response was swift: a clean version was released and the compromised versions were unpublished. <a href=\"https:\/\/checkmarx.com\/blog\/with-2fa-enabled-npm-package-lottie-player-taken-over-by-attackers\/\" target=\"_blank\" rel=\"noreferrer noopener\">(Link to report)<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Crypto-Stealing Code Lurking in Python Package Dependencies<\/h2>\n\n\n\n<p>A sophisticated attack on PyPI targeted cryptocurrency wallets through malicious packages. The attackers split the malicious code across several dependencies so that no single package looked harmful, and the payload ran only when specific functions were called rather than at install time, which made detection difficult. 
<a href=\"https:\/\/checkmarx.com\/blog\/crypto-stealing-code-lurking-in-python-package-dependencies\/\" target=\"_blank\" rel=\"noreferrer noopener\">(Link to report)<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" width=\"1024\" height=\"707\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-1024x707.png\" alt=\"Crypto-Stealing Code Lurking in Python Package Dependencies attack flow\" class=\"wp-image-98735\" style=\"width:840px;height:auto\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-1024x707.png 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-300x207.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-768x530.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-1536x1060.png 1536w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Crypto-Stealing-Code-Lurking-in-Python-Package-Dependencies-image-2048x1414.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain&nbsp;Attack<\/h2>\n\n\n\n<p>The malicious PyPI package \u201ccryptoaitools\u201d targeted cryptocurrency enthusiasts through a multi-vector supply chain attack. It combined a deceptive GUI that served as a decoy, a multi-stage infection chain, and broad data exfiltration to steal cryptocurrency-related information from Windows and macOS users. 
<a href=\"https:\/\/checkmarx.com\/blog\/cryptocurrency-enthusiasts-targeted-in-multi-vector-supply-chain-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">(Link to report)<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"592\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-1024x592.png\" alt=\"Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack image\" class=\"wp-image-98736\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-1024x592.png 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-300x173.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-768x444.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-1536x888.png 1536w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Cryptocurrency-Enthusiasts-Targeted-in-Multi-Vector-Supply-Chain-Attack-image-2048x1184.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware<\/h2>\n\n\n\n<p>A sophisticated NPM supply chain attack uses Ethereum smart contracts to distribute its C2 addresses: the malware reads the current server address from the blockchain, so taking down a single domain does not break the channel. The cross-platform malware imitates popular testing packages through typosquatting and launches from preinstall scripts, affecting Windows, Linux, and macOS. 
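<\/p>\n\n\n\n<p>Both signals in this campaign, a look-alike name and a lifecycle install hook, are visible in the installed tree before anything runs, provided installs happen with scripts disabled or the tree is inspected first. The script below is an added example written for this roundup; it is not Checkmarx\u2019s tooling and not a reproduction of the malware. It walks a project\u2019s node_modules, reports every package whose package.json declares a preinstall, install or postinstall script, and reports names within a small edit distance of a watchlist of popular packages. The watchlist and the sample tree the script builds are constructed assumptions.<\/p>
```python
"""Audit an npm install tree for the two install-time signals from the
Ethereum smart contract campaign: lifecycle install hooks and typosquatted
package names.

Added example: not Checkmarx's tooling and not a reproduction of the malware.
The watchlist and the sample tree built by build_sample_tree() are constructed
assumptions for illustration.
"""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumption: popular names an attacker would imitate; extend for your own deps.
WATCHLIST = ("jest", "mocha", "chai", "sinon", "fetch-mock")


def edit_distance(a, b):
    """Levenshtein distance; package names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name, watchlist=WATCHLIST, max_distance=2):
    """Watchlist names that `name` (scope stripped) is close to but not equal to."""
    base = name.split("/")[-1]
    return [w for w in watchlist if w != base and edit_distance(base, w) <= max_distance]


def audit_node_modules(root, watchlist=WATCHLIST):
    """Walk root/node_modules and report packages with install hooks or look-alike names."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; out of scope here
        if not isinstance(pkg, dict):
            continue
        name = pkg.get("name") or os.path.relpath(dirpath, root)
        scripts = pkg.get("scripts")
        if not isinstance(scripts, dict):
            scripts = {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        resembles = typosquat_candidates(name, watchlist)
        if hooks or resembles:
            findings.append({"name": name, "version": pkg.get("version"),
                             "path": dirpath, "install_hooks": hooks,
                             "resembles": resembles})
    return findings


# Constructed sample tree: one look-alike with a preinstall hook, one clean
# package, one scoped package with a plausible-looking postinstall build step.
SAMPLE_TREE = {
    "mocah": {"name": "mocah", "version": "1.0.0",
              "scripts": {"preinstall": "node setup.js"}},
    "chai": {"name": "chai", "version": "4.3.10", "scripts": {"test": "mocha"}},
    "@scope/helper": {"name": "@scope/helper", "version": "0.1.0",
                      "scripts": {"postinstall": "node-gyp rebuild"}},
}


def build_sample_tree():
    """Materialise SAMPLE_TREE under a temp dir and return the project root."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    for folder, pkg in SAMPLE_TREE.items():
        pkg_dir = os.path.join(root, "node_modules", folder)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding)
```
<p>Point audit_node_modules at a real project root to review its tree. A hook on its own is not proof of malice (native modules legitimately rebuild in postinstall), which is why the output keeps the hook command and the path so a reviewer can read the script. Setting ignore-scripts=true in .npmrc stops lifecycle hooks from running at all; packages that genuinely need a build step are then rebuilt explicitly.<\/p>\n\n\n\n<p>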
<a href=\"https:\/\/checkmarx.com\/uncategorized\/supply-chain-attack-using-ethereum-smart-contracts-to-distribute-multi-platform-malware\/\">(Link to report)<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-1024x550.png\" alt=\"Ethereum Smart Contracts attack flow\" class=\"wp-image-98737\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-1024x550.png 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-300x161.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-768x412.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-1536x824.png 1536w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Ethereum-Smart-Contracts-image-2048x1099.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">*&nbsp;&nbsp; * &nbsp;&nbsp;*<\/p>\n\n\n\n<p>Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.<\/p>\n\n\n\n<p>I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.<\/p>\n\n\n\n<p>Stay tuned\u2026<\/p>\n\n\n\n<p>Working to Keep the Open-Source Ecosystem Safe<\/p>","protected":false},"excerpt":{"rendered":"<p>October 2024 heralded a new chapter in supply chain security challenges, characterized by innovative attack techniques and cryptocurrency-focused threats. 
A groundbreaking entry point exploitation technique affecting multiple package ecosystems was unveiled, while the NPM ecosystem witnessed the first-ever use of Ethereum smart contracts for malware C2 infrastructure. The month also saw multiple sophisticated attacks on [&hellip;]<\/p>\n","protected":false},"author":66,"featured_media":98738,"template":"","zero-category":[1067],"zero-tag":[1068],"class_list":["post-98734","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-tag-checkmarx-security-research-team"],"acf":[]}