Software developers worldwide are facing a serious security threat as hackers continue to compromise popular open source projects in an ongoing supply chain attack. The cybercriminals are targeting the very foundation of modern software development by infiltrating trusted code libraries that millions of applications depend on.
This attack represents a particularly dangerous form of cybercrime because it exploits the interconnected nature of modern software development. When hackers compromise widely-used open source packages, their malicious code can spread to countless applications and services that incorporate those libraries, creating a ripple effect across the entire software ecosystem.
On Tuesday, cybersecurity firms StepSecurity and SafeDep warned of the latest wave of supply-chain attacks. The hackers are compromising developers of popular open source projects and using that access to plant malicious updates that get pushed to users downstream.
The scale and speed of these attacks is alarming. According to SafeDep, hackers took over the account of one developer and released over 630 malicious versions across 317 packages in about 20 minutes. The primary goal appears to be stealing credentials for various services, including password managers, as a way to steal data and continue spreading the malware.
Among the packages that hackers compromised is Antv, a library made by Alibaba. In some cases, the hackers published malicious updates on GitHub, according to JFrog Security. This shows that even code from major tech companies isn’t immune to these attacks.
Researchers have dubbed these hacks “Mini Shai-Hulud,” named after a previous, more expansive hacking campaign that followed similar tactics. The attacks are part of a wider campaign targeting open source projects and the developers who use the code for their own projects.
The threat is already affecting high-profile targets. Last week, in another wave of attacks as part of the Mini Shai-Hulud campaign, hackers compromised the computers of two OpenAI employees after hacking the open source library TanStack. OpenAI was just one of several victims in that attack.
These supply chain attacks are particularly concerning because they target the trust-based system that underpins open source development. Developers routinely incorporate third-party libraries into their projects, trusting that updates from maintainers are legitimate. When that trust is violated, it can compromise software used by millions of people.
The attacks also highlight the vulnerability of the open source ecosystem, which powers most modern software but often relies on volunteer maintainers who may not have extensive security resources. A single compromised developer account can potentially affect thousands of downstream projects and applications.