BleepingComputer reports that nearly a dozen npm packages, including the widely used 'country-currency-map' package and several cryptocurrency-related packages, have been hijacked with malicious JavaScript code that harvests environment variables, including API and encryption keys as well as cloud and database credentials.
Of the ten infostealer-laced packages, only country-currency-map has so far been removed from npm, according to an analysis from Sonatype, which believes the previously clean packages were targeted by threat actors using the same technique. "Given the concurrent timing of the attacks on multiple packages from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be a more likely scenario as opposed to well-orchestrated phishing attacks," said Sonatype. The threat actors most likely exploited inadequate npm maintainer account security, as evidenced by the absence of any malicious code in the impacted projects' GitHub repositories: only the packages published to npm were tampered with.
Vietnam-aligned threat actor OceanLotus has been linked to two distinct campaigns targeting domestic entities and stock investors with a backdoor known as SPECTRALVIPER, according to ESET.
Federal prosecutors have charged a Russian national, Denis Nikolayevich Obrezko, with conspiracy to commit unauthorized computer access in connection with a widespread cyberespionage campaign attributed to the Russia-aligned threat group Void Blizzard, according to a recent report by CyberScoop.