Forum Federato

By Piero Bosio
Kevin Beaumont

@gossithedog@cyberplace.social
Posts

Recent

  • Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @microsoft 🤣🫡
    Kevin Beaumont

    If anybody is wondering, Tracer.ai is legit and operating at the instruction of Microsoft.

    They’re an AI brand protection service which has been systematically harming Microsoft’s brand for a while. An example - getting YouTube videos about Minecraft removed, which has hindered Minecraft’s visibility online (which is a huge part of Xbox revenue). https://www.reddit.com/r/PhoenixSC/comments/1fk28zm/microsoft_has_started_using_some_kind_of_ai_that/

    Uncategorized

  • Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @microsoft 🤣🫡
    Kevin Beaumont

    AI causes another embarrassing social media cycle at Microsoft in 3..2..

    Uncategorized

  • Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @microsoft 🤣🫡
    Kevin Beaumont

    Oh no 🤣

    Uncategorized

  • Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @microsoft 🤣🫡
    Kevin Beaumont

    Apparently Microsoft don’t understand how the Fediverse works, and want me to delete the parody account @microsoft 🤣🫡

    Uncategorized

  • That NodeJS supply chain hack incident is amazing because the threat actor(tm) got RCE access to like a billion devices and ran the world’s shittest Ethereum dumper.
    Kevin Beaumont

    I cannot tell you how many security incidents I’ve worked at orgs on critical national infrastructure over the years where the threat actor got access and *mind boggles* deployed coin miners.

    No really, I don’t think I can tell you, I’d get sued 🤣

    Uncategorized

  • That NodeJS supply chain hack incident is amazing because the threat actor(tm) got RCE access to like a billion devices and ran the world’s shittest Ethereum dumper.
    Kevin Beaumont

    That NodeJS supply chain hack incident is amazing because the threat actor(tm) got RCE access to like a billion devices and ran the world’s shittest Ethereum dumper.

    Imagine if they had done reverse shells instead, or automated lateral movement to ransomware deployment NotPetya style.

    The thing that saved companies here was the threat actor was incompetent crypto boy, nothing more.

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    For anybody confused about how this happens, basically:

    - For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness

    - For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer and 389 libraries are added and an app is farted out

    The output = if you want to own the world's companies, just phish one guy in Skegness

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Developer confirms they fell for phishing email

    It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.

    https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Weekly download stats for impacted packages prior to incident

    ansi-styles (371.41m)
    debug (357.6m)
    backslash (0.26m)
    chalk-template (3.9m)
    supports-hyperlinks (19.2m)
    has-ansi (12.1m)
    simple-swizzle (26.26m)
    color-string (27.48m)
    error-ex (47.17m)
    color-name (191.71m)
    is-arrayish (73.8m)
    slice-ansi (59.8m)
    color-convert (193.5m)
    wrap-ansi (197.99m)
    ansi-regex (243.64m)
    supports-color (287.1m)
    strip-ansi (261.17m)
    chalk (299.99m)

    Total 2674m

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    additional backdoored packages

    ansi-styles
    debug
    chalk
    supports-color
    strip-ansi
    ansi-regex
    has-ansi

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

    Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

    Uncategorized
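
The hunt tip in the post above, worked through as an added example (not code from the original posts): it pulls package names out of registry.npmjs.org URLs in proxy log lines and flags the packages named on this page. The log layout (time, client, method, URL, status), the sample lines and the `0.0.0` versions are constructed assumptions, and it presumes the proxy records full URLs rather than only a CONNECT to the host.

```python
import re
from urllib.parse import unquote, urlsplit

# Package names taken from the posts on this page.
IMPACTED = {
    "ansi-styles", "debug", "backslash", "chalk-template", "supports-hyperlinks",
    "has-ansi", "simple-swizzle", "color-string", "error-ex", "color-name",
    "is-arrayish", "slice-ansi", "color-convert", "wrap-ansi", "ansi-regex",
    "supports-color", "strip-ansi", "chalk", "color",
}

# Constructed sample lines; assumed layout: time client method url status.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 GET https://registry.npmjs.org/chalk/-/chalk-0.0.0.tgz 200",
    "2025-01-01T10:00:01Z 10.0.0.5 GET https://registry.npmjs.org/@types%2fdebug 200",
    "2025-01-01T10:00:02Z 10.0.0.9 GET https://registry.npmjs.org/color-convert 200",
    "2025-01-01T10:00:03Z 10.0.0.9 GET https://example.invalid/chalk/-/chalk-0.0.0.tgz 200",
]

URL_RE = re.compile(r"https?://registry\.npmjs\.org/\S+", re.IGNORECASE)

def parse_registry_url(url):
    """Return (package, version-or-None) for a registry.npmjs.org URL, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "registry.npmjs.org":
        return None
    path = unquote(parts.path).strip("/")   # scoped names may arrive as @scope%2fname
    head, sep, tarball = path.partition("/-/")
    segs = head.lower().split("/")
    # Keep the scope so that @types/debug is not mistaken for debug.
    name = "/".join(segs[:2]) if segs[0].startswith("@") else segs[0]
    if not name:
        return None
    version = None
    base = name.rsplit("/", 1)[-1]          # tarball file name drops the @scope/ prefix
    if sep and tarball.endswith(".tgz") and tarball.lower().startswith(base + "-"):
        version = tarball[len(base) + 1:-4]
    return name, version

def hunt(lines):
    """Return (client, package, version) for each request touching an impacted package."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        parsed = parse_registry_url(m.group(0)) if m else None
        if parsed and parsed[0] in IMPACTED:
            hits.append((line.split()[1], parsed[0], parsed[1]))
    return hits
```

A hit with a version of `None` is a metadata lookup only; the tarball requests are the ones that show what was actually downloaded and by which client.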

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    NPM on it, some packages nuked, more being nuked

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Just reported to NPM, they work on it.

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.

    Uncategorized

  • Malicious javascript compromise on npmjs.com
    Kevin Beaumont

    Malicious javascript compromise on npmjs.com

    These packages, about a billion downloads prior

    supports-hyperlinks
    chalk-template
    simple-swizzle
    slice-ansi
    error-ex
    is-arrayish
    wrap-ansi
    backslash
    color-string
    color-convert
    color
    color-name

    Thread follows.

    Uncategorized

  • I looked at a 'first generative AI ransomware' article tonight from a vendor, and looked into the actual samples.
    Kevin Beaumont

    Also, the Trend Micro story about a billion Google accounts being breached is also bullshit - the story is written using GenAI. That one also went global.

    We've reached the point where vendors are just throwing shit at customers and journalists are just single source running it, nothing matters basically.

    Uncategorized