Fake npm 2FA reset email led to compromise of popular code packages - Help Net Security
Malicious versions of 18 widely used npm packages were uploaded to the npm Registry following the compromise of their maintainer's account.
Fake npm 2FA reset email led to compromise of popular code packages
Read more: www.helpnetsecurity.com/2025/09/09/n...
#cybersecurity #cybersecuritynews #accounthijacking @aikidosecurity.bsky.social @ilkka.turunen.dev @gossithedog.cyberplace.social.ap.brid.gy
09.09.2025 13:15
Our malware systems at Sonatype seem to be picking these up coming from other, not yet reported accounts. This attack seems to have landed more publishers as this unfolds. Check your accounts folks while we work with others to contain.
08.09.2025 20:12
Yep, I've been pwned. 2FA reset email, looked very legitimate.
Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.
Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
08.09.2025 15:15
Releases ยท solana-labs/solana-web3.js
Solana JavaScript SDK. Contribute to solana-labs/solana-web3.js development by creating an account on GitHub.
The web3.js compromise is a good example of legitimate library poisoning attacks. Sounds like a maintainer account was phished or an access token compromised. Basically any developer machine that installed this should be considered compromised github.com/solana-labs/...
05.12.2024 12:37
I prefer to think of it more as extra predictive writing
27.11.2024 22:52
One synth to rule them all, one groove to find them,
One sound to bring them all, and in the rhythm bind them.
In the land of Roland, where the beats reside,
The 808 booms and the Juno glides.
27.11.2024 22:50
Lord of the Rolands
27.11.2024 22:47
These are going to be big changes in the way we all do our work
20.11.2024 10:46
Regulation - 2024/2847 - EN - EUR-Lex
The Cyber Resilience Act (aka CRA, aka Regulation (EU) 2024/2847) has been published in the Official Journal of the European Union eur-lex.europa.eu/legal-conten...
20.11.2024 10:29
That was a pretty stopping finding for us too. OSS, as all software, has increasingly deep dependency chains; there are more CVEs discovered by the day, leading to significant slowdowns. The NVD backlog is still increasing, so expect this to keep going up.
18.11.2024 12:00
The Onion Buys Alex Jones's Infowars Out of Bankruptcy
The satirical news site planned to turn Infowars into a parody of itself, mocking "weird internet personalities" who peddle conspiracy theories and health supplements.
Hi everyone.
The Onion, with the help of the Sandy Hook families, has purchased InfoWars.
We are planning on making it a very funny, very stupid website.
We have retained the services of some Onion and Clickhole Hall of Famers to pull this off.
I can't wait to show you what we have cooked up.
14.11.2024 14:09
@axsharma.bsky.social wrote about it www.sonatype.com/blog/lottie-...
31.10.2024 09:56
Teaching in a third language would mostly produce a kind of "internationalish" that doesn't sound sensible to anyone. I believe the immigration and employment system is the problem more than the Finnish language; English-language upper secondary education wouldn't do much to increase the return-migration intentions of someone like me.
25.10.2024 13:20
SEC.gov | SEC Charges Four Companies With Misleading Cyber Disclosures
I'm going to continue as I do on the other socials, posting what's interesting to me. In this case that the SEC is going after companies that minimise cyber incidents, at least in the publicly traded realm. Not a huge hit to any one of them tho www.sec.gov/newsroom/pre...
25.10.2024 09:34
This is because any active OSS project typically really cares about the issues. What's more alarming, it's really consumption behaviours that are leading to risk. OSS is probably the most secure code you can get, but the risk comes from forgetting it's there.
24.10.2024 16:14
As one of the authors of the report that is cited in the article - the vulnerability count is a yard stick of popularity of open source. Last year we reported that OSS projects are actually WAY better at applying & producing security patches vs closed source and industry
24.10.2024 16:10
Very true. Fairly instant for me. And I don't have to look at the rubbish on the FYP.
24.10.2024 15:54
I do have to admit the air is so much cleaner here compared to the toxic smog over at Xitter. So nice to see actual tech twitter again
24.10.2024 15:47
Shhhh! I was enjoying lurking
24.10.2024 15:32
I haven't been this excited about social media since 2011.
24.10.2024 03:48
There is a new 'Rapid Reset' Vulnerability described by Cloudflare this week that affects the HTTP2 protocol. This implementation of HTTP2 is pretty widespread in different OSS libraries and embedded servers. Great writeup here blog.sonatype.com/10-open-sour...
12.10.2023 15:16
It's clear that what we have is both a gold rush and a productivity tool. You can see the adoption rate is enormous and the tech is still finding its tracks.
03.10.2023 17:20
Huge news to share - we're live with our 9th State of the Software Supply Chain report. 1 in 8 downloads contain some documented risk - and most of that could easily be avoided! Read the whole package here: bit.ly/3LMRXo6
03.10.2023 13:48
The report goes into detail about what are good indicators for security in a project - the top ones being a code review process and no binaries committed. We'll be publishing some updated findings next week. Imo also certain standard build artefacts like READMEs, license and SBOM files are a must have.
01.10.2023 11:40
Hello world. Is this the federated social media to rule them all then?
25.07.2023 18:28