Supply‑chain token worms

Software supply-chain attacks this week hit the tools developers trust to build and ship code, and the payloads were built to steal tokens, not break systems. (thehackernews.com) A software supply chain is the chain of packages, containers, and build scripts that get pulled into an app before it runs. Between April 21 and April 23, GitGuardian said three campaigns targeted npm, PyPI, and Docker Hub to pull secrets from developer machines and continuous integration pipelines. (blog.gitguardian.com) In the npm case, attackers hid malicious code in install-time scripts, the commands that run automatically when a package is added. The Hacker News and BleepingComputer reported that one worm-like campaign spread through six compromised npm packages by harvesting developer authentication tokens and trying to republish tainted updates from those accounts. (thehackernews.com) (bleepingcomputer.com) That tactic shifts the target from end users to the people and robots that publish software. Once a token is stolen from a laptop or a build runner, an attacker can sign in as a trusted maintainer and push poisoned code through normal release channels. (stepsecurity.io) (sans.org) The same playbook showed up outside npm. GitGuardian said one campaign compromised official Checkmarx KICS artifacts on Docker Hub and related code extensions, while another followed the March compromise of LiteLLM on the Python Package Index, where versions 1.82.7 and 1.82.8 were live for about 40 minutes before PyPI quarantined them. (blog.gitguardian.com) (docs.litellm.ai) The broader campaign tied to TeamPCP shows how fast that can cascade once one automation credential falls. SANS said attackers used a compromised Aqua Security service account to tamper with 76 of 77 Trivy action tags on March 19, then pivoted across npm packages, Docker images, Checkmarx workflows, and LiteLLM on PyPI over the next six days. (sans.org) (securityweek.com) Researchers describe the worm behavior as self-propagation: malicious code steals a token, checks what packages that token can publish, and pushes the same implant into those packages. StepSecurity said the earlier CanisterWorm wave was a direct follow-on from the Trivy compromise, and Socket later counted 141 affected npm packages between March 20 and March 23. (stepsecurity.io) (scworld.com) Checkmarx said its March 23 incident affected two OpenVSX plugins and two GitHub Actions workflows. Socket and Docker then disclosed a fresh April 22 compromise involving malicious images in the official `checkmarx/kics` Docker Hub repository, including overwritten tags such as `v2.1.20`, `alpine`, `debian`, and `latest`. (checkmarx.com) (socket.dev) The pattern across these incidents is quieter than ransomware and more useful to intruders. A stolen npm token, cloud key, or GitHub credential lets an attacker come back through the same build systems teams use every day. (blog.gitguardian.com) (datadoghq.com) The immediate cleanup is mundane and expensive: rotate publisher tokens, pin exact package and container versions, check build logs for unexpected install scripts, and treat any environment that pulled the poisoned releases as exposed. The attacks kept using trusted names and official channels, which is exactly why they traveled so far. (docs.litellm.ai) (socket.dev)