Infectious NPM and PyPI Packages Raise Fresh Supply Chain Concerns


Security researchers at Phylum have uncovered a persistent campaign targeting the npm ecosystem. The campaign, first observed on June 11, relies on two published packages that work together to fetch further malicious resources. According to the supply chain security company, the attack only succeeds when the packages are installed in a specific order.

The first package retrieves a token from a remote server and stores it locally. The second package sends that token back to the remote server to request another script. The server responds with a Base64-encoded string, “bm8gaGlzdG9yeSBhdmFpbGFibGU=”, which is executed only if it is longer than 100 characters.
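The length gate described above is easy to model. The following Python snippet is an added example for analysts and is not code from the article or from Phylum; it decodes the Base64 response quoted in the article and applies the same "longer than 100 characters" rule, reporting whether the second stage would have run. The function name and the returned fields are this example's own.

```python
import base64

# The stage-two response quoted in the article (Base64-encoded).
OBSERVED_RESPONSE = "bm8gaGlzdG9yeSBhdmFpbGFibGU="

# Threshold reported in the article: the payload runs only if it is
# longer than 100 characters.
EXECUTION_THRESHOLD = 100


def classify_stage2_response(b64_text: str, threshold: int = EXECUTION_THRESHOLD) -> dict:
    """Decode a stage-two response and model the loader's length gate.

    Returns a dict with the decoded text, its length, and whether the
    loader would have executed it. Invalid Base64 is reported rather
    than raised so the helper can be run over many captured responses.
    """
    try:
        decoded = base64.b64decode(b64_text, validate=True).decode("utf-8", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return {"decoded": None, "length": 0, "would_execute": False, "error": "invalid base64"}

    return {
        "decoded": decoded,
        "length": len(decoded),
        # The gate compares the response length against the threshold;
        # a short sentinel like the one observed never triggers execution.
        "would_execute": len(decoded) > threshold,
        "error": None,
    }


if __name__ == "__main__":
    result = classify_stage2_response(OBSERVED_RESPONSE)
    print(f"decoded: {result['decoded']!r}")
    print(f"length: {result['length']}, would execute: {result['would_execute']}")
```

Running it against the observed string shows the response decodes to a short placeholder message, well under the threshold, so the loader stays dormant until the server chooses to return a real payload. That behaviour is worth keeping in mind when triaging: a benign-looking response at analysis time does not mean the packages are harmless.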

