Ilkka Turunen

2.1K posts

@llkkaT
Field CTO @sonatype. Software supply chain management, infosec and devsecops veteran, occasional speaker and dependency hell enthusiast. 🇬🇧 & 🇫🇮

London, England · Joined March 2011
1.3K Following · 595 Followers
Ilkka Turunen reposted
LottieFiles @LottieFiles ·
Incident Response for Recently Infected Lottie-Player versions 2.0.5, 2.0.6, 2.0.7

Comm Date/Time: Oct 31st, 2024 04:00 AM UTC

Incident: On October 30th ~6:20 PM UTC, LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end-users, developers, and our employees.

Immediate Mitigation Actions
- Published a new safe version (2.0.8)
- Unpublished the compromised package versions from npm
- Removed all access and associated tokens/service accounts of the impacted developer

Impact
- Versions 2.0.5, 2.0.6, 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
- The unauthorized versions contained code that prompted for connecting to users' crypto wallets.
- A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.

Recommended Steps
- If using the 2.0.5, 2.0.6 or 2.0.7 versions, please update to the latest version 2.0.8 -- SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
- If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.

Next Steps
- LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
- We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected. If you believe you're affected, don't hesitate to reach out to us at priority_support@lottiefiles.com
Ilkka Turunen @llkkaT ·
It seems like the vulnerability affects cups, a printer driver found in linux and unix like systems. The good news is the attack only works if the attacker can connect via UDP on port 631. Also requires a print job to start evilsocket.net/2024/09/26/Att…
Ilkka Turunen reposted
Andrey Akinshin @andrey_akinshin ·
Dependency is replaced by one-liner, weekly traffic is reduced by 440GB
[image attached]
Ilkka Turunen reposted
George Kurtz @George_Kurtz ·
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
Ilkka Turunen @llkkaT ·
The NVD has stated it is getting new staffing and aims to clear the backlog by the end of the fiscal year (which would be September). Sceptical if that will indeed happen, but if so users of tools relying on it directly will have one busy summer with alerts nist.gov/itl/nvd
Ilkka Turunen @llkkaT ·
🚨 an example of an adversary trying to push their malware as a coding solution. Please be careful with any dependencies
Ax Sharma @Ax_Sharma

A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles. 🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users with #trojan as soon as it's installed! sonatype.com/blog/pypi-cryp… #opensource #malware

Ilkka Turunen @llkkaT ·
It was a pleasure taking a part in this engaging conversation
CEPS ThinkTank @CEPS_thinktank

The #SOSS2024 Policy Summit is coming to an end with our last panel, where we will discuss the economic advantage of secure open-source software in Europe. We are joined by: 📌 MEP @karmel80 📌 Martina Goetz, @sapopensource 📌 Per Beming, @ericsson 📌 @llkkaT, @sonatype 📌 @torgo, @Samsung Moderated by Ana Jimenez, @todogroup Learn more 👉 ceps.eu/ceps-events/se…

Ilkka Turunen @llkkaT ·
The NVD backlog just went over 10,000 unanalysed issues
[image attached]